Re: dblink: Add SCRAM pass-through authentication

From: Matheus Alcantara <matheusssilv97(at)gmail(dot)com>
To: Jacob Champion <jacob(dot)champion(at)enterprisedb(dot)com>
Cc: Peter Eisentraut <peter(at)eisentraut(dot)org>, PostgreSQL Hackers <pgsql-hackers(at)lists(dot)postgresql(dot)org>
Subject: Re: dblink: Add SCRAM pass-through authentication
Date: 2025-03-21 15:32:24
Message-ID: CAFY6G8cNUGfZ-r0tytOhpZ2JKtyjAk_aDSTKgu2R+c+afyeDJQ@mail.gmail.com
Lists: pgsql-hackers

On Thu, Mar 20, 2025 at 9:02 PM Jacob Champion
<jacob(dot)champion(at)enterprisedb(dot)com> wrote:
>
> On Thu, Mar 20, 2025 at 12:54 PM Matheus Alcantara
> <matheusssilv97(at)gmail(dot)com> wrote:
> > Since the security checks are defined I'm attaching 0003 which includes
> > the fix of security checks for postgres_fdw. It implements the
> > validations very similar to what is being implemented on dblink.
>
> Comments on 0003:
>
> > + keywords[n] = "require_auth";
> > + values[n] = "scram-sha-256";
> > + n++;
>
> The keywords and values arrays need to be lengthened for this.

Fixed. I've also changed the code comment to mention the scram keys and
required options.

> > host all all $hostaddr/32 scram-sha-256
> > - });
> > + }
> > + );
>
> Accidental diff?

Yep, sorry, I got confused with the dblink formatting. Removed.

> A few whitespace and comment tweaks are attached as well.

Squashed.

> --
>
> > > I think they should just be reduced to "The remote server must request
> > > SCRAM authentication." and "The user mapping password is not used."
> >
> > I've removed the "user mapping password" <listitem> because we already
> > mentioned above that the password is not used and having just "The user
> > mapping password is not used." again seems redundant, what do you think?
>
> Personally, I think it's still useful to call out that the password in
> the user mapping is explicitly ignored. The other text motivates the
> feature, but it doesn't explain how it interacts with existing user
> mappings (most of which will have passwords).

Fair point. I've changed it to just "The user mapping password is not
used".

--
Matheus Alcantara
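An added illustration of the array-capacity point discussed above (not code from the patches or from PostgreSQL): a bounded builder for the keywords/values arrays handed to PQconnectdbParams() that refuses to append past its capacity, with require_auth pinned to scram-sha-256 and checked before connecting. The scram_client_key/scram_server_key parameter names, the key values and the option list are assumptions.

```c
#include <stdbool.h>
#include <string.h>

/* Hypothetical fixed-size option list standing in for the keywords[]/values[]
 * arrays that dblink and postgres_fdw pass to PQconnectdbParams(). */
#define MAX_OPTS 8              /* slots, including the terminating NULL pair */

typedef struct {
    const char *keywords[MAX_OPTS];
    const char *values[MAX_OPTS];
    int n;                      /* pairs stored so far */
} ConnOpts;

/* Append one pair; refuse instead of writing past the arrays. This is the
 * check missing when pairs are added without lengthening the arrays. */
bool add_option(ConnOpts *o, const char *key, const char *val)
{
    if (o->n >= MAX_OPTS - 1)   /* keep one slot for the NULL terminator */
        return false;
    o->keywords[o->n] = key;
    o->values[o->n] = val;
    o->n++;
    o->keywords[o->n] = NULL;
    o->values[o->n] = NULL;
    return true;
}

/* Option list for a SCRAM pass-through connection. Key values are placeholders
 * for the SCRAM keys forwarded from the local session (assumed parameter names). */
bool build_scram_passthrough_opts(ConnOpts *o, const char *host, const char *user)
{
    o->n = 0;
    o->keywords[0] = o->values[0] = NULL;
    return add_option(o, "host", host)
        && add_option(o, "user", user)
        && add_option(o, "scram_client_key", "<client-key-placeholder>")
        && add_option(o, "scram_server_key", "<server-key-placeholder>")
        /* pin the method so the remote server cannot ask for a password instead */
        && add_option(o, "require_auth", "scram-sha-256");
}

/* Check, before connecting, that require_auth really pins SCRAM. */
bool requires_scram(const ConnOpts *o)
{
    for (int i = 0; i < o->n; i++)
        if (strcmp(o->keywords[i], "require_auth") == 0)
            return strcmp(o->values[i], "scram-sha-256") == 0;
    return false;
}
```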

Attachment Content-Type Size
v10-0001-dblink-refactor-get-connection-routines.patch application/octet-stream 10.9 KB
v10-0002-dblink-Add-SCRAM-pass-through-authentication.patch application/octet-stream 21.5 KB
v10-0003-postgres_fdw-improve-security-checks.patch application/octet-stream 9.7 KB
