From: | Ashutosh Bapat <ashutosh(dot)bapat(at)enterprisedb(dot)com> |
---|---|
To: | Robert Haas <robertmhaas(at)gmail(dot)com> |
Cc: | Stephen Frost <sfrost(at)snowman(dot)net>, Michael Paquier <michael(dot)paquier(at)gmail(dot)com>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Jeff Janes <jeff(dot)janes(at)gmail(dot)com>, Andreas Karlsson <andreas(at)proxel(dot)se>, Haribabu Kommi <kommi(dot)haribabu(at)gmail(dot)com>, pgsql-hackers <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: [HACKERS] postgres_fdw super user checks |
Date: | 2017-12-07 05:53:17 |
Message-ID: | CAFjFpRcpSY+p_0vp-yUSASh1LY4ZzY8ygqwyAztA1zYioS-sLQ@mail.gmail.com |
Lists: | pgsql-hackers |
On Wed, Dec 6, 2017 at 1:35 AM, Robert Haas <robertmhaas(at)gmail(dot)com> wrote:
>>
>> "Only superusers may connect to foreign servers without password
>> authentication, so always specify the <literal>password</literal>
>> option for user mappings that may be used by non-superusers." But
>> which user mappings may be used by non-superusers cannot be defined
>> without explaining views owned by superusers. I don't think we should
>> be talking about views in that part of documentation.
>
> Well, if we don't, then I'm not sure we can really make this clear.
>
> Anyhow, I've committed the patch to master for now; we can keep
> arguing about what, if anything, to do for back-branch documentation.
>
Ok, something like this:
"Only superusers may connect to foreign servers without password
authentication, so always specify the <literal>password</literal>
option for user mappings that may be used by non-superusers. Hence
always specify the <literal>password</literal> option for a user
mapping for a non-superuser. Consider a view referencing a foreign
table and owned by a superuser but accessible to a non-superuser. When
the non-superuser executes a query referencing the view, it uses
the superuser's user mapping to connect to the foreign server. Since a
non-superuser is using the user mapping, it requires a password, even
though it's a super-user's mapping. Hence specify the
<literal>password</literal> option for a user mapping for a superuser,
if the superuser has such views."
That's a lot of explanation. And somehow we will have to say that this
behaviour will change in the next version.
--
Best Wishes,
Ashutosh Bapat
EnterpriseDB Corporation
The Postgres Database Company
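
The view case described in the proposed wording, as an added SQL example that is not part of the original message or of the PostgreSQL documentation. All object names, the host, the remote role and the password are constructed placeholders, and the failing behaviour is the one the message describes for the back branches.

```sql
-- Run as a superuser (assumed here to be the role "postgres").
CREATE EXTENSION IF NOT EXISTS postgres_fdw;

CREATE SERVER remote_srv                      -- constructed name
    FOREIGN DATA WRAPPER postgres_fdw
    OPTIONS (host 'remote.example.internal', dbname 'sales');

-- Weak setting: the superuser's mapping carries no password option.
CREATE USER MAPPING FOR postgres
    SERVER remote_srv
    OPTIONS (user 'fdw_reader');

CREATE FOREIGN TABLE remote_orders (id integer, total numeric)
    SERVER remote_srv
    OPTIONS (schema_name 'public', table_name 'orders');

-- View owned by the superuser, readable by a non-superuser.
CREATE VIEW orders_v AS SELECT id, total FROM remote_orders;
CREATE ROLE app_reader LOGIN;                 -- constructed non-superuser
GRANT SELECT ON orders_v TO app_reader;

-- As app_reader, "SELECT * FROM orders_v;" reaches remote_srv through the
-- view owner's (postgres) mapping. Per the message, the password requirement
-- still applies because a non-superuser is running the query, so this
-- mapping without a password is rejected.

-- Corrected setting: give the superuser's mapping a password option.
ALTER USER MAPPING FOR postgres
    SERVER remote_srv
    OPTIONS (ADD password 'PLACEHOLDER-PASSWORD');

-- Check, run as a superuser (who can see umoptions): list every user
-- mapping that has no password option. An empty usename means PUBLIC.
SELECT um.srvname, um.usename
FROM pg_user_mappings AS um
WHERE NOT EXISTS (
    SELECT 1
    FROM unnest(coalesce(um.umoptions, '{}'::text[])) AS opt
    WHERE opt LIKE 'password=%'
)
ORDER BY um.srvname, um.usename;
```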