From: | Jacob Champion <jacob(dot)champion(at)enterprisedb(dot)com> |
---|---|
To: | Wolfgang Walther <walther(at)technowledgy(dot)de> |
Cc: | Jelte Fennema-Nio <postgres(at)jeltef(dot)nl>, Robert Haas <robertmhaas(at)gmail(dot)com>, Joe Conway <mail(at)joeconway(dot)com>, Eric Hanson <eric(at)aquameta(dot)com>, PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org>, Matheus Alcantara <matheusssilv97(at)gmail(dot)com> |
Subject: | Re: Proposal: Role Sandboxing for Secure Impersonation |
Date: | 2024-12-05 16:27:23 |
Message-ID: | CAOYmi+=tT04+TpZb2WjSUx16TxOoyEULc_0+F8rQbb5HgGJd_Q@mail.gmail.com |
Lists: | pgsql-hackers

On Thu, Dec 5, 2024 at 12:47 AM Wolfgang Walther
<walther(at)technowledgy(dot)de> wrote:
> > If we want something like this, we'd want to allow
> > users to re-trigger SCRAM authentication. Which clearly requires a
> > protocol change.
>
> Yes. This. Re-authenticating without re-connecting.

The ability to reauthenticate would be useful for the OAUTHBEARER
mechanism as well. (Specifically, the ability to perform a new SASL
exchange on the connection after the first one has failed.) And it
would probably have overlap with the recent discussion around
pass-through SCRAM [1].

--Jacob

[1] https://postgr.es/m/27b29a35-9b96-46a9-bc1a-914140869dac%40gmail.com