From: | Stephen Frost <sfrost(at)snowman(dot)net> |
---|---|
To: | Bruce Momjian <bruce(at)momjian(dot)us> |
Cc: | greatvovan(at)gmail(dot)com, pgsql-docs(at)lists(dot)postgresql(dot)org |
Subject: | Re: User mapping security |
Date: | 2023-11-09 22:02:53 |
Message-ID: | ZU1XDU7dWU1zLLv2@tamriel.snowman.net |
Lists: | pgsql-docs |

Greetings,

* Bruce Momjian (bruce(at)momjian(dot)us) wrote:
> On Tue, Jul 16, 2019 at 02:01:00AM +0000, PG Doc comments form wrote:
> > The following documentation comment has been logged on the website:
> >
> > Page: https://www.postgresql.org/docs/10/postgres-fdw.html
> > Description:
> >
> > Regarding the documentation pages
> > https://www.postgresql.org/docs/10/postgres-fdw.html?origin_team=T02HEPYKQ
> > and https://www.postgresql.org/docs/10/sql-createusermapping.html
> >
> > I suppose it should be warned on the pages that foreign credentials will be
> > stored as simple text and will be available for viewing in pg_user_mappings.
>
> I know this is four years old, but the attached patch documents it. I
> don't think postgresql-fdw needs it since it relies on user mapping and
> discourages passwords in the connection string.

A bit on the fence about it ... but I do wonder if we should encourage
use of gssapi and credential delegation now that we support that and
point out that storing passwords isn't required if you're using gssapi.

Thanks,

Stephen

> diff --git a/doc/src/sgml/ref/create_user_mapping.sgml b/doc/src/sgml/ref/create_user_mapping.sgml
> index 55debd5401..e93bfe48f6 100644
> --- a/doc/src/sgml/ref/create_user_mapping.sgml
> +++ b/doc/src/sgml/ref/create_user_mapping.sgml
> @@ -92,7 +92,11 @@ CREATE USER MAPPING [ IF NOT EXISTS ] FOR { <replaceable class="parameter">user_
> This clause specifies the options of the user mapping. The
> options typically define the actual user name and password of
> the mapping. Option names must be unique. The allowed option
> - names and values are specific to the server's foreign-data wrapper.
> + names and values are specific to the server's foreign-data
> + wrapper. Option values, including passwords, are visible in the
> + <link
> + linkend="catalog-pg-user-mapping"><structname>pg_user_mapping</structname></link>
> + system view.
> </para>
> </listitem>
> </varlistentry>
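
Review bot: The added sentence calls `pg_user_mapping` a "system view", but the `linkend` (`catalog-pg-user-mapping`) and the `<structname>` both name the catalog, while the report quoted above refers to `pg_user_mappings`. Make the name, the link target and the noun agree: either describe the catalog as a catalog, or name the `pg_user_mappings` view and link to that view's own entry. It would also help to say who can see the option values rather than only that they are "visible", since that is the point the reporter was asking to have documented.
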