On Thu, Mar 20, 2025 at 9:02 PM Jacob Champion <jacob.champ...@enterprisedb.com> wrote:
>
> On Thu, Mar 20, 2025 at 12:54 PM Matheus Alcantara
> <matheusssil...@gmail.com> wrote:
> > Since the security checks are defined I'm attaching 0003 which include
> > the fix of security checks for postgres_fdw. It implements the
> > validations very similar to what are being implemented on dblink.
>
> Comments on 0003:
>
> > + keywords[n] = "require_auth";
> > + values[n] = "scram-sha-256";
> > + n++;
>
> The keywords and values arrays need to be lengthened for this.

Fixed. I've also changed the code comment to mention the scram keys and required options.

> > host all all $hostaddr/32
> > scram-sha-256
> > - });
> > + }
> > + );
>
> Accidental diff?

Yep, sorry, I made some confusion with dblink formatting. Removed

> A few whitespace and comment tweaks are attached as well.

Squashed

> --
>
> > > I think they should just be reduced to "The remote server must request
> > > SCRAM authentication." and "The user mapping password is not used."
> >
> > I've removed the "user mapping password" <listitem> because we already
> > mentioned above that the password is not used and having just "The user
> > mapping password is not used." again seems redundant, what do you think?
>
> Personally, I think it's still useful to call out that the password in
> the user mapping is explicitly ignored. The other text motivates the
> feature, but it doesn't explain how it interacts with existing user
> mappings (most of which will have passwords).

Fair point. I've changed it to just "The user mapping password is not used".

--
Matheus Alcantara

v10-0001-dblink-refactor-get-connection-routines.patch
v10-0002-dblink-Add-SCRAM-pass-through-authentication.patch
v10-0003-postgres_fdw-improve-security-checks.patch