Re: SCRAM pass-through authentication for postgres_fdw

Mon, 11 Aug 2025 13:43:47 -0700 

On Fri Aug 8, 2025 at 3:31 PM -03, Peter Eisentraut wrote:
>> I've also made some tests by using the use_scram_passthrough option on
>> foreign server and if a bgworker try to use a foreign table that has
>> this option associated with the foreign server the connection will fail
>> because we don't have the MyProcPort and the password. To make it work
>> the password is required on USER MAPPING options. I think that this
>> limitation should be documented, see patch attached.
>
> The fact that SCRAM pass-through doesn't work in a background worker is 
> arguably implied by the existing paragraph that says that you need to 
> use SCRAM on the client side.  But I think there is opportunity to 
> clarify that further.  The documentation currently doesn't say what 
> happens if the client doesn't use SCRAM.  The code then just ignores the 
> use_scram_passthrough setting, and your documentation proposal also 
> suggests that it would fall back to the password provided in the user 
> mapping.  But this could be documented more explicitly, I think.
>
I agree, thanks for the comments! What do you think about the following?

+      <para>
+       If the incoming connection to the FDW instance does not use SCRAM,
+       <literal>use_scram_passthrough</literal> is ignored and authentication
+       will instead use the password from the user mapping, if one is provided.
+      </para>

--
Matheus Alcantara

From d466c99bbe9bd87db57a4d3da062d812515b898c Mon Sep 17 00:00:00 2001
From: Matheus Alcantara <mths....@pm.me>
Date: Mon, 11 Aug 2025 17:38:20 -0300
Subject: [PATCH v2] docs: add note of fdw connections using SCRAM

---
 doc/src/sgml/postgres-fdw.sgml | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/doc/src/sgml/postgres-fdw.sgml b/doc/src/sgml/postgres-fdw.sgml
index 781a01067f7..ef052101abd 100644
--- a/doc/src/sgml/postgres-fdw.sgml
+++ b/doc/src/sgml/postgres-fdw.sgml
@@ -834,6 +834,13 @@ OPTIONS (ADD password_required 'false');
          </listitem>
         </itemizedlist>
        </para>
+
+      <para>
+       If the incoming connection to the FDW instance does not use SCRAM,
+       <literal>use_scram_passthrough</literal> is ignored and authentication
+       will instead use the password from the user mapping, if one is provided.
+      </para>
+
       </listitem>
      </varlistentry>
 
-- 
2.39.5 (Apple Git-154)

Reply via email to