Re: [I] [Bug] For security reasons, psql requires password verification before executing SQL after the session times out and disconnects [cloudberry]

2024-12-04 Thread via GitHub


my-ship-it closed issue #739: [Bug] For security reasons, psql requires 
password verification before executing SQL after the session times out and 
disconnects
URL: https://github.com/apache/cloudberry/issues/739


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscr...@cloudberry.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


-
To unsubscribe, e-mail: commits-unsubscr...@cloudberry.apache.org
For additional commands, e-mail: commits-h...@cloudberry.apache.org



Re: [I] [Bug] For security reasons, psql requires password verification before executing SQL after the session times out and disconnects [cloudberry]

2024-12-02 Thread via GitHub


z17033 commented on issue #739:
URL: https://github.com/apache/cloudberry/issues/739#issuecomment-2510965234

   @avamingli Alright, I'll give it a try, thank you for your reply.





Re: [I] [Bug] For security reasons, psql requires password verification before executing SQL after the session times out and disconnects [cloudberry]

2024-12-02 Thread via GitHub


avamingli commented on issue #739:
URL: https://github.com/apache/cloudberry/issues/739#issuecomment-2510952591

   
   
   
   
   > > FATAL: terminating connection due to idle-session timeout
   > > server closed the connection unexpectedly
   > > This probably means the server terminated abnormally
   > > before or while processing the request.
   > > The connection to the server was lost. Attempting reset:
   > 
   > Hi, this should be a crash, is it on our CBDB? You could use `select version()` to show the info. And could you provide the coredump file for us to see the crash?
   
   Hi @z17033,
   
   After some thought, I agree with @fanfuxiaoran that this is not a bug.
   
   > This is kind of an optimization of `psql`
   
   However, if you are convinced about that, my suggestion is that you could submit a patch to Postgres: https://www.postgresql.org/list/pgsql-bugs/
   
   The psql code comes from Postgres upstream, and we follow that.
   If there are some bugs, they should be fixed there and then cherry-picked to CBDB.
   





Re: [I] [Bug] For security reasons, psql requires password verification before executing SQL after the session times out and disconnects [cloudberry]

2024-12-02 Thread via GitHub


avamingli commented on issue #739:
URL: https://github.com/apache/cloudberry/issues/739#issuecomment-2510933653

   > FATAL: terminating connection due to idle-session timeout
   > server closed the connection unexpectedly
   > This probably means the server terminated abnormally
   > before or while processing the request.
   > The connection to the server was lost. Attempting reset:
   
   Hi, this should be a crash, is it on our CBDB? You could use `select version()` to show the info.
   And could you provide the coredump file for us to see the crash?
   
   
   
   
   





Re: [I] [Bug] For security reasons, psql requires password verification before executing SQL after the session times out and disconnects [cloudberry]

2024-11-29 Thread via GitHub


z17033 commented on issue #739:
URL: https://github.com/apache/cloudberry/issues/739#issuecomment-2508777303

   > hi @z17033, thanks for submitting the bug. When the connection is closed by the server, psql will try to reset the connection by closing and creating a new connection using the old connection params. This is kind of an optimization of `psql`. Could you give more explanation about what security problems this can bring?
   
   @fanfuxiaoran Thank you for your reply.
   First, while it is indeed possible to configure trust during user login, it is generally disabled in our commercial environments. Consider the following scenario:
   
   Step 1: User gpadmin is a superuser with the password _Passw0rd@__ and must use a password to log in. To prevent long idle sessions, `idle_session_timeout` is set to 60 seconds.
   
   Step 2: On the first login (`psql -U gpadmin`), the user needs to enter the password to log in, which is expected behavior.
   
   Step 3: After logging in, if the user is idle for more than 1 minute and then tries to execute a query, **a new session connection is automatically created without requiring password input. I believe this is not expected behavior.**
   
   _postgres=# select 1;  
   FATAL:  terminating connection due to idle-session timeout  
   server closed the connection unexpectedly  
   This probably means the server terminated abnormally  
   before or while processing the request.  
   The connection to the server was lost. Attempting reset: Succeeded.  
   seasql=#_  
   
   **A password prompt should appear when a new connection is created correctly.**
   
   _postgres=# select 1;  
   FATAL:  terminating connection due to idle-session timeout  
   server closed the connection unexpectedly  
   This probably means the server terminated abnormally  
   before or while processing the request.  
   The connection to the server was lost. Attempting reset:  
   **Password for user gpadmin**:_
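
A toy model of the behaviour described in this comment, added here as an illustration; it is not psql, libpq or Cloudberry code, and the `Server` and `Client` classes, `simulate` and the credential are constructed. It shows that the server verifies a password on the reset connection either way, and that only the client's choice to keep or discard its cached password decides whether the user is prompted again.

```python
import hmac

IDLE_TIMEOUT = 60  # seconds, the idle_session_timeout from the scenario

class Server:
    """Toy server: verifies a password per connection, drops idle sessions."""
    def __init__(self, users):
        self.users, self.auth_checks, self.sessions = users, 0, {}

    def connect(self, user, password, now):
        self.auth_checks += 1  # every new connection is authenticated
        if not hmac.compare_digest(self.users.get(user, ""), password):
            raise PermissionError("password authentication failed")
        sid = self.auth_checks
        self.sessions[sid] = now
        return sid

    def query(self, sid, now):
        if now - self.sessions[sid] > IDLE_TIMEOUT:
            del self.sessions[sid]
            raise ConnectionError("terminating connection due to idle-session timeout")
        self.sessions[sid] = now
        return "ok"

class Client:
    """Toy client; reuse_cached=True models a reset with the old parameters."""
    def __init__(self, server, user, ask_password, reuse_cached):
        self.server, self.user, self.ask = server, user, ask_password
        self.reuse_cached, self.password, self.prompts = reuse_cached, None, 0

    def connect(self, now):
        if self.password is None:  # nothing cached: the human must type it
            self.prompts += 1
            self.password = self.ask()
        self.sid = self.server.connect(self.user, self.password, now)

    def run(self, now):
        try:
            return self.server.query(self.sid, now)
        except ConnectionError:
            if not self.reuse_cached:
                self.password = None  # forget the secret, forcing a new prompt
            self.connect(now)  # the "Attempting reset" step
            return "reset"

def simulate(reuse_cached):
    server = Server({"gpadmin": "constructed-pw"})  # constructed credential
    client = Client(server, "gpadmin", lambda: "constructed-pw", reuse_cached)
    client.connect(0)
    return [client.run(1), client.run(120), client.run(121)], client.prompts, server.auth_checks
```

`simulate(True)` reports one user prompt and two server-side password checks; `simulate(False)` reports two of each.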





Re: [I] [Bug] For security reasons, psql requires password verification before executing SQL after the session times out and disconnects [cloudberry]

2024-11-29 Thread via GitHub


fanfuxiaoran commented on issue #739:
URL: https://github.com/apache/cloudberry/issues/739#issuecomment-2507354022

   hi @z17033, thanks for submitting the bug.
   When the connection is closed by the server, psql will try to reset the connection by closing and creating a new connection using the old connection params. This is kind of an optimization of `psql`.
   Could you give more explanation about what security problems this can bring?





[I] [Bug] For security reasons, psql requires password verification before executing SQL after the session times out and disconnects [cloudberry]

2024-11-28 Thread via GitHub


z17033 opened a new issue, #739:
URL: https://github.com/apache/cloudberry/issues/739

   ### Apache Cloudberry version
   
   master
   
   ### What happened
   
   psql did not verify the user password when executing SQL after disconnection due to session timeout. There is a security risk.
   
   ### What you think should happen instead
   
   For security reasons, psql requires password verification before executing 
SQL after the session times out and disconnects
   
   ### How to reproduce
   
   Step 1:
   set idle_session_timeout = 5s;
   Step 2:
   restart cluster
   Step 3:
   Using psql, log in to the database and have the session remain idle for more than 5 seconds.
   
   ### Operating System
   
   OS-independent
   
   ### Anything else
   
   
https://github.com/apache/cloudberry/pull/738/commits/0f8eef55115645bcbb74a3b38a5d5c429b9257e6
   
   ### Are you willing to submit PR?
   
   - [X] Yes, I am willing to submit a PR!
   
   ### Code of Conduct
   
   - [X] I agree to follow this project's [Code of Conduct](https://github.com/apache/cloudberry/blob/main/CODE_OF_CONDUCT.md).
   





Re: [I] [Bug] For security reasons, psql requires password verification before executing SQL after the session times out and disconnects [cloudberry]

2024-11-28 Thread via GitHub


github-actions[bot] commented on issue #739:
URL: https://github.com/apache/cloudberry/issues/739#issuecomment-2505516172

   Hey, @z17033 welcome!🎊 Thanks for taking the time to point this out.🙌

