Re: [I] [Bug] For security reasons, psql requires password verification before executing SQL after the session times out and disconnects [cloudberry]
my-ship-it closed issue #739: [Bug] For security reasons, psql requires password verification before executing SQL after the session times out and disconnects
URL: https://github.com/apache/cloudberry/issues/739

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscr...@cloudberry.apache.org
For queries about this service, please contact Infrastructure at: us...@infra.apache.org

-
To unsubscribe, e-mail: commits-unsubscr...@cloudberry.apache.org
For additional commands, e-mail: commits-h...@cloudberry.apache.org

Re: [I] [Bug] For security reasons, psql requires password verification before executing SQL after the session times out and disconnects [cloudberry]
z17033 commented on issue #739:
URL: https://github.com/apache/cloudberry/issues/739#issuecomment-2510965234

@avamingli Alright, I'll give it a try, thank you for your reply.

Re: [I] [Bug] For security reasons, psql requires password verification before executing SQL after the session times out and disconnects [cloudberry]
avamingli commented on issue #739:
URL: https://github.com/apache/cloudberry/issues/739#issuecomment-2510952591

> > FATAL: terminating connection due to idle-session timeout
> > server closed the connection unexpectedly
> > This probably means the server terminated abnormally
> > before or while processing the request.
> > The connection to the server was lost. Attempting reset:
>
> Hi, this should be a crash, is it on our CBDB? You could use `select version()` to show the info. And could you provide the coredump file for us to see the crash?

Hi, @z17033,
After a think, I agree with @fanfuxiaoran this is not a bug.

> This is kind of an optimization of `psql`

However, if you are convinced about that, my suggestion is that you could submit a patch to Postgres https://www.postgresql.org/list/pgsql-bugs/

Psql codes come from Postgres upstream, we follow that. If there were some bugs, they should be fixed there and then cherry-picked to CBDB.

Re: [I] [Bug] For security reasons, psql requires password verification before executing SQL after the session times out and disconnects [cloudberry]
avamingli commented on issue #739:
URL: https://github.com/apache/cloudberry/issues/739#issuecomment-2510933653

> FATAL: terminating connection due to idle-session timeout
> server closed the connection unexpectedly
> This probably means the server terminated abnormally
> before or while processing the request.
> The connection to the server was lost. Attempting reset:

Hi, this should be a crash, is it on our CBDB? You could use `select version()` to show the info. And could you provide the coredump file for us to see the crash?

Re: [I] [Bug] For security reasons, psql requires password verification before executing SQL after the session times out and disconnects [cloudberry]
z17033 commented on issue #739:
URL: https://github.com/apache/cloudberry/issues/739#issuecomment-2508777303

> hi @z17033, thanks for submitting the bug. When the connection is closed by the server, psql will try to reset the connection by closing and creating a new connection using the old connection params. This is kind of an optimization of `psql`. Could you give more explanation about what security problems this can bring?

@fanfuxiaoran Thank you for your reply. First, while it is indeed possible to configure trust during user login, it is generally disabled in our commercial environments.

Consider the following scenario:

Step 1: User gpadmin is a superuser with the password _Passw0rd@__ and must use a password to log in. To prevent long idle sessions, `idle_session_timeout` is set to 60 seconds.

Step 2: On the first login (`psql -U gpadmin`), the user needs to enter the password to log in, which is expected behavior.

Step 3: After logging in, if the user is idle for more than 1 minute and then tries to execute a query, **a new session connection is automatically created without requiring password input. I believe this is not expected behavior.**

_postgres=# select 1;
FATAL: terminating connection due to idle-session timeout
server closed the connection unexpectedly
This probably means the server terminated abnormally
before or while processing the request.
The connection to the server was lost. Attempting reset: Succeeded.
seasql=#_

**A password prompt should appear when a new connection is created correctly.**

_postgres=# select 1;
FATAL: terminating connection due to idle-session timeout
server closed the connection unexpectedly
This probably means the server terminated abnormally
before or while processing the request.
The connection to the server was lost. Attempting reset: **Password for user gpadmin**:_

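A server-side audit for the behaviour discussed in this thread, as an added example that is not part of the issue or of the Cloudberry/PostgreSQL code: it pairs each idle-session-timeout termination with the next authorized connection for the same user, database and client host. The log lines are constructed, and the format assumes `log_connections = on` and `log_line_prefix = '%t [%p] %u@%d %h '`; the function name is hypothetical.

```python
import re
from datetime import datetime

# Constructed sample server log; assumes log_connections = on and
# log_line_prefix = '%t [%p] %u@%d %h ' (assumptions, not from the thread).
SAMPLE_LOG = """\
2024-12-02 10:00:00 UTC [4101] gpadmin@postgres 10.0.0.5 LOG:  connection authorized: user=gpadmin database=postgres
2024-12-02 10:01:00 UTC [4101] gpadmin@postgres 10.0.0.5 FATAL:  terminating connection due to idle-session timeout
2024-12-02 10:07:30 UTC [4188] gpadmin@postgres 10.0.0.5 LOG:  connection authorized: user=gpadmin database=postgres
2024-12-02 10:08:00 UTC [4190] report@sales 10.0.0.9 LOG:  connection authorized: user=report database=sales
2024-12-02 10:09:00 UTC [4190] report@sales 10.0.0.9 FATAL:  terminating connection due to idle-session timeout
"""

LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \S+ \[(?P<pid>\d+)\] "
    r"(?P<user>[^@\s]+)@(?P<db>\S+) (?P<host>\S+) (?P<level>[A-Z]+):\s+(?P<msg>.*)$"
)
TIMEOUT_MSG = "terminating connection due to idle-session timeout"


def reconnects_after_idle_timeout(log_text):
    """Pair each idle-session-timeout kill with the next authorized
    connection for the same (user, database, client host)."""
    pending = {}   # (user, db, host) -> (kill time, killed backend pid)
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # lines with another prefix or continuation lines
        key = (m["user"], m["db"], m["host"])
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        if m["level"] == "FATAL" and m["msg"] == TIMEOUT_MSG:
            pending[key] = (ts, int(m["pid"]))
        elif m["msg"].startswith("connection authorized:") and key in pending:
            killed_at, old_pid = pending.pop(key)
            findings.append({
                "user": key[0], "database": key[1], "host": key[2],
                "killed_pid": old_pid, "new_pid": int(m["pid"]),
                "gap_seconds": int((ts - killed_at).total_seconds()),
            })
    return findings


if __name__ == "__main__":
    for finding in reconnects_after_idle_timeout(SAMPLE_LOG):
        print(finding)
```

The server log cannot tell whether the password was typed again or resent by the client, so the findings are a list of sessions to review rather than proof of an automatic reset.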
Re: [I] [Bug] For security reasons, psql requires password verification before executing SQL after the session times out and disconnects [cloudberry]
fanfuxiaoran commented on issue #739:
URL: https://github.com/apache/cloudberry/issues/739#issuecomment-2507354022

hi @z17033, thanks for submitting the bug. When the connection is closed by the server, psql will try to reset the connection by closing and creating a new connection using the old connection params. This is kind of an optimization of `psql`. Could you give more explanation about what security problems this can bring?

[I] [Bug] For security reasons, psql requires password verification before executing SQL after the session times out and disconnects [cloudberry]
z17033 opened a new issue, #739:
URL: https://github.com/apache/cloudberry/issues/739

### Apache Cloudberry version

master

### What happened

psql did not verify the user password when executing SQL after disconnection due to session timeout. There is a security risk.

### What you think should happen instead

For security reasons, psql requires password verification before executing SQL after the session times out and disconnects

### How to reproduce

Step 1: set idle_session_timeout = 5s;
Step 2: restart cluster
Step 3: Log in to the database using psql and have the session remain idle for more than 5 seconds.

### Operating System

OS-independent

### Anything else

https://github.com/apache/cloudberry/pull/738/commits/0f8eef55115645bcbb74a3b38a5d5c429b9257e6

### Are you willing to submit PR?

- [X] Yes, I am willing to submit a PR!

### Code of Conduct

- [X] I agree to follow this project's [Code of Conduct](https://github.com/apache/cloudberry/blob/main/CODE_OF_CONDUCT.md).

Re: [I] [Bug] For security reasons, psql requires password verification before executing SQL after the session times out and disconnects [cloudberry]
github-actions[bot] commented on issue #739:
URL: https://github.com/apache/cloudberry/issues/739#issuecomment-2505516172

Hey, @z17033 welcome!🎊 Thanks for taking the time to point this out.🙌