diff options
| author | Andrew Dunstan <andrew@dunslane.net> | 2019-12-20 16:23:34 +1030 |
|---|---|---|
| committer | Andrew Dunstan <andrew@dunslane.net> | 2019-12-20 16:23:34 +1030 |
| commit | 6136e94dcb88c50b6156aa646746565400e373d4 (patch) | |
| tree | 41c6d3367fdae86234a8b796cabcd65a0c61c0a8 /contrib/postgres_fdw/option.c | |
| parent | 16a4e4aecd47da7a6c4e1ebc20f6dd1a13f9133b (diff) | |
| download | postgresql-6136e94dcb88c50b6156aa646746565400e373d4.tar.gz postgresql-6136e94dcb88c50b6156aa646746565400e373d4.zip | |
Superuser can permit passwordless connections on postgres_fdw
Currently postgres_fdw doesn't permit a non-superuser to connect to a
foreign server without specifying a password, or to use an
authentication mechanism that doesn't use the password. This is to avoid
using the settings and identity of the user running Postgres.
However, this doesn't make sense for all authentication methods. We
therefore allow a superuser to set "password_required 'false'" for user
mappings for the postgres_fdw. The superuser must ensure that the
foreign server won't try to rely solely on the server identity (e.g.
trust, peer, ident) or use an authentication mechanism that relies on the
password settings (e.g. md5, scram-sha-256).
This feature is a prelude to better support for sslcert and sslkey
settings in user mappings.
Author: Craig Ringer.
Discussion: https://postgr.es/m/075135da-545c-f958-fed0-5dcb462d6dae@2ndQuadrant.com
Diffstat (limited to 'contrib/postgres_fdw/option.c')
| -rw-r--r-- | contrib/postgres_fdw/option.c | 19 |
1 files changed, 19 insertions, 0 deletions
diff --git a/contrib/postgres_fdw/option.c b/contrib/postgres_fdw/option.c index da175a626f2..f8b077d1116 100644 --- a/contrib/postgres_fdw/option.c +++ b/contrib/postgres_fdw/option.c @@ -51,6 +51,7 @@ static void InitPgFdwOptions(void); static bool is_valid_option(const char *keyword, Oid context); static bool is_libpq_option(const char *keyword); +#include "miscadmin.h" /* * Validate the generic options given to a FOREIGN DATA WRAPPER, SERVER, @@ -141,6 +142,23 @@ postgres_fdw_validator(PG_FUNCTION_ARGS) errmsg("%s requires a non-negative integer value", def->defname))); } + else if (strcmp(def->defname, "password_required") == 0) + { + bool pw_required = defGetBoolean(def); + + /* + * Only the superuser may set this option on a user mapping, or + * alter a user mapping on which this option is set. We allow a + * user to clear this option if it's set - in fact, we don't have a + * choice since we can't see the old mapping when validating an + * alter. + */ + if (!superuser() && !pw_required) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("password_required=false is superuser-only"), + errhint("User mappings with the password_required option set to false may only be created or modified by the superuser"))); + } } PG_RETURN_VOID(); @@ -175,6 +193,7 @@ InitPgFdwOptions(void) /* fetch_size is available on both server and table */ {"fetch_size", ForeignServerRelationId, false}, {"fetch_size", ForeignTableRelationId, false}, + {"password_required", UserMappingRelationId, false}, {NULL, InvalidOid, false} }; |