author | Peter Eisentraut | 2025-01-15 16:55:18 +0000 |
---|---|---|
committer | Peter Eisentraut | 2025-01-15 16:58:05 +0000 |
commit | 761c79508e7fbc33c1b11754bdde4bd03ce9cbb3 (patch) | |
tree | 5b76973b71b307fbdc2cd3989edee4dd44e56064 /contrib/postgres_fdw/expected | |
parent | b6463ea6ef3e46b32be96a23f3a9f47357847ce4 (diff) |
postgres_fdw: SCRAM authentication pass-through
This enables SCRAM authentication for postgres_fdw when connecting to
a foreign server without having to store a plain-text password on user
mapping options.
This is done by saving the SCRAM ClientKey and ServerKey from the
client authentication and using those instead of the plain-text
password for the server-side SCRAM exchange. The new foreign-server
or user-mapping option "use_scram_passthrough" enables this.
Co-authored-by: Matheus Alcantara <[email protected]>
Co-authored-by: Peter Eisentraut <[email protected]>
Discussion: https://www.postgresql.org/message-id/flat/[email protected]
Diffstat (limited to 'contrib/postgres_fdw/expected')
-rw-r--r-- | contrib/postgres_fdw/expected/postgres_fdw.out | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/contrib/postgres_fdw/expected/postgres_fdw.out b/contrib/postgres_fdw/expected/postgres_fdw.out
index bf322198a20..64aa12ecc48 100644
--- a/contrib/postgres_fdw/expected/postgres_fdw.out
+++ b/contrib/postgres_fdw/expected/postgres_fdw.out
@@ -10301,7 +10301,7 @@ CREATE FOREIGN TABLE pg_temp.ft1_nopw (
 ) SERVER loopback_nopw OPTIONS (schema_name 'public', table_name 'ft1');
 SELECT 1 FROM ft1_nopw LIMIT 1;
 ERROR: password or GSSAPI delegated credentials required
-DETAIL: Non-superusers must delegate GSSAPI credentials or provide a password in the user mapping.
+DETAIL: Non-superusers must delegate GSSAPI credentials, provide a password, or enable SCRAM pass-through in user mapping.
 -- If we add a password to the connstr it'll fail, because we don't allow passwords
 -- in connstrs only in user mappings.
 ALTER SERVER loopback_nopw OPTIONS (ADD password 'dummypw');
@@ -10351,7 +10351,7 @@ DROP USER MAPPING FOR CURRENT_USER SERVER loopback_nopw;
 -- lacks password_required=false
 SELECT 1 FROM ft1_nopw LIMIT 1;
 ERROR: password or GSSAPI delegated credentials required
-DETAIL: Non-superusers must delegate GSSAPI credentials or provide a password in the user mapping.
+DETAIL: Non-superusers must delegate GSSAPI credentials, provide a password, or enable SCRAM pass-through in user mapping.
 RESET ROLE;
 -- The user mapping for public is passwordless and lacks the password_required=false
 -- mapping option, but will work because the current user is a superuser. |
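Review bot: The new DETAIL line in both hunks (expected-output lines 10304 and 10354) says SCRAM pass-through is enabled "in user mapping", while the commit description says `use_scram_passthrough` can be set on the foreign server or the user mapping, so the hint is narrower than the feature and can point a non-superuser at the wrong object. The rewording also detaches "in the user mapping" from "provide a password", although the test comment right below the first hunk stresses that passwords are accepted only in user mappings. The unchanged primary line `ERROR: password or GSSAPI delegated credentials required` still names only two credential sources. The message string is defined outside this file, so it would be corrected there and the expected output regenerated, for example `DETAIL: Non-superusers must delegate GSSAPI credentials, provide a password in the user mapping, or enable SCRAM pass-through on the server or user mapping.`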