This patch allows the superuser to grant passwordless connection rights
in postgres_fdw user mappings.
The patch is authored by my colleague Craig Ringer, with slight bitrot
fixed by me.
One use case for this is with passphrase-protected client certificates,
a patch for which will follow shortly.
Here are Craig's remarks on the patch:
postgres_fdw denies a non-superuser the ability to establish a connection
that doesn't have a password in the connection string, or one that fails
to actually use the password in authentication. This is to stop the
unprivileged user using OS-level authentication as the postgres server
(peer, ident, trust). It also stops unauthorized use of local credentials
like .pgpass, a service file, client certificate files, etc.
Add the ability for a superuser to create user mappings that override this
behaviour by setting the passwordless_ok attribute to true in a user
mapping for a non-superuser. The non-superuser gains the ability to use
the FDW the mapping applies to even if there's no password in their
mapping or in the connection string.
This is only safe if the superuser has established that the local server
is configured safely. It must be configured not to allow
trust/peer/ident/sspi/gssapi auth to allow the OS user the postgres server
runs as to log in to postgres as a superuser. Client certificate keys can
be used too, if accessible. But the superuser can already GRANT superrole
TO normalrole, so it's not any sort of new power.
cheers
andrew
--
Andrew Dunstan https://www.2ndQuadrant.com
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
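
One way a superuser could check the condition in the quoted remarks before granting a passwordless mapping, as an added example that is not part of the original message or the patch: it scans pg_hba.conf text for rules that let a superuser role in via trust/peer/ident/sspi/gss. The function name, the `superusers` default and the sample file are assumptions constructed here.

```python
import ipaddress
import shlex

# Auth methods the message names as passwordless ("gss" is pg_hba.conf's name for gssapi).
PASSWORDLESS = {"trust", "peer", "ident", "sspi", "gss"}

def risky_hba_rules(hba_text, superusers=("postgres",)):
    """Return (line_no, type, user_field, method) for every rule that lets a
    superuser role authenticate with one of the PASSWORDLESS methods."""
    findings = []
    for line_no, raw in enumerate(hba_text.splitlines(), start=1):
        fields = shlex.split(raw, comments=True)   # drops '#' comments, honours quotes
        if len(fields) < 4:
            continue                               # blank, comment or include line
        conn_type, user_field = fields[0], fields[2]
        if conn_type == "local":
            method_idx = 3                         # local rules have no ADDRESS column
        else:
            try:
                ipaddress.ip_address(fields[3])    # bare IP: a separate netmask follows
                method_idx = 5
            except ValueError:
                method_idx = 4                     # CIDR, hostname, samehost, ...
        if method_idx >= len(fields):
            continue                               # malformed rule, nothing to judge
        method = fields[method_idx]
        # "all", a named superuser, or an unresolved +group/@file entry counts as a match.
        hits_superuser = any(u == "all" or u in superusers or u.startswith(("+", "@"))
                             for u in user_field.split(","))
        if method in PASSWORDLESS and hits_superuser:
            findings.append((line_no, conn_type, user_field, method))
    return findings

# Constructed sample, not taken from any real server.
SAMPLE_HBA = """\
# TYPE  DATABASE  USER      ADDRESS        METHOD
local   all       postgres                 peer
local   all       all                      scram-sha-256
host    all       all       127.0.0.1/32   trust
host    all       app_user  ::1/128        trust
host    all       postgres  10.0.0.5 255.255.255.255 scram-sha-256
hostssl all       +admins   0.0.0.0/0      cert
"""

if __name__ == "__main__":
    for finding in risky_hba_rules(SAMPLE_HBA):
        print("passwordless superuser login possible:", finding)
```

Group (`+role`) and file (`@file`) user entries are reported rather than resolved, and pg_ident.conf maps are not evaluated.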