Re: missing toast table for pg_policy - Mailing list pgsql-hackers

From Michael Paquier
Subject Re: missing toast table for pg_policy
Date
Msg-id 20180217234837.GC31338@paquier.xyz
Whole thread Raw
In response to Re: missing toast table for pg_policy  (Andres Freund <andres@anarazel.de>)
Responses Re: missing toast table for pg_policy
List pgsql-hackers
On Sat, Feb 17, 2018 at 08:52:11AM -0800, Andres Freund wrote:
> On 2018-02-17 11:39:57 -0500, Tom Lane wrote:
> >  pg_authid               | rolpassword     | text
>
> that seems not not to require one.

You can craft SCRAM verifiers that make it fail, which can be easily
done using this module:
https://github.com/michaelpq/pg_plugins/tree/master/scram_utils

=# create extension scram_utils ;
CREATE EXTENSION
=# select scram_utils_verifier('your_role_name', 'foo', 100, 9000);
ERROR:  54000: row is too big: size 12224, maximum size 8160

The third argument counts for the number of iterations to generate the
proof and the fourth controls the salt length.

Longer salts make it for harder to reproduce connection proofs, so some
users may want to privilege that than the number of iterations, and
those are perfectly valid per the SCRAM exchange protocol.

There is another restriction which limits the size of authentication
messages to 2000 in libpq, which we may actually want to relax in the
future if we allow configurable in-core salt lengths to be created with
a GUC.  And other clients like jdbc don't have this restriction if I
recall correctly.

In short, removing this restriction at least on HEAD for the backend
gives more flexibility.
--
Michael

Attachment

pgsql-hackers by date:

Previous
From: David Rowley
Date:
Subject: Re: [HACKERS] path toward faster partition pruning
Next
From: Andres Freund
Date:
Subject: Re: missing toast table for pg_policy