Re: pgsql: Superuser can permit passwordless connections on postgres_fdw - Mailing list pgsql-committers

From Michael Paquier
Subject Re: pgsql: Superuser can permit passwordless connections on postgres_fdw
Date
Msg-id 20191220120208.GA4258@paquier.xyz
In response to pgsql: Superuser can permit passwordless connections on postgres_fdw  (Andrew Dunstan <andrew@dunslane.net>)
List pgsql-committers

Hi Andrew,

On Fri, Dec 20, 2019 at 05:55:10AM +0000, Andrew Dunstan wrote:
> Superuser can permit passwordless connections on postgres_fdw
>
> Currently postgres_fdw doesn't permit a non-superuser to connect to a
> foreign server without specifying a password, or to use an
> authentication mechanism that doesn't use the password. This is to avoid
> using the settings and identity of the user running Postgres.
>
> However, this doesn't make sense for all authentication methods. We
> therefore allow a superuser to set "password_required 'false'" for user
> mappings for the postgres_fdw. The superuser must ensure that the
> foreign server won't try to rely solely on the server identity (e.g.
> trust, peer, ident) or use an authentication mechanism that relies on the
> password settings (e.g. md5, scram-sha-256).
>
> This feature is a prelude to better support for sslcert and sslkey
> settings in user mappings.

After this commit a couple of buildfarm animals are unhappy with the
regression tests of postgres_fdw:
 CREATE ROLE nosuper NOSUPERUSER;
+WARNING:  roles created by regression test cases should have names
 starting with "regress_"
 GRANT USAGE ON FOREIGN DATA WRAPPER postgres_fdw TO nosuper;
It is a project policy to only use roles prefixed by "regress_" in
regression tests.

There is also a second type of failure:
-HINT:  Valid options in this context are: [...] krbsrvname [...]
+HINT:  Valid options in this context are: [...]
The diff here is that krbsrvname is not part of the list of valid
options.  Anyway, as this list is build-dependent, I think that this
test needs some more design effort.
--
Michael
