Joe Conway wrote:
> I'm mainly concerned about re-opening security holes that we spent a lot
> of time debating and subsequently closing. I suspect if we assume that
> any FDW-derived connect string can bypass the checks we put in place, we
> will regret it later. But I'm open to arguments on both sides...
>
In order to create a foreign server, the user needs USAGE on the foreign
data wrapper. Creating user mappings requires the user to be the owner of
the server. Both need explicit grants or alters by the superuser. This is
a bit more relaxed than the current superuser check, but still only trusted
users can define arbitrary connections.
Also, allowing passwordless user mappings adds some flexibility for defining
connections - storing passwords in .pgpass, pgservice or not using a password
at all (pg_hba trust etc.).
regards,
Martin