On 8/12/15 12:19 PM, Robert Haas wrote:
> On Wed, Aug 12, 2015 at 10:50 AM, Peter Eisentraut <peter_e@gmx.net> wrote:
>> I understand this idea, but I think it's not practical for many uses.
>> There is no way to find out, on the server, whether all current clients
>> would support a switch to SCRAM. Let alone all not-current clients.
>> The only way to do such a switch would be to do the switch and then
>> check for connection failures in the log, which is not good.
>
> Well, number one, I don't think we log anything currently that would
> let you figure that out;
We have options to log details about authenticated connections. This
kind of thing could easily be added there.
> and number two, I'm not sure I believe that's
> the only way to make sure you've updated your clients.
Well, if there is another one, I haven't heard about it so far.
>> (Now that I think about this, to counter my point, this is very similar
>> to the switch from crypt to md5. You couldn't turn that on until you
>> were sure that all clients would support it. I don't remember the
>> experience from back then, though.)
>
> Maybe we should try to find out how that played out. It could inform
> the current discussion.
I think in those days, installations weren't very long-lived. md5 was
introduced in version 7.2, which is also the first version with lazy vacuum.
> Another thing we might want to try to find out is: if we add SCRAM
> authentication to 9.6, how committed are drivers authors to adding
> that support to their drivers? If we poll the maintainers of the
> drivers for Perl, Python, Ruby, Node.JS, Java, ODBC, etc. and involve
> them in this conversation, we might learn useful things. This is a
> big change we're talking about, and it's only to work (regardless of
> the details) if the driver authors are on board. We haven't, AFAIK,
> talked to them about this at all.
I'm not concerned about whether drivers are willing to support this.
These sort of things have usually worked out in the past. But just
because a driver supports a new authentication method, that doesn't mean
everyone can or will upgrade to it right away.