Re: password_encryption default - Mailing list pgsql-hackers

From Robert Haas
Subject Re: password_encryption default
Date
Msg-id CA+Tgmoa53WpBX9mtYWWNPa-Nrg8bBEVfUEKYwgDwuJey3q3ZXg@mail.gmail.com
Whole thread Raw
In response to Re: password_encryption default  (Peter Eisentraut <peter.eisentraut@2ndquadrant.com>)
Responses Re: password_encryption default
List pgsql-hackers
On Thu, May 28, 2020 at 8:53 AM Peter Eisentraut
<peter.eisentraut@2ndquadrant.com> wrote:
> More along these lines: We could also remove the ENCRYPTED and
> UNENCRYPTED keywords from CREATE and ALTER ROLE.  AFAICT, these have
> never been emitted by pg_dump or psql, so there are no concerns from
> that end.  Thoughts?

I have a question about this. My understanding of this area isn't
great. As I understand it, you can specify a password unencrypted and
let the system compute the validator from it, or you can compute the
validator yourself and then send that as the 'encrypted' password.
But, apparently, CREATE ROLE and ALTER ROLE don't really know which
thing you did. They just examine the string that you passed and decide
whether it looks like a validator. If so, they assume it is; if not,
they assume it's just a password.

But that seems really odd. What if you choose a password that just
happens to look like a validator? Perhaps that's not real likely, but
why do we not permit -- or even require -- the user to specify intent?
It seems out of character for us to, essentially, guess the meaning of
something ambiguous rather than requiring the user to be clear about
it.

-- 
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company



pgsql-hackers by date:

Previous
From: Robert Haas
Date:
Subject: Re: Explain Analyze (Rollback off) Suggestion
Next
From: Stephen Frost
Date:
Subject: Re: password_encryption default