Re: [HACKERS] Provide list of subscriptions and publications inpsql's completion - Mailing list pgsql-hackers

From Magnus Hagander
Subject Re: [HACKERS] Provide list of subscriptions and publications inpsql's completion
Date
Msg-id CABUevEwoM6MRdVTNRKBzMNUxEdYibzsP0H_CMX+-V+kYCKCT0g@mail.gmail.com
Whole thread Raw
In response to Re: [HACKERS] Provide list of subscriptions and publications inpsql's completion  (Michael Paquier <michael.paquier@gmail.com>)
Responses Re: [HACKERS] Provide list of subscriptions and publications inpsql's completion
Re: [HACKERS] Provide list of subscriptions and publications inpsql's completion
List pgsql-hackers


On Sun, Feb 19, 2017 at 2:01 AM, Michael Paquier <michael.paquier@gmail.com> wrote:
On Sun, Feb 19, 2017 at 9:50 AM, Michael Paquier
<michael.paquier@gmail.com> wrote:
> I have been poking at it, and yeah... I missed the fact that
> pg_subcription is not a view. I thought that check_conninfo was being
> called in this context only..

Still, storing plain passwords in system catalogs is a practice that
should be discouraged as base backup data can go over a network as
well... At least adding a note or a warning in the documentation would
be nice about the fact that any kind of security-sensitive data should
be avoided here.


Isn't that moving the goalposts quite a bit? We already allow passwords in CREATE USER MAPPING without any warnings against it (in fact, we suggest that's what you should do), which is a similar situation. Same goes for dblink.

If password auth is used, we have to store the password in plaintext equivalent somewhere. Meaning it's by definition going to be exposed to superusers and replication downstreams. Or are you suggesting a scheme whereby you have to enter all your subscription passwords in a prompt of some kind when starting the postmaster, to avoid it?


--

pgsql-hackers by date:

Previous
From: Robert Haas
Date:
Subject: Re: [HACKERS] Parallel Index-only scan
Next
From: Robert Haas
Date:
Subject: Re: [HACKERS] [PATCH] Add pg_disable_checksums() and supporting infrastructure