On Sun, Feb 19, 2017 at 9:50 AM, Michael Paquier <michael.paquier@gmail.com> wrote:
> I have been poking at it, and yeah... I missed the fact that
> pg_subscription is not a view. I thought that check_conninfo was being
> called in this context only.
> Still, storing plain passwords in system catalogs is a practice that
> should be discouraged as base backup data can go over a network as
> well... At least adding a note or a warning in the documentation would
> be nice about the fact that any kind of security-sensitive data should
> be avoided here.

Isn't that moving the goalposts quite a bit? We already allow passwords in CREATE USER MAPPING without any warnings against it (in fact, we suggest that's what you should do), which is a similar situation. Same goes for dblink.
If password auth is used, we have to store the password in plaintext equivalent somewhere. Meaning it's by definition going to be exposed to superusers and replication downstreams. Or are you suggesting a scheme whereby you have to enter all your subscription passwords in a prompt of some kind when starting the postmaster, to avoid it?
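
An added illustration, not part of the message above: a Python check that flags subscriptions whose connection string embeds a password, the situation debated in this thread. The rows are constructed samples; `subname` and `subconninfo` are the `pg_subscription` columns they imitate, and the host names and passwords are made up.

```python
from urllib.parse import urlsplit, parse_qs

def parse_conninfo(s):
    """Parse a libpq keyword/value connection string into a dict."""
    out, i, n = {}, 0, len(s)
    while i < n:
        if s[i].isspace():
            i += 1
            continue
        eq = s.find("=", i)
        if eq < 0:
            raise ValueError("keyword without '='")
        key = s[i:eq].strip()
        i = eq + 1
        while i < n and s[i].isspace():      # spaces around '=' are allowed
            i += 1
        quoted = i < n and s[i] == "'"
        if quoted:
            i += 1
        val = []
        while i < n:
            c = s[i]
            if c == "\\" and i + 1 < n:      # backslash escapes the next char
                val.append(s[i + 1])
                i += 2
                continue
            if (c == "'") if quoted else c.isspace():
                break
            val.append(c)
            i += 1
        if quoted:
            if i >= n:
                raise ValueError("unterminated quoted value")
            i += 1                           # skip the closing quote
        out[key] = "".join(val)
    return out

def has_password(conninfo):
    """True if the string carries a password, in keyword or URI form."""
    if conninfo.startswith(("postgresql://", "postgres://")):
        u = urlsplit(conninfo)
        return bool(u.password) or "password" in parse_qs(u.query)
    return bool(parse_conninfo(conninfo).get("password"))

# Constructed rows, shaped like: SELECT subname, subconninfo FROM pg_subscription
SAMPLE = [("sub_a", "host=pub1.example dbname=app user=repl password=s3cret"),
          ("sub_b", "host=pub2.example dbname=app user=repl"),
          ("sub_c", "host=pub3.example user=repl password = 'a b\\'c'"),
          ("sub_d", "postgresql://repl:pw@pub4.example/app")]

def audit(rows):
    """Return the names of subscriptions that store a password in the catalog."""
    return [name for name, conninfo in rows if has_password(conninfo)]
```
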