Home > mailing lists

Re: Proposal: Role Sandboxing for Secure Impersonation - Mailing list pgsql-hackers

From	Jacob Champion
Subject	Re: Proposal: Role Sandboxing for Secure Impersonation
Date	December 5 22:27:23
Msg-id	CAOYmi+=tT04+TpZb2WjSUx16TxOoyEULc_0+F8rQbb5HgGJd_Q@mail.gmail.com Whole thread Raw
In response to	Re: Proposal: Role Sandboxing for Secure Impersonation (Wolfgang Walther <walther@technowledgy.de>)
List	pgsql-hackers

Tree view

On Thu, Dec 5, 2024 at 12:47 AM Wolfgang Walther
<walther@technowledgy.de> wrote:
> > If we want something like this, we'd want to allow
> > users to re-trigger SCRAM authentication. Which clearly requires a
> > protocol change.
>
> Yes. This. Re-authenticating without re-connecting.

The ability to reauthenticate would be useful for the OAUTHBEARER
mechanism as well. (Specifically, the ability to perform a new SASL
exchange on the connection after the first one has failed.) And it
would probably have overlap with the recent discussion around
pass-through SCRAM [1].

--Jacob

[1] https://postgr.es/m/27b29a35-9b96-46a9-bc1a-914140869dac%40gmail.com

pgsql-hackers by date:

From: Robert Haas
Date: 05 December, 22:21:12
Subject: Re: deferred writing of two-phase state files adds fragility

From: Tom Lane
Date: 05 December, 22:33:22
Subject: Re: attndims, typndims still not enforced, but make the value within a sane threshold

Re: Proposal: Role Sandboxing for Secure Impersonation - Mailing list pgsql-hackers

Previous

Next