Re: dblink: Add SCRAM pass-through authentication - Mailing list pgsql-hackers

From Jacob Champion
Subject Re: dblink: Add SCRAM pass-through authentication
Msg-id CAOYmi+nQhzERECv5=He3ccmZSZwZqxSiyFufspUH71U6Rwvx=g@mail.gmail.com
In response to Re: dblink: Add SCRAM pass-through authentication  (Peter Eisentraut <peter@eisentraut.org>)
Responses Re: dblink: Add SCRAM pass-through authentication
List pgsql-hackers
On Fri, Mar 7, 2025 at 8:22 AM Peter Eisentraut <peter@eisentraut.org> wrote:
> Right.  How about the attached?  It checks as an alternative to a
> password whether the SCRAM keys were provided.  That should get us back
> to the same level of checking?

Yes, I think so. Attached is a set of tests to illustrate, mirroring
the dblink tests added upthread; they fail without this patch.

I like that this solution addresses some of the concerns from my dblink review.

--

Not part of this patchset, but I think the errmsg in
pgfdw_security_check() is confusing:

    ERROR: password or GSSAPI delegated credentials required
    DETAIL: Non-superuser cannot connect if the server does not request a password or...
    HINT: Target server's authentication method must be changed or...

For the user to have gotten past check_conn_params, they *have*
provided a password/credentials. But the server didn't ask for it (or
at least, not the right one). The detail and hint messages are correct
here, but I'd argue the error message itself is not.

Thanks!
--Jacob
