Re: [PoC/RFC] Multiple passwords, interval expirations - Mailing list pgsql-hackers

From Stephen Frost
Subject Re: [PoC/RFC] Multiple passwords, interval expirations
Date
Msg-id CAOuzzgq2j43X6vwF8LCPcPuKZ2gw0ZbF=CrsB6CmtEt1h2ci0g@mail.gmail.com
In response to Re: [PoC/RFC] Multiple passwords, interval expirations  ("Brindle, Joshua" <joshuqbr@amazon.com>)
Responses Re: [PoC/RFC] Multiple passwords, interval expirations
List pgsql-hackers
Greetings,

On Fri, Jul 1, 2022 at 10:51 Brindle, Joshua <joshuqbr@amazon.com> wrote:

> On 6/30/22 8:20 PM, Stephen Frost wrote:
>> * Gurjeet Singh (gurjeet@singh.im) wrote:
>>> I am planning on picking it up next week; right now picking up steam,
>>> and reviewing a different, smaller patch.
>> Great!  Glad that others are interested in this.
>>
>>> At his behest, I had a conversation with Joshua (OP), and have his
>>> support to pick up and continue working on this patch. I have some
>>> ideas of my own, on what this patch should do, but since I haven't
>>> fully reviewed the (bulky) patch, I'll reserve my proposals until I
>>> wrap my head around it.
>> I'd be curious as to your thoughts as to what the patch should be doing.
>> Joshua and I had discussed it at some length as he was working on it.
>
> Adding myself to the CC list here /waves
>
> Hi!
>
> I gave Gurjeet a bit of a brain dump on what I had planned (and what
> we'd talked about), though he's free to take it in a different direction
> if he wants.
>
> Though I would certainly like this patch to be useful for the use-cases that we had discussed, naturally. :)
>
>>> Please expect some activity on this patch towards the end of next week.
>> I've gone ahead and updated it, cleaned up a couple things, and made it
>> so that check-world actually passes with it.  Attached is an updated
>> version and I'll add it to the July commitfest.
>
> Ah, thanks. Hopefully it wasn't too horrible of a rebase.

Wasn’t too bad. It needs more clean-up; there were some whitespace issues and some simple rebase stuff, but then the support for the “md5” pg_hba option was broken for users with SCRAM passwords because we weren’t checking if there was a SCRAM password stored and upgrading to SCRAM in that case.  That’s the main case that I fixed.  We will need to document this though, of course.  The patch I submitted should basically do:

pg_hba md5 + md5-only pws -> md5 auth used
pg_hba md5 + scram-only pws -> scram
pg_hba md5 + md5 and scram pws -> scram
pg_hba scram -> scram

Not sure if we need to try and do something to make it possible to have pg_hba md5 + mixed passwords and have md5 used, but it’s tricky, as we would have to know on the server side early on if that’s what we want to do.  We could add an option to md5 to say “only do md5”, maybe, but I’m also inclined to not bother and tell people to just get moved to scram already.

For my 2c, I’d also like to move to having a separate column for the PW type from the actual secret but that’s largely an independent change.

Thanks!

Stephen
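The auth-method selection rule Stephen lays out above (pg_hba md5 only stays md5 when every stored password is an md5 verifier; any stored SCRAM verifier, or a pg_hba scram entry, means SCRAM is used), modelled as an added Python example. This is not code from the patch or from PostgreSQL; the function names are hypothetical, the stored-verifier formats are assumed from PostgreSQL's documented conventions ("md5" + 32 hex digits for md5, "SCRAM-SHA-256$<iter>:<salt>$<StoredKey>:<ServerKey>" for SCRAM), and the sample SCRAM verifier is a constructed string, not a real one.

```python
import hashlib
import re
from typing import Iterable

# Assumed stored-verifier formats (PostgreSQL convention, not from the patch):
#   md5   : "md5" + hex(md5(password + username)), 35 characters total
#   SCRAM : "SCRAM-SHA-256$<iterations>:<salt_b64>$<StoredKey_b64>:<ServerKey_b64>"
MD5_RE = re.compile(r"^md5[0-9a-f]{32}$")
SCRAM_RE = re.compile(
    r"^SCRAM-SHA-256\$\d+:[A-Za-z0-9+/=]+\$[A-Za-z0-9+/=]+:[A-Za-z0-9+/=]+$"
)


def classify_verifier(secret: str) -> str:
    """Return 'md5' or 'scram-sha-256' for a stored verifier string."""
    if MD5_RE.match(secret):
        return "md5"
    if SCRAM_RE.match(secret):
        return "scram-sha-256"
    raise ValueError("unrecognised verifier format")


def choose_auth_method(hba_method: str, stored_secrets: Iterable[str]) -> str:
    """Pick the wire authentication method for a role with possibly several
    stored passwords, following the rule in the message:

        pg_hba md5   + md5-only verifiers      -> md5
        pg_hba md5   + scram-only verifiers    -> scram
        pg_hba md5   + md5 and scram verifiers -> scram
        pg_hba scram                           -> scram
    """
    kinds = {classify_verifier(s) for s in stored_secrets}
    if not kinds:
        raise ValueError("role has no stored password")
    if hba_method == "scram-sha-256":
        # The pg_hba entry demands SCRAM; the exchange can only succeed if a
        # SCRAM verifier is actually stored, which is the caller's concern.
        return "scram-sha-256"
    if hba_method == "md5":
        # Legacy md5 is offered only when no SCRAM verifier exists at all;
        # the presence of any SCRAM verifier upgrades the exchange to SCRAM.
        return "md5" if kinds == {"md5"} else "scram-sha-256"
    raise ValueError(f"unsupported pg_hba method {hba_method!r}")


def md5_verifier(username: str, password: str) -> str:
    """Build a legacy md5 verifier for a constructed sample role/password."""
    return "md5" + hashlib.md5((password + username).encode()).hexdigest()


# Constructed sample SCRAM verifier: well-formed shape, placeholder base64 payloads.
SAMPLE_SCRAM = (
    "SCRAM-SHA-256$4096:c2FsdHNhbHQ=$"
    "U3RvcmVkS2V5U3RvcmVkS2V5U3RvcmVkS2V5U3RvcmVkS2V5PQ==:"
    "U2VydmVyS2V5U2VydmVyS2V5U2VydmVyS2V5U2VydmVyS2V5PQ=="
)


def demo() -> dict:
    """Run the four cases from the message against constructed verifiers."""
    legacy = md5_verifier("alice", "correct horse")
    return {
        "md5 + md5-only": choose_auth_method("md5", [legacy]),
        "md5 + scram-only": choose_auth_method("md5", [SAMPLE_SCRAM]),
        "md5 + mixed": choose_auth_method("md5", [legacy, SAMPLE_SCRAM]),
        "scram": choose_auth_method("scram-sha-256", [legacy, SAMPLE_SCRAM]),
    }


if __name__ == "__main__":
    for case, method in demo().items():
        print(f"{case:18} -> {method}")
```

The classification step is what the original patch was missing for the mixed case: the server has to look at the stored verifier types before it picks the exchange, which is exactly why "md5 but prefer md5 even with mixed passwords" would need an explicit pg_hba option.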
