Thread: Feature request dblink: Security issue - dblink user+password parameters must be optional
Feature request dblink: Security issue - dblink user+password parameters must be optional
From
Hermann Muster
Date:
When creating a view via DBLINK, the user=... and password=... parameters shall be optional. If they are left out, then the current user accessing the view shall be impersonated implicitely to the "dblinked" database as well. Forcing anybody to hardcode a password readable within the view definition should be an absolute DON'T! Haven't found a better place to post this request. Hope the author of dblink is reading it here, too. :-)
Re: Feature request dblink: Security issue - dblink user+password parameters must be optional
From
Marko Kreen
Date:
On 1/28/09, Hermann Muster <Hermann.Muster@gmx.de> wrote: > When creating a view via DBLINK, the user=... and password=... parameters > shall be optional. If they are left out, then the current user accessing the > view shall be impersonated implicitely to the "dblinked" database as well. > Forcing anybody to hardcode a password readable within the view definition > should be an absolute DON'T! > > Haven't found a better place to post this request. Hope the author of > dblink is reading it here, too. :-) I think this will be properly fixed by SQL-MED connection handling in 8.4. In older version maybe you can use wrapper function around dblink that constructs per-user connect string. -- marko