}
+/*
+ * Return whether SCRAM pass-through is enabled.
+ *
+ * If use_scram_passthrough is specified in both the foreign server
+ * and the user mapping, the user mapping setting takes precedence.
+ */
static bool
UseScramPassthrough(ForeignServer *foreign_server, UserMapping *user)
{
ListCell *cell;
- foreach(cell, foreign_server->options)
+ foreach(cell, user->options)
{
DefElem *def = lfirst(cell);
return defGetBoolean(def);
}
- foreach(cell, user->options)
+ foreach(cell, foreign_server->options)
{
DefElem *def = (DefElem *) lfirst(cell);
my $db2 = "db2"; # For node2
my $fdw_server = "db1_fdw";
my $fdw_server2 = "db2_fdw";
+my $fdw_server3 = "db1_fdw_override";
my $fdw_invalid_server = "db2_fdw_invalid"; # For invalid fdw options
my $fdw_invalid_server2 =
"db2_fdw_invalid2"; # For invalid scram keys fdw options
setup_fdw_server($node1, $db0, $fdw_server2, $node2, $db2);
setup_invalid_fdw_server($node1, $db0, $fdw_invalid_server, $node2, $db2);
setup_fdw_server($node1, $db0, $fdw_invalid_server2, $node2, $db2);
+setup_fdw_server($node1, $db0, $fdw_server3, $node1, $db1);
setup_user_mapping($node1, $db0, $fdw_server);
setup_user_mapping($node1, $db0, $fdw_server2);
setup_user_mapping($node1, $db0, $fdw_invalid_server);
+setup_user_mapping($node1, $db0, $fdw_server3);
# Make the user have the same SCRAM key on both servers. Forcing to have the
# same iteration and salt.
test_fdw_auth_with_invalid_overwritten_require_auth($fdw_invalid_server);
+# Test that use_scram_passthrough=false on user mapping overrides server setting
+{
+ my $connstr = $node1->connstr($db0) . qq' user=$user';
+
+ $node1->safe_psql($db0,
+ qq'ALTER USER MAPPING FOR $user SERVER $fdw_server3 OPTIONS(add use_scram_passthrough \'false\')',
+ connstr => $connstr
+ );
+
+ my ($ret, $stdout, $stderr) = $node1->psql(
+ $db0,
+ "select * from dblink('$fdw_server3', 'select * from t') as t(a int, b int)",
+ connstr => $connstr);
+
+ is($ret, 3, 'SCRAM passthrough disabled on user mapping should fail');
+ like(
+ $stderr,
+ qr/password/i,
+ 'expected password-related error when scram passthrough disabled on user mapping');
+}
+
# Ensure that trust connections fail without superuser opt-in.
unlink($node1->data_dir . '/pg_hba.conf');
unlink($node2->data_dir . '/pg_hba.conf');
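Review bot: The new test block (the `{ ... }` after `test_fdw_auth_with_invalid_overwritten_require_auth`) asserts only the negative outcome, so it cannot tell the user-mapping override taking effect apart from `$fdw_server3` never having worked at all; it is the only server pointed back at `$node1`/`$db1`, and whether `setup_fdw_server` enables `use_scram_passthrough` at the server level is not visible in this hunk. Run the same dblink query once before the `ALTER USER MAPPING` and pin the baseline: `my ($ret0, undef, $stderr0) = $node1->psql($db0, "select * from dblink('$fdw_server3', 'select * from t') as t(a int, b int)", connstr => $connstr);` followed by `is($ret0, 0, "SCRAM passthrough enabled on server works before user mapping override: $stderr0");`. The failure check `qr/password/i` is broad enough to match an unrelated authentication or connection-string error, so if the expected server message is known, anchor the pattern on that specific text rather than the single word. `$stdout` in the destructuring is unused and could be dropped with `undef` as in the baseline line.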
The foreign-data wrapper <filename>dblink_fdw</filename> has an additional
Boolean option <literal>use_scram_passthrough</literal> that controls
whether <filename>dblink</filename> will use the SCRAM pass-through
- authentication to connect to the remote database. With SCRAM pass-through
- authentication, <filename>dblink</filename> uses SCRAM-hashed secrets
- instead of plain-text user passwords to connect to the remote server. This
- avoids storing plain-text user passwords in PostgreSQL system catalogs.
+ authentication to connect to the remote database. It can be specified
+ for a foreign server or a user mapping. A user mapping setting overrides
+ the foreign server setting. With SCRAM pass-through authentication,
+ <filename>dblink</filename> uses SCRAM-hashed secrets instead of plain-text
+ user passwords to connect to the remote server. This avoids storing
+ plain-text user passwords in PostgreSQL system catalogs.
See the documentation of the equivalent <link
linkend="postgres-fdw-option-use-scram-passthrough"><literal>use_scram_passthrough</literal></link>
option of postgres_fdw for further details and restrictions.