Allow superuser to grant passwordless connection rights on postgres_fdw

This patch allows the superuser to grant passwordless connection rights
in postgres_fdw user mappings.

The patch is authored by my colleague Craig Ringer, with slight bitrot
fixed by me.

One use case for this is with passphrase-protected client certificates,
a patch for which will follow shortly.

Here are Craig's remarks on the patch:

  
    postgres_fdw denies a non-superuser the ability to establish a
connection that
    doesn't have a password in the connection string, or one that fails
to actually
    use the password in authentication. This is to stop the unprivileged
user using
    OS-level authentication as the postgres server (peer, ident, trust).
It also
    stops unauthorized use of local credentials like .pgpass, a service
file,
    client certificate files, etc.
   
    Add the ability for a superuser to create user mappings that
override this
    behaviour by setting the passwordless_ok attribute to true in a user
mapping
    for a non-superuser. The non-superuser gains the ability to use the
FDW the
    mapping applies to even if there's no password in their mapping or
in the
    connection string.
   
    This is only safe if the superuser has established that the local
server is
    configured safely. It must be configured not to allow
    trust/peer/ident/sspi/gssapi auth to allow the OS user the postgres
server runs
    as to log in to postgres as a superuser. Client certificate keys can
be used
    too, if accessible. But the superuser can already GRANT superrole TO
    normalrole, so it's not any sort of new power.
   

cheers

andrew

--
Andrew Dunstan https://www.2ndQuadrant.com
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services