Re: Successor of MD5 authentication, let's use SCRAM

From: Stephen Frost <sfrost(at)snowman(dot)net>
To: Marko Kreen <markokr(at)gmail(dot)com>
Cc: Simon Riggs <simon(at)2ndquadrant(dot)com>, Heikki Linnakangas <hlinnakangas(at)vmware(dot)com>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Successor of MD5 authentication, let's use SCRAM
Date: 2012-10-12 19:47:12
Message-ID: 20121012194712.GS29165@tamriel.snowman.net
Lists: pgsql-hackers

* Marko Kreen (markokr(at)gmail(dot)com) wrote:
> As it works only on connect
> time, it can actually be secure, unlike user switching
> with SET ROLE.

I'm guessing your issue with SET ROLE is that a RESET ROLE can be issued
later..? If so, I'd suggest that we look at fixing that, but realize it
could break poolers. For that matter, I'm not sure how the proposal to
allow connections to be authenticated as one user but authorized as
another (which we actually already support in some cases, eg: peer)
*wouldn't* break poolers, unless you're suggesting they either use a
separate connection for every user, or reconnect every time, both of
which strike me as defeating a great deal of the point of having a
pooler in the first place...

Thanks,

Stephen
