Quick Links

Re: RFC: Non-user-resettable SET SESSION AUTHORISATION

From:	Robert Haas <robertmhaas(at)gmail(dot)com>
To:	Jim Nasby <Jim(dot)Nasby(at)bluetreble(dot)com>
Cc:	Alvaro Herrera <alvherre(at)2ndquadrant(dot)com>, Marko Tiikkaja <marko(at)joh(dot)to>, Simon Riggs <simon(at)2ndquadrant(dot)com>, Bruce Momjian <bruce(at)momjian(dot)us>, José Luis Tallón <jltallon(at)adv-solutions(dot)net>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org>, Craig Ringer <craig(at)2ndquadrant(dot)com>, Stephen Frost <sfrost(at)snowman(dot)net>
Subject:	Re: RFC: Non-user-resettable SET SESSION AUTHORISATION
Date:	2015-05-21 02:38:17
Message-ID:	CA+TgmobCJXu2h-gi_P4yaL7SZLQfvDWp68o5Q0Rndj=S7SG--A@mail.gmail.com
Views:	Raw Message \| Whole Thread \| Download mbox \| Resend email
Thread:
Lists:	pgsql-hackers

On Wed, May 20, 2015 at 8:22 PM, Jim Nasby <Jim(dot)Nasby(at)bluetreble(dot)com> wrote:
>> It might be a good idea to do something like this, but it's
>> significantly more complicated than a protocol-level SET SESSION
>> AUTHORIZATION. Right now, you can never go backwards from an
>> authenticated state to an unauthenticated state, and there may be code
>> in the backend that relies on that in subtle ways. The initial
>> bootstrap sequence is pretty complicated, and I'm pretty sure that any
>> naive attempt to redo that stuff is going to have unpleasant, probably
>> security-relevant bugs.
>
> What about the middle-ground of not doing de-auth right now? That eliminates
> your concerns but still allows getting rid of ugly things like copies of the
> password file (FWIW, my understanding is pgBouncer was meant more to run on
> the database server where you'd just point it at the native password file).

Uh, I don't have a clue what you mean when you say "the middle ground
of not doing de-auth right now".

--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company

In response to

Re: RFC: Non-user-resettable SET SESSION AUTHORISATION at 2015-05-21 00:22:04 from Jim Nasby

Responses

Re: RFC: Non-user-resettable SET SESSION AUTHORISATION at 2015-05-22 18:11:42 from Jim Nasby

Browse pgsql-hackers by date

	From	Date	Subject
Next Message	Peter Geoghegan	2015-05-21 02:42:58	Re: Re: [COMMITTERS] pgsql: Add support for INSERT ... ON CONFLICT DO NOTHING/UPDATE.
Previous Message	Robert Haas	2015-05-21 02:36:05	Re: Disabling trust/ident authentication configure option