From 761c79508e7fbc33c1b11754bdde4bd03ce9cbb3 Mon Sep 17 00:00:00 2001 From: Peter Eisentraut Date: Wed, 15 Jan 2025 17:55:18 +0100 Subject: postgres_fdw: SCRAM authentication pass-through This enables SCRAM authentication for postgres_fdw when connecting to a foreign server without having to store a plain-text password on user mapping options. This is done by saving the SCRAM ClientKey and ServerKey from the client authentication and using those instead of the plain-text password for the server-side SCRAM exchange. The new foreign-server or user-mapping option "use_scram_passthrough" enables this. Co-authored-by: Matheus Alcantara Co-authored-by: Peter Eisentraut Discussion: https://www.postgresql.org/message-id/flat/27b29a35-9b96-46a9-bc1a-914140869dac@gmail.com --- doc/src/sgml/postgres-fdw.sgml | 72 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 72 insertions(+) (limited to 'doc/src/sgml/postgres-fdw.sgml') diff --git a/doc/src/sgml/postgres-fdw.sgml b/doc/src/sgml/postgres-fdw.sgml index 188e8f0b4d0..d2998c13d5d 100644 --- a/doc/src/sgml/postgres-fdw.sgml +++ b/doc/src/sgml/postgres-fdw.sgml 
@@ -770,6 +770,78 @@ OPTIONS (ADD password_required 'false'); + + use_scram_passthrough (boolean) + + + This option controls whether postgres_fdw will + use the SCRAM pass-through authentication to connect to the foreign + server. With SCRAM pass-through authentication, + postgres_fdw uses SCRAM-hashed secrets instead of + plain-text user passwords to connect to the remote server. This + avoids storing plain-text user passwords in PostgreSQL system + catalogs. + + + + To use SCRAM pass-through authentication: + + + + The remote server must request SCRAM authentication. (If desired, + enforce this on the client side (FDW side) with the option + require_auth.) If another authentication method + is requested by the server, then that one will be used normally. + + + + + + The remote server can be of any PostgreSQL version that supports + SCRAM. Support for use_scram_passthrough is + only required on the client side (FDW side). + + + + + + The user mapping password is not used. (It could be set to support + other authentication methods, but that would arguably violate the + point of this feature, which is to avoid storing plain-text + passwords.) + + + + + + The server running postgres_fdw and the remote + server must have identical SCRAM secrets (encrypted passwords) for + the user being used on postgres_fdw to + authenticate on the foreign server (same salt and iterations, not + merely the same password). + + + + As a corollary, if FDW connections to multiple hosts are to be + made, for example for partitioned foreign tables/sharding, then all + hosts must have identical SCRAM secrets for the users involved. + + + + + + The current session on the PostgreSQL instance that makes the + outgoing FDW connections also must also use SCRAM authentication + for its incoming client connection. (Hence + pass-through: SCRAM must be used going in and out.) + This is a technical requirement of the SCRAM protocol. + + + + + + + -- cgit v1.2.3
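Review bot: the first list item of the new use_scram_passthrough section makes the downgrade risk sound optional ("If desired, enforce this on the client side (FDW side) with the option require_auth"), while the next sentence states that "if another authentication method is requested by the server, then that one will be used normally"; read together, a foreign server (or anything impersonating it) that asks for password or md5 authentication silently falls back to whatever the user mapping supplies, so the pass-through guarantee is only as strong as that fallback. Suggest recommending require_auth 'scram-sha-256' on the foreign server or user mapping in plain terms rather than as an aside, and noting that without it the option is a preference, not a policy. Minor: in the last list item, "also must also use SCRAM authentication" repeats "also"; drop one. The parenthetical "(encrypted passwords)" in the fourth item follows the existing password_encryption wording, but "SCRAM secrets (verifiers)" would be more precise, since the stored value is a salted, iterated verifier rather than an encryption of the password.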