Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1paH0p-0001D3-QD for pgsql-hackers@arkaria.postgresql.org; Thu, 09 Mar 2023 14:12:55 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.92) (envelope-from ) id 1paH0o-0002BC-MC for pgsql-hackers@arkaria.postgresql.org; Thu, 09 Mar 2023 14:12:54 +0000 Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29]) by malur.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1paH0o-00027z-CO for pgsql-hackers@lists.postgresql.org; Thu, 09 Mar 2023 14:12:54 +0000 Received: from mail-lj1-x22d.google.com ([2a00:1450:4864:20::22d]) by magus.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.92) (envelope-from ) id 1paH0k-0002qr-AI for pgsql-hackers@postgresql.org; Thu, 09 Mar 2023 14:12:54 +0000 Received: by mail-lj1-x22d.google.com with SMTP id i20so1947825lja.11 for ; Thu, 09 Mar 2023 06:12:50 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; t=1678371169; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=mkboEEuSPCXHdeVGzYuVqFsEF8IPiqZD8MRp1k2cCvA=; b=dSqKYZi+r770FW26Ke+Oxf+7wkjmP6cV4Oy+yUo4Iztx9YMziKt3A0YdmiJr+L46p2 Mc4MBsD2duGsXaBNWFbdon1xpSmPSG9kYKnza1fRjwKWamOQL1LoJRvTD4d6vthhITWu cUwIOGuXed4lI6xVtVgfmi9hm1rvDYnk9RFPUO346ySLkI6kW1gX9fWkyV7n3LoP87Ie Iz7nd4eO9EgA3uDoeR9ZGgWrms4G/wq9NS1ebLFNlheTd+0aY+JCiORfIJGA4DYN0CDS SDBEmNXSmjOh0HcFXw7haOkYhTY8Ofa50/AVwwF6OctzH9GhMor2ffmP1jITB5ifAPeh N0Dg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; t=1678371169; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=mkboEEuSPCXHdeVGzYuVqFsEF8IPiqZD8MRp1k2cCvA=; b=Fu6LM08mE1JYSLrZ+DPTyKOMYgIrNW1PJeYBZmubtRh9lTFvMYyCYDYx+H3DXiaXxt 9u1Foue7ERDtBiFWelvmiHjp+/ItgiCM9XWPr4qkaCBjSL/Qh0HDt5ft18ROTCZOlh07 d9Wn7uhEhohlsvISbdTnHMq/HSmbUQ85OtEea2ijsMIW6PwfjJwCmQ3N+N2/scNPqpWx SFs7mfGSxWI9A9JS2n16Jx6M6uEj41o590597h0/bt/94gZcPfvST2Eh1qaJSdkx1Na8 wbcoiFPjspU+SjZd6Fb+Dx8di+z0fqN+nqtQUOPCYOHtocLZIVMXYysopydgLUmlJz3I /Gtg== X-Gm-Message-State: AO0yUKXBeDgpa9JvtptS5xAHVZ56790fUQlIskSWKUFPcH/iRCBaO+pp nnRHFWfnd6wiC8cvfsidEoeQNys5CxpLH/Sq8Sk= X-Google-Smtp-Source: AK7set818ma/qoq2gILbkI96qw9TBiK7R3nl/JDB5vxM+t2o/5CbENwYHGHwymGHvnvwVjTBSyjZFr50JFK93vDa3vw= X-Received: by 2002:a2e:a4a7:0:b0:296:d4da:16ac with SMTP id g7-20020a2ea4a7000000b00296d4da16acmr6808042ljm.10.1678371169330; Thu, 09 Mar 2023 06:12:49 -0800 (PST) MIME-Version: 1.0 References: <66f55a6b9ff7bdd6bfd0d05e8fd8351690e69e23.camel@j-davis.com> <6ef7d0b0-3255-68c3-73b2-e6023b241222@timescale.com> <0768cedb-695a-8841-5f8b-da2aa64c8f3a@timescale.com> In-Reply-To: From: Robert Haas Date: Thu, 9 Mar 2023 09:12:37 -0500 Message-ID: Subject: Re: postgres_fdw, dblink, and CREATE SUBSCRIPTION security To: Jacob Champion Cc: Andres Freund , Mark Dilger , Jeff Davis , Amit Kapila , Andrew Dunstan , PostgreSQL-development Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk On Wed, Mar 8, 2023 at 5:44=E2=80=AFPM Jacob Champion wrote: > > On Wed, Mar 8, 2023 at 11:40=E2=80=AFAM Robert Haas wrote: > > On Wed, Mar 8, 2023 at 2:30=E2=80=AFPM Jacob Champion wrote: > > > I don't think I necessarily like that option better than SASL-style, > > > but hopefully that clarifies it somewhat? > > > > Hmm, yeah, I guess that's OK. > > Okay, cool. > > > I still don't love it, though. It feels > > more solid to me if the proxy can actually block the connections > > before they even happen, without having to rely on a server > > interaction to figure out what is permissible. > > Sure. I don't see a way for the proxy to figure that out by itself, > though, going back to my asymmetry argument from before. Only the > server truly knows, at time of HBA processing, whether the proxy > itself has authority. If the proxy knew, it wouldn't be confused. > > > I don't know what you mean by SASL-style, exactly. > > That's the one where the server explicitly names all forms of > authentication, including the ambient ones (ANONYMOUS, EXTERNAL, > etc.), and requires the client to choose one before running any > actions on their behalf. That lets the require_auth machinery work for > this case, too. > > --Jacob --=20 Robert Haas EDB: http://www.enterprisedb.com