Received: from malur.postgresql.org ([217.196.149.56])
	by arkaria.postgresql.org with esmtps
 (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256)
	(Exim 4.92)
	(envelope-from <pgsql-pkg-yum-owner+archive@lists.postgresql.org>)
	id 1jbQj0-0000Af-Gc
	for pgsql-pkg-yum@arkaria.postgresql.org; Wed, 20 May 2020 15:33:42 +0000
Received: from localhost ([127.0.0.1] helo=malur.postgresql.org)
	by malur.postgresql.org with esmtp (Exim 4.92)
	(envelope-from <pgsql-pkg-yum-owner+archive@lists.postgresql.org>)
	id 1jbQiy-00049u-Pj
	for pgsql-pkg-yum@arkaria.postgresql.org; Wed, 20 May 2020 15:33:40 +0000
Received: from makus.postgresql.org ([2001:4800:3e1:1::229])
	by malur.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256)
	(Exim 4.92)
	(envelope-from <sfrost@tamriel.snowman.net>)
	id 1jbQiy-00049n-KR
	for pgsql-pkg-yum@lists.postgresql.org; Wed, 20 May 2020 15:33:40 +0000
Received: from tamriel.snowman.net ([96.255.250.162])
	by makus.postgresql.org with esmtp (Exim 4.92)
	(envelope-from <sfrost@tamriel.snowman.net>)
	id 1jbQiw-0004XT-3s
	for pgsql-pkg-yum@postgresql.org; Wed, 20 May 2020 15:33:39 +0000
Received: by tamriel.snowman.net (Postfix, from userid 1000)
	id 473B65F79E; Wed, 20 May 2020 11:33:37 -0400 (EDT)
Date: Wed, 20 May 2020 11:33:37 -0400
From: Stephen Frost <sfrost@snowman.net>
To: Peter Eisentraut <peter.eisentraut@2ndquadrant.com>
Cc: Christoph Berg <myon@debian.org>,
	Devrim =?iso-8859-1?B?R/xuZPx6?= <devrim@gunduz.org>,
	Craig Ringer <craig@2ndquadrant.com>,
	pgsql-pkg-yum <pgsql-pkg-yum@postgresql.org>
Subject: Re: Can we stop defaulting to 'ident'?
Message-ID: <20200520153337.GE3418@tamriel.snowman.net>
References: 
 <CAMsr+YFCuBGWh4=aM-K2LCsBEwcrqm=pphKKHEH09vHwXcspow@mail.gmail.com>
 <7761d006b5ace13a4d86ce489123e5004aaf8b6c.camel@gunduz.org>
 <20200519212710.GQ13712@tamriel.snowman.net>
 <6089d4c8e262dd6fe8a6510c283e674543a24b5c.camel@gunduz.org>
 <3869d8c9-c212-8d73-52f4-13b03abe4813@2ndquadrant.com>
 <20200520134035.GD296739@msg.df7cb.de>
 <3a7d55ed-6abb-2005-23d7-8411bb9f5651@2ndquadrant.com>
 <20200520145752.GD3418@tamriel.snowman.net>
 <32b7fe66-f0e6-42e5-3c95-7d123e7d7f6d@2ndquadrant.com>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha512;
	protocol="application/pgp-signature"; boundary="BZaMRJmqxGScZ8Mx"
Content-Disposition: inline
In-Reply-To: <32b7fe66-f0e6-42e5-3c95-7d123e7d7f6d@2ndquadrant.com>
User-Agent: Mutt/1.5.24 (2015-08-30)
List-Id: <pgsql-pkg-yum.lists.postgresql.org>
List-Help: <https://lists.postgresql.org/manage/>
List-Subscribe: <https://lists.postgresql.org/manage/>
List-Post: <mailto:pgsql-pkg-yum@lists.postgresql.org>
List-Owner: <mailto:pgsql-pkg-yum-owner@lists.postgresql.org>
List-Archive: <https://www.postgresql.org/list/pgsql-pkg-yum>
Precedence: bulk


--BZaMRJmqxGScZ8Mx
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Greetings,

* Peter Eisentraut (peter.eisentraut@2ndquadrant.com) wrote:
> On 2020-05-20 16:57, Stephen Frost wrote:
> >* Peter Eisentraut (peter.eisentraut@2ndquadrant.com) wrote:
> >>Sorry, I should have been more clear.  The upstream default of the GUC
> >>parameter "password_encryption" is md5.
> >
> >Which, really, is pretty broken when we're going to be having our
> >packagers setting up pg_hba.conf to use scram- at the *very* least it's
> >ridiculously misleading because we're going to have SCRAM in pg_hba.conf
> >but passwords actually stored as md5 and therefore we won't be getting
> >the benefits from SCRAM auth (though it should still work, of course,
> >since the SCRAM mode will fall back to working with an md5 password).
>=20
> Devrim's commit to pgrpms did include a change to the default setting of
> password_encryption, so it appears to be correct as far as it goes.

That's good- we'd want that to be done on the Debian packages too then,
though ideally we'd get the source default to be changed.

> But this leads to other questions, like, what should pg_upgrade do?

Same as it always has- make the user deal with anything they need to
regarding postgresql.conf?  Why would anything change with pg_upgrade?
Even if the user doesn't change anything, everything would still work-
existing passwords with md5 would work with scram set in
password_encryption and scram in pg_hba.conf, and they'd be nicely
automatically upgraded when they change their password if they use a
password-change mechanism that works with SCRAM (and if they use one
that sets md5 passwords, that'd still work too).  Yes, there's some
small potential risk that they change their password using psql's
\password and they have some client library that doesn't work with scram
yet using the same account and they'll have failed logins after running
\password, but that's certainly possible from just typo'ing the password
or something else and hopefully they'll be able to remedy that pretty
quickly.

Obviously the same goes for pg_hba.conf- pg_upgrade doesn't do anything
for that either, so users have to adjust it or copy over their old one
to the new cluster.  Basically, users are likely pretty used to dealing
with having to fix up their configs as part of putting together a new
cluster before or after pg_upgrade on distributions that don't have
tooling around this.

And that's part of it- all of this depends entirely on what distribution
is being used and what tools are being used to do the upgrade anyway.
Debian has pg_upgradecluster that already copies over and updates things
in the postgresql.conf, so on Debian, I expect that we'll see that part
of such an upgrade might check pg_hba.conf for 'md5' entries and if it
finds any, setting password_encryption to 'md5' for those upgraded
clusters if it's not already set to something else in postgresql.conf,
to ensure there isn't any issue on those upgrades.  Maybe it could be
more intelligent and notify the user that they're getting upgraded to
SCRAM and adjust pg_hba.conf to change md5 -> scram and leave
postgresql.conf alone, but ultimately that's probably going to be up to
what Christoph is comfortable with.

Unfortunately, I don't think any of that has made it over to RHEL yet
though.

Maybe we could talk about changing pg_upgrade to actually do something
about postgresql.conf, so that we can have commonality across
distributions, but that's certainly a different discussion.

> These discussions should be had, but perhaps not on the RPM packaging list
> the night before the release.

For my 2c, I don't think it'd be the worst thing to change a default
setting post beta1, so while I agree we should discuss this over on
-hackers, I don't think it's particularly pressing.  Might be
interesting to see what happens with the beta1 release with Devrim's
changes (and ideally similar in Debian), in fact, to see if we actually
get any complaints or push-back from it.

Thanks,

Stephen

--BZaMRJmqxGScZ8Mx
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJexU3QAAoJEO1sijiDR2RVj9wP/3/Xejo/DHwlkmJT70c339aK
fpn++jDEisRgTCwM6sO3I/jswl1KCymgQqCSeGQsjIlFi/Jnjk384rud9j/HB2bJ
TqaLp+uWYzL6w+6bk7bmYBKbqTMGOdPicpZcRqJQVTs0OdizoJIvjYPFlDR9MTYP
ONpkRwh8S7jdam7CjmdMF4D0AXua3qom/NgPbmMM2VlJCtRJcet/Tf9FgWwbwt0r
r2nSdG5NywCqXVdkDFGqepl2CwGc7j7khGwzDJULg4OZRe79LIeKccK7EiQjgvn8
FEdoobs0lz1Udjxh8xwWCkxnUZfMZLVxo2vTpyN18YVZy6JJqIo3zeqAIVt5k31n
50xb3WC7QDcR+CgOl5m8DzIGylPHTyZ64yY2FeRk8AMFGPhx3s6nmfelCm90HzRT
TR8gTROkFVTd8ay6QkZTNbgvZ9wX8LS/mYCSt+UDxAbY0CiH1ujrT330dSwD8osy
STOrjaD8A6lbbZd8fYd7hnZWLpzQM51SNybnCdLQGww5dzO+BU7gw6Cnxx3+zgR3
yFBAo6x2styVSXDKqsw/KIR+XKFosMtmy0J0lXnbDJXwRxVBGoyZFsiwniSC7bO5
O8+aIaNPogtoqfPGHaR4+3HlmWUT1/Drh3kNksncAq+nwn6RXPprze7LEBmTAfun
Eoa4dSmrBInq1KdJzOrD
=6P3a
-----END PGP SIGNATURE-----

--BZaMRJmqxGScZ8Mx--