On Sun, Feb 19, 2017 at 2:01 AM, Michael Paquier <michael.paqu...@gmail.com>
wrote:

> On Sun, Feb 19, 2017 at 9:50 AM, Michael Paquier
> <michael.paqu...@gmail.com> wrote:
> > I have been poking at it, and yeah... I missed the fact that
> > pg_subcription is not a view. I thought that check_conninfo was being
> > called in this context only..
>
> Still, storing plain passwords in system catalogs is a practice that
> should be discouraged as base backup data can go over a network as
> well... At least adding a note or a warning in the documentation would
> be nice about the fact that any kind of security-sensitive data should
> be avoided here.
>
>
Isn't that moving the goalposts quite a bit? We already allow passwords in
CREATE USER MAPPING without any warnings against it (in fact, we suggest
that's what you should do), which is a similar situation. Same goes for
dblink.

If password auth is used, we have to store the password in plaintext
equivalent somewhere. Meaning it's by definition going to be exposed to
superusers and replication downstreams. Or are you suggesting a scheme
whereby you have to enter all your subscription passwords in a prompt of
some kind when starting the postmaster, to avoid it?


-- 
 Magnus Hagander
 Me: http://www.hagander.net/
 Work: http://www.redpill-linpro.com/

Reply via email to