[GENERAL] Feature request dblink: Security issue - dblink user+password parameters must be optional

2009-01-28 Thread Hermann Muster
When creating a view via DBLINK, the user=... and password=...
parameters shall be optional. If they are left out, then the current
user accessing the view shall be impersonated implicitly to the
dblinked database as well. Forcing anybody to hardcode a password
readable within the view definition should be an absolute DON'T!


Haven't found a better place to post this request. Hope the author of 
dblink is reading it here, too. :-)


--
Sent via pgsql-general mailing list (pgsql-general@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general


Re: [GENERAL] Feature request dblink: Security issue - dblink user+password parameters must be optional

2009-01-28 Thread Marko Kreen
On 1/28/09, Hermann Muster hermann.mus...@gmx.de wrote:
> When creating a view via DBLINK, the user=... and password=... parameters
> shall be optional. If they are left out, then the current user accessing the
> view shall be impersonated implicitly to the dblinked database as well.
> Forcing anybody to hardcode a password readable within the view definition
> should be an absolute DON'T!
>
> Haven't found a better place to post this request. Hope the author of
> dblink is reading it here, too. :-)

I think this will be properly fixed by SQL-MED connection handling in 8.4.

In older versions, maybe you can use a wrapper function around dblink
that constructs a per-user connect string.

-- 
marko
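
One way to build the per-user wrapper suggested above, as an added example that is not part of the original thread or of dblink itself. The schema `linkcfg`, its table, type and functions, the role `app_users`, the remote host, database and `customers` table are all hypothetical, and dblink's functions are assumed to be installed in schema `public`.

```sql
-- Added example; all object names and the connection target are constructed.
CREATE SCHEMA linkcfg;

-- One row per local login role; readable only by the owner.
CREATE TABLE linkcfg.remote_credentials (
    local_user      name PRIMARY KEY,
    remote_user     text NOT NULL,
    remote_password text NOT NULL
);
REVOKE ALL ON linkcfg.remote_credentials FROM PUBLIC;

-- Quote a value for a libpq connection string: wrap it in single quotes
-- and backslash-escape embedded backslashes and single quotes.
CREATE FUNCTION linkcfg.conninfo_quote(text) RETURNS text AS $$
    SELECT '''' || replace(replace($1, E'\\', E'\\\\'), '''', E'\\''') || '''';
$$ LANGUAGE sql IMMUTABLE;

CREATE TYPE linkcfg.remote_customer AS (id int, name text);

CREATE FUNCTION linkcfg.remote_customers()
RETURNS SETOF linkcfg.remote_customer AS $$
DECLARE
    cred    linkcfg.remote_credentials%ROWTYPE;
    connstr text;
BEGIN
    -- session_user is the login role; current_user would be the function
    -- owner here because of SECURITY DEFINER.
    SELECT * INTO cred FROM linkcfg.remote_credentials
     WHERE local_user = session_user;
    IF NOT FOUND THEN
        RAISE EXCEPTION 'no remote credentials mapped for %', session_user;
    END IF;
    connstr := 'host=remote.example dbname=sales'
            || ' user='     || linkcfg.conninfo_quote(cred.remote_user)
            || ' password=' || linkcfg.conninfo_quote(cred.remote_password);
    -- Passing a connection string (not a connection name) opens a
    -- connection for this call only.
    RETURN QUERY
        SELECT t.id, t.name
          FROM public.dblink(connstr, 'SELECT id, name FROM customers')
               AS t(id int, name text);
END;
$$ LANGUAGE plpgsql SECURITY DEFINER
   SET search_path = pg_catalog, pg_temp;

REVOKE ALL ON FUNCTION linkcfg.remote_customers() FROM PUBLIC;
GRANT EXECUTE ON FUNCTION linkcfg.remote_customers() TO app_users;
-- The view definition now carries no user name or password.
CREATE VIEW public.customers_remote AS SELECT * FROM linkcfg.remote_customers();
```

The passwords are still stored in the local database, but in a table only the function owner can read rather than in a view definition visible to every user of the view.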
