Re: Andrew Dunstan 2019-11-01 <f941b95e-27ad-cb5c-2495-13c44f90b1bc@2ndQuadrant.com>
> {"password_required", UserMappingRelationId, false},
> + /*
> + * Extra room for the user mapping copies of sslcert and sslkey. These
> + * are really libpq options but we repeat them here to allow them to
> + * appear in both foreign server context (when we generate libpq
> + * options) and user mapping context (from here). Bit of a hack
> + * putting this in "non_libpq_options".
> + */
> + {"sslcert", UserMappingRelationId, true},
> + {"sslkey", UserMappingRelationId, true},
Nice feature, we were actually looking for exactly this yesterday.
I have some concerns about security, though. It's true that the
sslcert/sslkey options can only be set/modified by superusers when
"password_required" is set. But when password_required is not set, any
user and create user mappings that reference arbitrary files on the
server filesystem. I believe the options are still used in that case
for creating connections, even when that means the remote server isn't
set up for cert auth, which needs password_required=false to succeed.
In short, I believe these options need explicit superuser checks.
Christoph