Re: Allow 'sslkey' and 'sslcert' in postgres_fdw user mappings

Re: Andrew Dunstan 2019-11-01 <f941b95e-27ad-cb5c-2495-13c44f90b1bc@2ndQuadrant.com>
>          {"password_required", UserMappingRelationId, false},
> +        /*
> +         * Extra room for the user mapping copies of sslcert and sslkey. These
> +         * are really libpq options but we repeat them here to allow them to
> +         * appear in both foreign server context (when we generate libpq
> +         * options) and user mapping context (from here). Bit of a hack
> +         * putting this in "non_libpq_options".
> +         */
> +        {"sslcert", UserMappingRelationId, true},
> +        {"sslkey", UserMappingRelationId, true},

Nice feature, we were actually looking for exactly this yesterday.

I have some concerns about security, though. It's true that the
sslcert/sslkey options can only be set/modified by superusers when
"password_required" is set. But when password_required is not set, any
user and create user mappings that reference arbitrary files on the
server filesystem. I believe the options are still used in that case
for creating connections, even when that means the remote server isn't
set up for cert auth, which needs password_required=false to succeed.

In short, I believe these options need explicit superuser checks.

Christoph