Re: GRANT USAGE on FOREIGN SERVER exposes passwords
From | Jim Nasby |
---|---|
Subject | Re: GRANT USAGE on FOREIGN SERVER exposes passwords |
Date | |
Msg-id | 54DAF595.1080100@BlueTreble.com |
In reply to | Re: GRANT USAGE on FOREIGN SERVER exposes passwords (Tom Lane <tgl@sss.pgh.pa.us>) |
Responses | Re: GRANT USAGE on FOREIGN SERVER exposes passwords |
List | pgsql-hackers |
On 2/5/15 10:48 AM, Tom Lane wrote:
> Stephen Frost <sfrost@snowman.net> writes:
>> * Robert Haas (robertmhaas@gmail.com) wrote:
>>> On Thu, Feb 5, 2015 at 10:48 AM, Stephen Frost <sfrost@snowman.net> wrote:
>>>> And I thought this was about FDW options and not about dblink, really..
>>> The OP is pretty clearly asking about dblink.
>> I was just pointing out that it was an issue that all FDWs suffer from,
>> since we don't have any way for an FDW to say "don't show this option",
>> as discussed.
> The dblink example is entirely uncompelling, given that as you said
> somebody with access to a dblink connection could execute ALTER USER on
> the far end.

Actually, you can eliminate that by not granting direct access to dblink functions. Instead you create a SECURITY DEFINER function that sanity checks the SQL you're trying to run and rejects things like ALTER USER. While you're doing that, you can also lock away the connection information.

A former coworker actually built a system that does this, at least to a limited degree.

--
Jim Nasby, Data Architect, Blue Treble Consulting
Data in Trouble? Get it in Treble! http://BlueTreble.com
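One way to build the wrapper described in the message above, as an added example that is not from the thread or from the coworker's system. It is stricter than rejecting ALTER USER alone: it accepts only a single SELECT. The names dblink_private, conninfo, remote_query and app_role are hypothetical, and the script is assumed to be run by a superuser who will own the wrapper.

```sql
-- Added example. Hypothetical names: dblink_private, conninfo, remote_query, app_role.

-- 1. Nobody gets direct access to dblink: the extension lives in a schema
--    on which PUBLIC has no USAGE (a new schema grants nothing to PUBLIC).
CREATE SCHEMA dblink_private;
CREATE EXTENSION dblink SCHEMA dblink_private;

-- 2. Lock away the connection information in the same private schema.
CREATE TABLE dblink_private.conninfo (
    name    text PRIMARY KEY,
    connstr text NOT NULL          -- may contain the remote password
);

-- 3. The only entry point: a SECURITY DEFINER wrapper that vets the SQL.
CREATE FUNCTION public.remote_query(p_conn text, p_sql text)
RETURNS SETOF json
LANGUAGE plpgsql
SECURITY DEFINER
SET search_path = dblink_private, pg_temp   -- pin name resolution
AS $$
DECLARE
    v_connstr text;
BEGIN
    -- One statement only, so nothing can be appended after the SELECT.
    IF strpos(p_sql, ';') > 0 THEN
        RAISE EXCEPTION 'remote_query: multiple statements are not allowed';
    END IF;
    -- Must start with SELECT; ALTER USER, DDL, COPY etc. are rejected here.
    IF p_sql !~* '^\s*select\M' THEN
        RAISE EXCEPTION 'remote_query: only SELECT is allowed';
    END IF;
    SELECT c.connstr INTO v_connstr FROM conninfo c WHERE c.name = p_conn;
    IF NOT FOUND THEN
        RAISE EXCEPTION 'remote_query: unknown connection "%"', p_conn;
    END IF;
    -- Running the text as a subquery makes the remote parser enforce the
    -- same rule: anything that is not a plain SELECT is a syntax error.
    RETURN QUERY
        SELECT t.r
        FROM dblink(v_connstr,
                    format('SELECT row_to_json(q) FROM (%s) AS q', p_sql))
             AS t(r json);
END;
$$;

-- 4. Functions are executable by PUBLIC by default, so narrow that down.
REVOKE ALL ON FUNCTION public.remote_query(text, text) FROM PUBLIC;
GRANT EXECUTE ON FUNCTION public.remote_query(text, text) TO app_role;
```

The check restricts the statement type only; a SELECT can still call functions on the far end, so the remote role named in `connstr` should itself hold minimal privileges.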