Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

Commitbabe05b

Browse files
committed
Turn password_encryption GUC into an enum.
This makes the parameter easier to extend, to support other password-basedauthentication protocols than MD5. (SCRAM is being worked on.)The GUC still accepts on/off as aliases for "md5" and "plain", althoughwe may want to remove those once we actually add support for anotherpassword hash type.Michael Paquier, reviewed by David Steele, with some further edits by me.Discussion: <CAB7nPqSMXU35g=W9X74HVeQp0uvgJxvYOuA4A-A3M+0wfEBv-w@mail.gmail.com>
1 parent72daabc commitbabe05b

File tree

5 files changed

+62
-34
lines changed

5 files changed

+62
-34
lines changed

‎doc/src/sgml/config.sgml

Lines changed: 9 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -1163,21 +1163,22 @@ include_dir 'conf.d'
11631163
</varlistentry>
11641164

11651165
<varlistentry id="guc-password-encryption" xreflabel="password_encryption">
1166-
<term><varname>password_encryption</varname> (<type>boolean</type>)
1166+
<term><varname>password_encryption</varname> (<type>enum</type>)
11671167
<indexterm>
11681168
<primary><varname>password_encryption</> configuration parameter</primary>
11691169
</indexterm>
11701170
</term>
11711171
<listitem>
11721172
<para>
1173-
When a password is specified in <xref
1174-
linkend="sql-createuser">or
1175-
<xref linkend="sql-alterrole">
1176-
without writing either<literal>ENCRYPTED</> or
1177-
<literal>UNENCRYPTED</>, this parameter determines whether the
1178-
password is to be encrypted. The default is<literal>on</>
1179-
(encrypt the password).
1173+
When a password is specified in <xref linkend="sql-createuser"> or
1174+
<xreflinkend="sql-alterrole">without writing either <literal>ENCRYPTED</>
1175+
or <literal>UNENCRYPTED</>, this parameter determines whether the
1176+
password is to be encrypted. The default value is<literal>md5</>, which
1177+
stores the password as an MD5 hash. Setting this to<literal>plain</> stores
1178+
it in plaintext. <literal>on</> and<literal>off</> are also accepted, as
1179+
aliases for <literal>md5</> and <literal>plain</>, respectively.
11801180
</para>
1181+
11811182
</listitem>
11821183
</varlistentry>
11831184

‎src/backend/commands/user.c

Lines changed: 9 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -44,7 +44,7 @@ Oidbinary_upgrade_next_pg_authid_oid = InvalidOid;
4444

4545

4646
/* GUC parameter */
47-
externboolPassword_encryption;
47+
intPassword_encryption=PASSWORD_TYPE_MD5;
4848

4949
/* Hook to check passwords in CreateRole() and AlterRole() */
5050
check_password_hook_typecheck_password_hook=NULL;
@@ -80,7 +80,7 @@ CreateRole(ParseState *pstate, CreateRoleStmt *stmt)
8080
ListCell*item;
8181
ListCell*option;
8282
char*password=NULL;/* user password */
83-
boolencrypt_password=Password_encryption;/* encrypt password? */
83+
intpassword_type=Password_encryption;
8484
charencrypted_password[MD5_PASSWD_LEN+1];
8585
boolissuper= false;/* Make the user a superuser? */
8686
boolinherit= true;/* Auto inherit privileges? */
@@ -140,9 +140,9 @@ CreateRole(ParseState *pstate, CreateRoleStmt *stmt)
140140
parser_errposition(pstate,defel->location)));
141141
dpassword=defel;
142142
if (strcmp(defel->defname,"encryptedPassword")==0)
143-
encrypt_password=true;
143+
password_type=PASSWORD_TYPE_MD5;
144144
elseif (strcmp(defel->defname,"unencryptedPassword")==0)
145-
encrypt_password=false;
145+
password_type=PASSWORD_TYPE_PLAINTEXT;
146146
}
147147
elseif (strcmp(defel->defname,"sysid")==0)
148148
{
@@ -393,7 +393,7 @@ CreateRole(ParseState *pstate, CreateRoleStmt *stmt)
393393

394394
if (password)
395395
{
396-
if (!encrypt_password||isMD5(password))
396+
if (password_type==PASSWORD_TYPE_PLAINTEXT||isMD5(password))
397397
new_record[Anum_pg_authid_rolpassword-1]=
398398
CStringGetTextDatum(password);
399399
else
@@ -505,7 +505,7 @@ AlterRole(AlterRoleStmt *stmt)
505505
ListCell*option;
506506
char*rolename=NULL;
507507
char*password=NULL;/* user password */
508-
boolencrypt_password=Password_encryption;/* encrypt password? */
508+
intpassword_type=Password_encryption;
509509
charencrypted_password[MD5_PASSWD_LEN+1];
510510
intissuper=-1;/* Make the user a superuser? */
511511
intinherit=-1;/* Auto inherit privileges? */
@@ -550,9 +550,9 @@ AlterRole(AlterRoleStmt *stmt)
550550
errmsg("conflicting or redundant options")));
551551
dpassword=defel;
552552
if (strcmp(defel->defname,"encryptedPassword")==0)
553-
encrypt_password=true;
553+
password_type=PASSWORD_TYPE_MD5;
554554
elseif (strcmp(defel->defname,"unencryptedPassword")==0)
555-
encrypt_password=false;
555+
password_type=PASSWORD_TYPE_PLAINTEXT;
556556
}
557557
elseif (strcmp(defel->defname,"superuser")==0)
558558
{
@@ -804,7 +804,7 @@ AlterRole(AlterRoleStmt *stmt)
804804
/* password */
805805
if (password)
806806
{
807-
if (!encrypt_password||isMD5(password))
807+
if (password_type==PASSWORD_TYPE_PLAINTEXT||isMD5(password))
808808
new_record[Anum_pg_authid_rolpassword-1]=
809809
CStringGetTextDatum(password);
810810
else

‎src/backend/utils/misc/guc.c

Lines changed: 31 additions & 13 deletions
Original file line numberDiff line numberDiff line change
@@ -34,6 +34,7 @@
3434
#include"catalog/namespace.h"
3535
#include"commands/async.h"
3636
#include"commands/prepare.h"
37+
#include"commands/user.h"
3738
#include"commands/vacuum.h"
3839
#include"commands/variable.h"
3940
#include"commands/trigger.h"
@@ -393,6 +394,24 @@ static const struct config_enum_entry force_parallel_mode_options[] = {
393394
{NULL,0, false}
394395
};
395396

397+
/*
398+
* password_encryption used to be a boolean, so accept all the likely
399+
* variants of "on" and "off", too.
400+
*/
401+
staticconststructconfig_enum_entrypassword_encryption_options[]= {
402+
{"plain",PASSWORD_TYPE_PLAINTEXT, false},
403+
{"md5",PASSWORD_TYPE_MD5, false},
404+
{"off",PASSWORD_TYPE_PLAINTEXT, false},
405+
{"on",PASSWORD_TYPE_MD5, false},
406+
{"true",PASSWORD_TYPE_MD5, true},
407+
{"false",PASSWORD_TYPE_PLAINTEXT, true},
408+
{"yes",PASSWORD_TYPE_MD5, true},
409+
{"no",PASSWORD_TYPE_PLAINTEXT, true},
410+
{"1",PASSWORD_TYPE_MD5, true},
411+
{"0",PASSWORD_TYPE_PLAINTEXT, true},
412+
{NULL,0, false}
413+
};
414+
396415
/*
397416
* Options for enum values stored in other modules
398417
*/
@@ -423,8 +442,6 @@ boolcheck_function_bodies = true;
423442
booldefault_with_oids= false;
424443
boolSQL_inheritance= true;
425444

426-
boolPassword_encryption= true;
427-
428445
intlog_min_error_statement=ERROR;
429446
intlog_min_messages=WARNING;
430447
intclient_min_messages=NOTICE;
@@ -1313,17 +1330,6 @@ static struct config_bool ConfigureNamesBool[] =
13131330
true,
13141331
NULL,NULL,NULL
13151332
},
1316-
{
1317-
{"password_encryption",PGC_USERSET,CONN_AUTH_SECURITY,
1318-
gettext_noop("Encrypt passwords."),
1319-
gettext_noop("When a password is specified in CREATE USER or "
1320-
"ALTER USER without writing either ENCRYPTED or UNENCRYPTED, "
1321-
"this parameter determines whether the password is to be encrypted.")
1322-
},
1323-
&Password_encryption,
1324-
true,
1325-
NULL,NULL,NULL
1326-
},
13271333
{
13281334
{"transform_null_equals",PGC_USERSET,COMPAT_OPTIONS_CLIENT,
13291335
gettext_noop("Treats \"expr=NULL\" as \"expr IS NULL\"."),
@@ -3810,6 +3816,18 @@ static struct config_enum ConfigureNamesEnum[] =
38103816
NULL,NULL,NULL
38113817
},
38123818

3819+
{
3820+
{"password_encryption",PGC_USERSET,CONN_AUTH_SECURITY,
3821+
gettext_noop("Encrypt passwords."),
3822+
gettext_noop("When a password is specified in CREATE USER or "
3823+
"ALTER USER without writing either ENCRYPTED or UNENCRYPTED, "
3824+
"this parameter determines whether the password is to be encrypted.")
3825+
},
3826+
&Password_encryption,
3827+
PASSWORD_TYPE_MD5,password_encryption_options,
3828+
NULL,NULL,NULL
3829+
},
3830+
38133831
/* End-of-list marker */
38143832
{
38153833
{NULL,0,0,NULL,NULL},NULL,0,NULL,NULL,NULL,NULL

‎src/backend/utils/misc/postgresql.conf.sample

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -85,7 +85,7 @@
8585
#ssl_key_file = 'server.key'# (change requires restart)
8686
#ssl_ca_file = ''# (change requires restart)
8787
#ssl_crl_file = ''# (change requires restart)
88-
#password_encryption =on
88+
#password_encryption =md5# md5 or plain
8989
#db_user_namespace = off
9090
#row_security = on
9191

‎src/include/commands/user.h

Lines changed: 12 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -16,10 +16,19 @@
1616
#include"parser/parse_node.h"
1717

1818

19-
/* Hook to check passwords in CreateRole() and AlterRole() */
20-
#definePASSWORD_TYPE_PLAINTEXT0
21-
#definePASSWORD_TYPE_MD51
19+
/*
20+
* Types of password, for Password_encryption GUC and the password_type
21+
* argument of the check-password hook.
22+
*/
23+
typedefenumPasswordType
24+
{
25+
PASSWORD_TYPE_PLAINTEXT=0,
26+
PASSWORD_TYPE_MD5
27+
}PasswordType;
2228

29+
externintPassword_encryption;/* GUC */
30+
31+
/* Hook to check passwords in CreateRole() and AlterRole() */
2332
typedefvoid (*check_password_hook_type) (constchar*username,constchar*password,intpassword_type,Datumvaliduntil_time,boolvaliduntil_null);
2433

2534
externPGDLLIMPORTcheck_password_hook_typecheck_password_hook;

0 commit comments

Comments
 (0)
[8]ページ先頭
©2009-2025 Movatter.jp