Commit821a5df

hlinnakaafiskon
authored andcommitted
Turn password_encryption GUC into an enum.
This makes the parameter easier to extend, to support other password-based authentication protocols than MD5. (SCRAM is being worked on.)

The GUC still accepts on/off as aliases for "md5" and "plain", although we may want to remove those once we actually add support for another password hash type.

Michael Paquier, reviewed by David Steele, with some further edits by me.

Discussion: <CAB7nPqSMXU35g=W9X74HVeQp0uvgJxvYOuA4A-A3M+0wfEBv-w@mail.gmail.com>
1 parent215cb4f commit821a5df


5 files changed

+62
-34
lines changed


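--- a/doc/src/sgml/config.sgml
+++ b/doc/src/sgml/config.sgml
@@ -1166,21 +1166,22 @@ include_dir 'conf.d'
 </varlistentry>
 
 <varlistentry id="guc-password-encryption" xreflabel="password_encryption">
-<term><varname>password_encryption</varname> (<type>boolean</type>)
+<term><varname>password_encryption</varname> (<type>enum</type>)
 <indexterm>
 <primary><varname>password_encryption</> configuration parameter</primary>
 </indexterm>
 </term>
 <listitem>
 <para>
-When a password is specified in <xref
-linkend="sql-createuser">or
-<xref linkend="sql-alterrole">
-without writing either<literal>ENCRYPTED</> or
-<literal>UNENCRYPTED</>, this parameter determines whether the
-password is to be encrypted. The default is<literal>on</>
-(encrypt the password).
+When a password is specified in <xref linkend="sql-createuser"> or
+<xreflinkend="sql-alterrole">without writing either <literal>ENCRYPTED</>
+or <literal>UNENCRYPTED</>, this parameter determines whether the
+password is to be encrypted. The default value is<literal>md5</>, which
+stores the password as an MD5 hash. Setting this to<literal>plain</> stores
+it in plaintext. <literal>on</> and<literal>off</> are also accepted, as
+aliases for <literal>md5</> and <literal>plain</>, respectively.
 </para>
+
 </listitem>
 </varlistentry>
 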
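--- a/src/backend/commands/user.c
+++ b/src/backend/commands/user.c
@@ -44,7 +44,7 @@ Oidbinary_upgrade_next_pg_authid_oid = InvalidOid;
 
 
 /* GUC parameter */
-externboolPassword_encryption;
+intPassword_encryption=PASSWORD_TYPE_MD5;
 
 /* Hook to check passwords in CreateRole() and AlterRole() */
 check_password_hook_typecheck_password_hook=NULL;
@@ -80,7 +80,7 @@ CreateRole(ParseState *pstate, CreateRoleStmt *stmt)
 ListCell*item;
 ListCell*option;
 char*password=NULL;/* user password */
-boolencrypt_password=Password_encryption;/* encrypt password? */
+intpassword_type=Password_encryption;
 charencrypted_password[MD5_PASSWD_LEN+1];
 boolissuper= false;/* Make the user a superuser? */
 boolinherit= true;/* Auto inherit privileges? */
@@ -140,9 +140,9 @@ CreateRole(ParseState *pstate, CreateRoleStmt *stmt)
 parser_errposition(pstate,defel->location)));
 dpassword=defel;
 if (strcmp(defel->defname,"encryptedPassword")==0)
-encrypt_password=true;
+password_type=PASSWORD_TYPE_MD5;
 elseif (strcmp(defel->defname,"unencryptedPassword")==0)
-encrypt_password=false;
+password_type=PASSWORD_TYPE_PLAINTEXT;
 }
 elseif (strcmp(defel->defname,"sysid")==0)
 {
@@ -393,7 +393,7 @@ CreateRole(ParseState *pstate, CreateRoleStmt *stmt)
 
 if (password)
 {
-if (!encrypt_password||isMD5(password))
+if (password_type==PASSWORD_TYPE_PLAINTEXT||isMD5(password))
 new_record[Anum_pg_authid_rolpassword-1]=
 CStringGetTextDatum(password);
 else
@@ -505,7 +505,7 @@ AlterRole(AlterRoleStmt *stmt)
 ListCell*option;
 char*rolename=NULL;
 char*password=NULL;/* user password */
-boolencrypt_password=Password_encryption;/* encrypt password? */
+intpassword_type=Password_encryption;
 charencrypted_password[MD5_PASSWD_LEN+1];
 intissuper=-1;/* Make the user a superuser? */
 intinherit=-1;/* Auto inherit privileges? */
@@ -550,9 +550,9 @@ AlterRole(AlterRoleStmt *stmt)
 errmsg("conflicting or redundant options")));
 dpassword=defel;
 if (strcmp(defel->defname,"encryptedPassword")==0)
-encrypt_password=true;
+password_type=PASSWORD_TYPE_MD5;
 elseif (strcmp(defel->defname,"unencryptedPassword")==0)
-encrypt_password=false;
+password_type=PASSWORD_TYPE_PLAINTEXT;
 }
 elseif (strcmp(defel->defname,"superuser")==0)
 {
@@ -804,7 +804,7 @@ AlterRole(AlterRoleStmt *stmt)
 /* password */
 if (password)
 {
-if (!encrypt_password||isMD5(password))
+if (password_type==PASSWORD_TYPE_PLAINTEXT||isMD5(password))
 new_record[Anum_pg_authid_rolpassword-1]=
 CStringGetTextDatum(password);
 else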
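Review bot: The bare `else` after `if (password_type==PASSWORD_TYPE_PLAINTEXT||isMD5(password))` in CreateRole (hunk at 393) and again in AlterRole (hunk at 804) treats every type that is not plaintext as MD5, so a PasswordType value added later would be stored as an MD5 hash without any error. The body of that `else` lies outside both hunks and presumably computes the MD5 hash. Since the commit's stated purpose is to make the setting extensible, name the handled case and fail closed on the rest: turn the branch into `else if (password_type == PASSWORD_TYPE_MD5)` and add a final `else elog(ERROR, "unrecognized password type: %d", password_type);`. The same change applies to both functions.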

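--- a/src/backend/utils/misc/guc.c
+++ b/src/backend/utils/misc/guc.c
@@ -35,6 +35,7 @@
 #include"catalog/namespace.h"
 #include"commands/async.h"
 #include"commands/prepare.h"
+#include"commands/user.h"
 #include"commands/vacuum.h"
 #include"commands/variable.h"
 #include"commands/trigger.h"
@@ -395,6 +396,24 @@ static const struct config_enum_entry force_parallel_mode_options[] = {
 {NULL,0, false}
 };
 
+/*
+* password_encryption used to be a boolean, so accept all the likely
+* variants of "on" and "off", too.
+*/
+staticconststructconfig_enum_entrypassword_encryption_options[]= {
+{"plain",PASSWORD_TYPE_PLAINTEXT, false},
+{"md5",PASSWORD_TYPE_MD5, false},
+{"off",PASSWORD_TYPE_PLAINTEXT, false},
+{"on",PASSWORD_TYPE_MD5, false},
+{"true",PASSWORD_TYPE_MD5, true},
+{"false",PASSWORD_TYPE_PLAINTEXT, true},
+{"yes",PASSWORD_TYPE_MD5, true},
+{"no",PASSWORD_TYPE_PLAINTEXT, true},
+{"1",PASSWORD_TYPE_MD5, true},
+{"0",PASSWORD_TYPE_PLAINTEXT, true},
+{NULL,0, false}
+};
+
 /*
 * Options for enum values stored in other modules
 */
@@ -425,8 +444,6 @@ boolcheck_function_bodies = true;
 booldefault_with_oids= false;
 boolSQL_inheritance= true;
 
-boolPassword_encryption= true;
-
 intlog_min_error_statement=ERROR;
 intlog_min_messages=WARNING;
 intclient_min_messages=NOTICE;
@@ -1325,17 +1342,6 @@ static struct config_bool ConfigureNamesBool[] =
 true,
 NULL,NULL,NULL
 },
-{
-{"password_encryption",PGC_USERSET,CONN_AUTH_SECURITY,
-gettext_noop("Encrypt passwords."),
-gettext_noop("When a password is specified in CREATE USER or "
-"ALTER USER without writing either ENCRYPTED or UNENCRYPTED, "
-"this parameter determines whether the password is to be encrypted.")
-},
-&Password_encryption,
-true,
-NULL,NULL,NULL
-},
 {
 {"transform_null_equals",PGC_USERSET,COMPAT_OPTIONS_CLIENT,
 gettext_noop("Treats \"expr=NULL\" as \"expr IS NULL\"."),
@@ -3907,6 +3913,18 @@ static struct config_enum ConfigureNamesEnum[] =
 NULL,NULL,NULL
 },
 
+{
+{"password_encryption",PGC_USERSET,CONN_AUTH_SECURITY,
+gettext_noop("Encrypt passwords."),
+gettext_noop("When a password is specified in CREATE USER or "
+"ALTER USER without writing either ENCRYPTED or UNENCRYPTED, "
+"this parameter determines whether the password is to be encrypted.")
+},
+&Password_encryption,
+PASSWORD_TYPE_MD5,password_encryption_options,
+NULL,NULL,NULL
+},
+
 /* End-of-list marker */
 {
 {NULL,0,0,NULL,NULL},NULL,0,NULL,NULL,NULL,NULL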
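Review bot: The two gettext_noop() strings in the new ConfigureNamesEnum entry (hunk at 3913) were carried over from the boolean entry and still describe a yes/no choice: "Encrypt passwords." and "whether the password is to be encrypted". The setting now selects a storage type, `plain` stores the password in plaintext, and MD5 is a hash rather than encryption, so the text an administrator reads for this parameter understates what `plain` does. A short description such as `gettext_noop("Chooses how passwords given without ENCRYPTED or UNENCRYPTED are stored.")` would fit, with the long description naming the accepted values `md5` and `plain`.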

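--- a/src/backend/utils/misc/postgresql.conf.sample
+++ b/src/backend/utils/misc/postgresql.conf.sample
@@ -85,7 +85,7 @@ listen_addresses = '*'# what IP address(es) to listen on;
 #ssl_key_file = 'server.key'# (change requires restart)
 #ssl_ca_file = ''# (change requires restart)
 #ssl_crl_file = ''# (change requires restart)
-#password_encryption =on
+#password_encryption =md5# md5 or plain
 #db_user_namespace = off
 #row_security = on
 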
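--- a/src/include/commands/user.h
+++ b/src/include/commands/user.h
@@ -16,10 +16,19 @@
 #include"parser/parse_node.h"
 
 
-/* Hook to check passwords in CreateRole() and AlterRole() */
-#definePASSWORD_TYPE_PLAINTEXT0
-#definePASSWORD_TYPE_MD51
+/*
+* Types of password, for Password_encryption GUC and the password_type
+* argument of the check-password hook.
+*/
+typedefenumPasswordType
+{
+PASSWORD_TYPE_PLAINTEXT=0,
+PASSWORD_TYPE_MD5
+}PasswordType;
 
+externintPassword_encryption;/* GUC */
+
+/* Hook to check passwords in CreateRole() and AlterRole() */
 typedefvoid (*check_password_hook_type) (constchar*username,constchar*password,intpassword_type,Datumvaliduntil_time,boolvaliduntil_null);
 
 externPGDLLIMPORTcheck_password_hook_typecheck_password_hook;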
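Review bot: The new comment above PasswordType does not tell hook authors that the set of values is expected to grow, and check_password_hook_type still receives a plain `int password_type`. A hook that assumes "not PASSWORD_TYPE_PLAINTEXT means MD5" would misjudge a password of any later type; the commit message says SCRAM is being worked on. Extend the comment with a sentence such as `Hooks must not assume these are the only values; a type they do not recognize should be treated as one they cannot verify.`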
