Re: Postgres_fdw- User Mapping with md5-hashed password

Thu, 10 Apr 2025 13:24:01 -0700 

On 4/8/25 13:00, Dirschel, Steve wrote:

I know I can create user steve_test with password testpassword122 as md5 by 
doing:

select 'md5'||md5('testpassword122steve_test');  Returns --> 
md5eb7e220574bf85096ee99370ad67cbd3

CREATE USER steve_test WITH  PASSWORD 'md5eb7e220574bf85096ee99370ad67cbd3';

And then I can login as steve_test with password testpassword122.

I'm trying to use similar logic when creating a user mapping:

CREATE USER MAPPING FOR postgres SERVER steve_snap0 OPTIONS (user 'steve_test', 
password 'md5eb7e220574bf85096ee99370ad67cbd3');

When I try and import a foreign schema I get an error:

ERROR:  could not connect to server "steve_snap0"

If I create the user mapping with the password:

CREATE USER MAPPING FOR postgres SERVER steve_snap0 OPTIONS (user 'steve_test', 
password 'testpassword122');

It works fine.

Is it not possible to use the same logic for the user mapping password that can 
be used when creating a user?


A) Short version

   No you can't.

b) Long version

From here:

CREATE ROLE

https://www.postgresql.org/docs/current/sql-createrole.html
"If the presented password string is already in MD5-encrypted or SCRAM-encrypted format, then it is stored as-is regardless of password_encryption (since the system cannot decrypt the specified encrypted password string, to encrypt it in a different format). This allows reloading of encrypted passwords during dump/restore." 

Whereas from here:

https://www.postgresql.org/docs/current/postgres-fdw.html
" user mapping, defined with CREATE USER MAPPING, is needed as well to identify the role that will be used on the remote server: 

CREATE USER MAPPING FOR local_user
        SERVER foreign_server
        OPTIONS (user 'foreign_user', password 'password');
"
In the above you are just supplying values to the connection string not actually creating a password as in the first case. 





Thanks in advance.
This e-mail is for the sole use of the intended recipient and contains 
information that may be privileged and/or confidential. If you are not an 
intended recipient, please notify the sender by return e-mail and delete this 
e-mail and any attachments. Certain required legal entity disclosures can be 
accessed on our website: 
https://www.thomsonreuters.com/en/resources/disclosures.html


--
Adrian Klaver
adrian.kla...@aklaver.com

Reply via email to