Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Change the default authentication method to SCRAM-SHA-256 #4125

Merged
merged 1 commit into from
Mar 10, 2025
Merged

Change the default authentication method to SCRAM-SHA-256 #4125

merged 1 commit into from
Mar 10, 2025

Conversation

cbandy
Copy link
Member

@cbandy cbandy commented Mar 6, 2025
edited
Loading

PostgreSQL has stored passwords as SCRAM-SHA-256 since PostgreSQL 14. PGO has stored passwords as SCRAM-SHA-256 since PostgreSQL 10.

Checklist:

  • Have you added an explanation of what your changes do and why you'd like them to be included?
  • Have you updated or added documentation for the change, as applicable?
  • Have you tested your changes on all related environments with successful results, as applicable?
    • Have you added automated tests?

Type of Changes:

  • Other

What is the current behavior (link to any open issues here)?

When not configured, PostgresCluster allows connections from users with an MD5 password stored in the database.

PGO has configured Postgres to hash new and rotated passwords with SCRAM for years.

What is the new behavior (if this is a feature change)?

  • Breaking change (fix or feature that would cause existing functionality to change)

When not configured, PostgresCluster requires users to have a SCRAM password in the database.

Passwords stored as MD5 are the exception now. In those cases, one can use spec.authentication.rules and spec.config.parameters to downgrade to MD5.

Other Information:

Issue: PGO-2290
See: https://www.postgresql.org/docs/current/auth-password.html

@cbandy
Change the default authentication method to SCRAM-SHA-256
8b5ad86 
PostgreSQL has stored passwords as SCRAM-SHA-256 since PostgreSQL 14.
PGO has stored passwords as SCRAM-SHA-256 since PostgreSQL 10.

The "spec.authentication.rules" and "spec.config.parameters" fields
allow users to downgrade to MD5 when necessary.

Issue: PGO-2290
See: https://www.postgresql.org/docs/current/auth-password.html
@cbandy cbandy requested a review from andrewlecuyer March 7, 2025 07:40
@cbandy cbandy merged commit b4be754 into CrunchyData:main Mar 10, 2025
19 checks passed
@cbandy cbandy deleted the scram-default branch March 10, 2025 16:15
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dsessler7 dsessler7

@andrewlecuyer andrewlecuyer

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@cbandy @dsessler7 @andrewlecuyer