diff --git a/proxy/src/auth/backend/classic.rs b/proxy/src/auth/backend/classic.rs index f35b3ecc05..853d89683a 100644 --- a/proxy/src/auth/backend/classic.rs +++ b/proxy/src/auth/backend/classic.rs @@ -45,6 +45,10 @@ pub(super) async fn authenticate( server_key: secret.server_key.as_bytes(), } } + AuthSecret::Cleartext => { + ctx.set_auth_method(crate::context::AuthMethod::Cleartext); + return super::hacks::authenticate_cleartext(ctx, creds, client, secret, config).await; + } }; Ok(ComputeCredentials { diff --git a/proxy/src/auth/backend/mod.rs b/proxy/src/auth/backend/mod.rs index e865f8079c..d24d24eee2 100644 --- a/proxy/src/auth/backend/mod.rs +++ b/proxy/src/auth/backend/mod.rs @@ -174,6 +174,8 @@ impl ComputeUserInfo { #[cfg_attr(test, derive(Debug))] pub(crate) enum ComputeCredentialKeys { + /// We don't convert passwords into auth keys, we just pass passwords onto postgres. + Password(Vec), AuthKeys(AuthKeys), JwtPayload(Vec), } @@ -244,11 +246,13 @@ async fn auth_quirks( let secret = if let Some(secret) = role_access.secret { secret } else { - // If we don't have an authentication secret, we mock one to - // prevent malicious probing (possible due to missing protocol steps). - // This mocked secret will never lead to successful authentication. - info!("authentication info not found, mocking it"); - AuthSecret::Scram(scram::ServerSecret::mock(rand::random())) + // // If we don't have an authentication secret, we mock one to + // // prevent malicious probing (possible due to missing protocol steps). + // // This mocked secret will never lead to successful authentication. + // info!("authentication info not found, mocking it"); + // AuthSecret::Scram(scram::ServerSecret::mock(rand::random())) + + AuthSecret::Cleartext }; match authenticate_with_secret( diff --git a/proxy/src/auth/flow.rs b/proxy/src/auth/flow.rs index c825d5bf4b..aa1ca1bc6b 100644 --- a/proxy/src/auth/flow.rs +++ b/proxy/src/auth/flow.rs 
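Review bot: The new `AuthSecret::Cleartext` arm returns straight out of `authenticate` through `super::hacks::authenticate_cleartext`, and nothing in the hunk shows that the client connection is encrypted before a plaintext password is requested on it. If `authenticate_cleartext` does not already enforce that, the check belongs in this arm before `ctx.set_auth_method(...)`. The arm also needs a comment saying that the proxy verifies nothing on this path, for example `// No proxy-side check: the password is forwarded as-is and compute is the only authenticator.` The match and the function body start outside the hunk.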
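Review bot: `Password(Vec)` keeps the client's plaintext password in an ordinary byte vector inside `ComputeCredentialKeys`, which derives `Debug` under `cfg(test)`, so a failing test assertion can print the password and the bytes are not cleared when the value is dropped. A small wrapper type that redacts its `Debug` output and clears its buffer on drop would hold it more safely. The same value is created in `proxy/src/auth/flow.rs` (`password.to_vec()`) and consumed in `proxy/src/compute/mod.rs` (`Auth::Password(pw)`), so those sites would change with it. The doc comment should also say who verifies the password, for example `/// Plaintext password, unverified by the proxy; compute performs the only check.`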
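Review bot: A role with no stored secret now falls through to `AuthSecret::Cleartext` in the `else` branch, which removes the mocked SCRAM secret that the deleted comment describes as the guard against probing. Roles with a secret still get SCRAM while roles without one get the cleartext path, so the authentication method offered to a client appears to reveal whether a secret exists, and unknown roles are no longer rejected at the proxy. If passthrough is needed only in specific deployments, it should sit behind an explicit configuration switch, with the mock kept as the default. The five commented-out `// //` lines should be deleted, and a comment such as `// No secret: defer authentication to compute (passthrough mode only).` should explain the branch. `auth_quirks` starts and ends outside the hunk.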
@@ -187,5 +187,8 @@ pub(crate) async fn validate_password_and_exchange( postgres_client::config::AuthKeys::ScramSha256(keys), ))) } + AuthSecret::Cleartext => Ok(sasl::Outcome::Success(ComputeCredentialKeys::Password( + password.to_vec(), + ))), } } diff --git a/proxy/src/compute/mod.rs b/proxy/src/compute/mod.rs index f0452d1d79..7474508b7f 100644 --- a/proxy/src/compute/mod.rs +++ b/proxy/src/compute/mod.rs @@ -177,6 +177,7 @@ impl AuthInfo { ComputeCredentialKeys::AuthKeys(AuthKeys::ScramSha256(auth_keys)) => { Some(Auth::Scram(Box::new(auth_keys))) } + ComputeCredentialKeys::Password(pw) => Some(Auth::Password(pw)), ComputeCredentialKeys::JwtPayload(_) => None, }, server_params: StartupMessageParams::default(), diff --git a/proxy/src/control_plane/mod.rs b/proxy/src/control_plane/mod.rs index 6f326d789a..05911f10fe 100644 --- a/proxy/src/control_plane/mod.rs +++ b/proxy/src/control_plane/mod.rs @@ -43,6 +43,8 @@ pub mod mgmt; pub(crate) enum AuthSecret { /// [SCRAM](crate::scram) authentication info. Scram(scram::ServerSecret), + /// Do not authenticate, just take the cleartext password and give it to postgres. + Cleartext, } #[derive(Default)] diff --git a/proxy/src/lib.rs b/proxy/src/lib.rs index 6c65a4b1ee..9fe8b10845 100644 --- a/proxy/src/lib.rs +++ b/proxy/src/lib.rs @@ -76,6 +76,7 @@ // List of temporarily allowed lints to unblock beta/nightly. #![allow(unknown_lints)] #![expect( + unused_imports, dead_code, reason = " We are making minimal changes to proxy for lakebase-v2 integration. diff --git a/proxy/src/serverless/rest.rs b/proxy/src/serverless/rest.rs index 0c3d2c958d..8278b74fe7 100644 --- a/proxy/src/serverless/rest.rs +++ b/proxy/src/serverless/rest.rs 
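Review bot: The `AuthSecret::Cleartext` arm returns `sasl::Outcome::Success` for every input, so `validate_password_and_exchange` no longer validates anything on this path and an empty password is accepted and forwarded like any other. Callers that treat `Outcome::Success` as proof of authentication (none are visible in this hunk) would be wrong for this variant. Rejecting an empty `password` before building `ComputeCredentialKeys::Password`, and adding a comment such as `// Not verified here; compute checks the password.`, would make the contract explicit. The function starts outside the hunk.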
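Review bot: Adding `unused_imports` to the crate-wide `#![expect(...)]` silences that lint for every module in `proxy`, not just the code touched here. It looks as if the need comes from the block commented out in `auth_quirks` (its `info!`, `scram` and `rand` uses), though that is inferred from the other hunks. Removing the now-unused imports, or putting a scoped `#[expect(unused_imports, reason = "...")]` on the affected `use` items, would keep the lint active elsewhere. The attribute list continues outside the hunk.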
@@ -800,7 +800,7 @@ async fn handle_rest_inner( .map_err(|e| RestError::SubzeroCore(JsonDeserialize { source: e }))?; Some(payload) } - ComputeCredentialKeys::AuthKeys(_) => None, + ComputeCredentialKeys::AuthKeys(_) | ComputeCredentialKeys::Password(_) => None, }; // read the role from the jwt claims (and set it to the "anon" role if not present)