diff --git a/libs/utils/src/postgres_backend.rs b/libs/utils/src/postgres_backend.rs index 5b34c7adfb..bac6f861c3 100644 --- a/libs/utils/src/postgres_backend.rs +++ b/libs/utils/src/postgres_backend.rs @@ -7,7 +7,6 @@ use crate::sock_split::{BidiStream, ReadStream, WriteStream}; use anyhow::{bail, ensure, Context, Result}; use bytes::{Bytes, BytesMut}; use pq_proto::{BeMessage, FeMessage, FeStartupPacket}; -use rand::Rng; use serde::{Deserialize, Serialize}; use std::fmt; use std::io::{self, Write}; @@ -33,11 +32,6 @@ pub trait Handler { Ok(()) } - /// Check auth md5 - fn check_auth_md5(&mut self, _pgb: &mut PostgresBackend, _md5_response: &[u8]) -> Result<()> { - bail!("MD5 auth failed") - } - /// Check auth jwt fn check_auth_jwt(&mut self, _pgb: &mut PostgresBackend, _jwt_response: &[u8]) -> Result<()> { bail!("JWT auth failed") @@ -61,7 +55,6 @@ pub enum ProtoState { #[derive(Debug, PartialEq, Eq, Clone, Copy, Serialize, Deserialize)] pub enum AuthType { Trust, - MD5, // This mimics postgres's AuthenticationCleartextPassword but instead of password expects JWT NeonJWT, } @@ -72,7 +65,6 @@ impl FromStr for AuthType { fn from_str(s: &str) -> Result { match s { "Trust" => Ok(Self::Trust), - "MD5" => Ok(Self::MD5), "NeonJWT" => Ok(Self::NeonJWT), _ => bail!("invalid value \"{s}\" for auth type"), } @@ -83,7 +75,6 @@ impl fmt::Display for AuthType { fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result { f.write_str(match self { AuthType::Trust => "Trust", - AuthType::MD5 => "MD5", AuthType::NeonJWT => "NeonJWT", }) } @@ -134,7 +125,6 @@ pub struct PostgresBackend { pub state: ProtoState, - md5_salt: [u8; 4], auth_type: AuthType, peer_addr: SocketAddr, @@ -187,7 +177,6 @@ impl PostgresBackend { stream: Some(Stream::Bidirectional(BidiStream::from_tcp(socket))), buf_out: BytesMut::with_capacity(10 * 1024), state: ProtoState::Initialization, - md5_salt: [0u8; 4], auth_type, tls_config, peer_addr, 
@@ -367,13 +356,6 @@ impl PostgresBackend { .write_message(&BeMessage::ReadyForQuery)?; self.state = ProtoState::Established; } - AuthType::MD5 => { - rand::thread_rng().fill(&mut self.md5_salt); - self.write_message(&BeMessage::AuthenticationMD5Password( - self.md5_salt, - ))?; - self.state = ProtoState::Authentication; - } AuthType::NeonJWT => { self.write_message(&BeMessage::AuthenticationCleartextPassword)?; self.state = ProtoState::Authentication; @@ -393,14 +375,6 @@ impl PostgresBackend { match self.auth_type { AuthType::Trust => unreachable!(), - AuthType::MD5 => { - let (_, md5_response) = m.split_last().context("protocol violation")?; - - if let Err(e) = handler.check_auth_md5(self, md5_response) { - self.write_message(&BeMessage::ErrorResponse(&e.to_string()))?; - bail!("auth failed: {}", e); - } - } AuthType::NeonJWT => { let (_, jwt_response) = m.split_last().context("protocol violation")?; diff --git a/libs/utils/src/postgres_backend_async.rs b/libs/utils/src/postgres_backend_async.rs index a22774c69e..dc93131b61 100644 --- a/libs/utils/src/postgres_backend_async.rs +++ b/libs/utils/src/postgres_backend_async.rs @@ -7,7 +7,6 @@ use crate::postgres_backend::AuthType; use anyhow::{bail, Context, Result}; use bytes::{Bytes, BytesMut}; use pq_proto::{BeMessage, FeMessage, FeStartupPacket}; -use rand::Rng; use std::future::Future; use std::net::SocketAddr; use std::pin::Pin; @@ -35,11 +34,6 @@ pub trait Handler { Ok(()) } - /// Check auth md5 - fn check_auth_md5(&mut self, _pgb: &mut PostgresBackend, _md5_response: &[u8]) -> Result<()> { - bail!("MD5 auth failed") - } - /// Check auth jwt fn check_auth_jwt(&mut self, _pgb: &mut PostgresBackend, _jwt_response: &[u8]) -> Result<()> { bail!("JWT auth failed") @@ -125,7 +119,6 @@ pub struct PostgresBackend { pub state: ProtoState, - md5_salt: [u8; 4], auth_type: AuthType, peer_addr: SocketAddr, 
@@ -160,7 +153,6 @@ impl PostgresBackend { stream: Stream::Unencrypted(BufReader::new(socket)), buf_out: BytesMut::with_capacity(10 * 1024), state: ProtoState::Initialization, - md5_salt: [0u8; 4], auth_type, tls_config, peer_addr, @@ -337,13 +329,6 @@ impl PostgresBackend { .write_message(&BeMessage::ReadyForQuery)?; self.state = ProtoState::Established; } - AuthType::MD5 => { - rand::thread_rng().fill(&mut self.md5_salt); - self.write_message(&BeMessage::AuthenticationMD5Password( - self.md5_salt, - ))?; - self.state = ProtoState::Authentication; - } AuthType::NeonJWT => { self.write_message(&BeMessage::AuthenticationCleartextPassword)?; self.state = ProtoState::Authentication; @@ -364,14 +349,6 @@ impl PostgresBackend { match self.auth_type { AuthType::Trust => unreachable!(), - AuthType::MD5 => { - let (_, md5_response) = m.split_last().context("protocol violation")?; - - if let Err(e) = handler.check_auth_md5(self, md5_response) { - self.write_message(&BeMessage::ErrorResponse(&e.to_string()))?; - bail!("auth failed: {}", e); - } - } AuthType::NeonJWT => { let (_, jwt_response) = m.split_last().context("protocol violation")?; diff --git a/pageserver/src/bin/pageserver.rs b/pageserver/src/bin/pageserver.rs index b3d9b0f809..a124bf85c2 100644 --- a/pageserver/src/bin/pageserver.rs +++ b/pageserver/src/bin/pageserver.rs @@ -255,7 +255,7 @@ fn start_pageserver(conf: &'static PageServerConf) -> anyhow::Result<()> { // Initialize authentication for incoming connections let auth = match &conf.auth_type { - AuthType::Trust | AuthType::MD5 => None, + AuthType::Trust => None, AuthType::NeonJWT => { // unwrap is ok because check is performed when creating config, so path is set and file exists let key_path = conf.auth_validation_public_key_path.as_ref().unwrap();
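Review bot: In the `pageserver/src/bin/pageserver.rs` hunk, `AuthType::Trust => None` is now the only arm that leaves `auth` unset, and nothing at the site says what that means for incoming connections. A comment on the arm would make the consequence explicit, for example `// Trust: no validation key is loaded, so connections are not authenticated here`; how `None` is consumed lies outside the hunk, so the wording should be checked against that code. A config that still names `MD5` used to fall into this arm and will now presumably be rejected when the config is parsed, since the `FromStr` impl in `postgres_backend.rs` bails with `invalid value "{s}" for auth type`; that fails closed, but it deserves a line in the commit description or upgrade notes. `start_pageserver` begins and ends outside the hunk.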