I'm having trouble using SSL to connect to a foreign server using postgres_fdw. I had this working on a different server, but seemingly the same process is not working on my new machine.
I mostly follow the same steps as this Percona blog and create my server with the following command:
create
server my_fdw
foreign data wrapper postgres_fdw
options (
host 'localhost',
port '5432',
dbname 'my_foreign_db',
use_remote_estimate 'on',
sslrootcert '/home/myhome/.postgresql/root.crt',
sslcert '/home/myhome/.postgresql/postgresql.crt',
sslkey '/home/myhome/.postgresql/postgresql.key',
sslmode 'verify-full'
)
;
grant usage on foreign server my_fdw to myuser;
create user mapping
for myuser
server my_fdw
options (password_required 'false')
;
I have no problem connecting to the primary database using SSL.
However, when I try to access the foreign server, e.g.:
import
foreign schema foreign_schema
from server my_fdw
into local_schema
;
I get the following error:
ERROR: could not connect to server "my_fdw"
DETAIL: connection to server at "localhost" (::1), port 5432 failed: could not read root certificate file "/home/myhome/.postgresql/root.crt": Permission denied
The root.crt file is owned by the myhome user and permissions are set to 0600.
I can (temporarily) change the permissions of the root.crt file to be more permissive, which will bypass this specific error, but then I will get the same error for the other files. However, changing the permissions of these files will cause postgres to fail because they must be 0600 or lower.
It seems that postgres is trying to access the SSL files as a different OS user when executing a command related to the foreign server. Any ideas on what is going on or how to solve the problem?
Sure, it is using a different user--the user who owns the database server processes. This would usually be 'postgres'. You might need to make a copy of those files, and do a chown on the copy.
I tried to create a server and it says:
Unable to connect to server:
FATAL: password authentication failed for user "postgres"
https://prnt.sc/ric1vl
What operating system are you using? Maybe you need to change the password of the postgres user. In my case I use Debian GNU Linux; to change the password of the postgres user, I do it in the following way:
root#alpha:~$ passwd postgres
and then I enter a new password for the user.
Could you also verify that the postgres user has permission to connect to the server? To do this, you can check the pg_hba.conf file in the PostgreSQL installation directory.
root#alpha:~$ nano /etc/postgresql/11/main/pg_hba.conf
By default, PostgreSQL only allows connections from local addresses (localhost).
Make sure to have your local postgres server running
Hit pgadmin tool connect to server and to create database
Right-click on the server button to your left, select create then server, insert name of the server, make sure it is as descriptive as possible, that way you can find your way back to if you remember
Move to connection tab; host name is the server where the SQL database is running, most likely you will be starting with your machine as database(db), insert localhost or 127.0.0.1.
leave default port as it is '5432'
maintenance db leave as 'postgres'
username leave as default 'postgres'
password : same as you registered with during installation
To your left, you should see the database under 'server', you should see the postgres default created underlink databases.
Right click on the databases button and select create, then database, insert your descriptive database name, click save.
Click on your new database, roll down, highlight Schema, go to Tools, select Query Tool...
You can go ahead to create or import tables as you deem fit.
EMPHASIS SHOULD BE ON THE PASSWORD, IT MUST BE SAME AS USED DURING INSTALLATION
Hoping for some help as I am very new to PostgreSQL admin!
I have 2 servers added to pgAdmin: server 1 is a hosted db on Heroku, the other is local to the server.
I want to add the Heroku db as foreign tables to the local db.
Can I link these 2 servers? So far I have failed.
I have the fdw extension set up locally, and I am able to use it across three local dbs OK. Do I need the extension also set up on the Heroku db?
I have setup the fdw server as
host localhost --- should this be the Heroku host path? or is this ok since I have added - --server local? I get fsrvoption error if I add actual host path
dbname dbname
port 5432
and then setup user
user username
password password
any help appreciated!
mal
You don't have to set up anything on the remote server to access it via foreign data wrapper; the foreign data wrapper will access the remote database as a regular database client.
Once you have set up postgres_fdw correctly, you can use it to access tables on the remote server just as if they were local tables. A foreign table is a bit like a view in some respects.
Maybe it helps to understand the objects involved:
The foreign data wrapper encapsulates the code to access the remote data source (PostgreSQL client).
The foreign server wraps the connect string for the remote database.
The user mapping contains the credentials for a user to access the foreign server.
The foreign table describes a table on the remote server.
You can use the command IMPORT FOREIGN SCHEMA to automatically define foreign tables for all (or part) of the tables in a schema on the remote server.
Once the foreign tables are defined correctly, you can use them in SQL statements just like local tables, but you will actually read and write data on the remote server.
After some debugging, the problem turned out to be this:
Creating the foreign server using pgAdmin caused a strange error with fsrvoption (running CREATE SERVER via the query tool worked).
Creating the foreign server with localhost rather than the correct server address unsurprisingly gave the error that the database doesn't exist.
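The four objects from the answer above, created through the query tool for a remote host, as an added example that is not from the original thread. The host, database, role, schema and table names and the credentials are placeholders; `sslmode 'require'` is an assumption about what the remote side expects.

```sql
-- Added example: every name and credential below is a placeholder.

-- 1. Foreign data wrapper: installed in the LOCAL database only.
CREATE EXTENSION IF NOT EXISTS postgres_fdw;

-- 2. Foreign server: the connection target. host must be the remote
--    address; 'localhost' would point back at the local cluster.
CREATE SERVER heroku_srv
    FOREIGN DATA WRAPPER postgres_fdw
    OPTIONS (host   'remote-host.example.com',
             port   '5432',
             dbname 'remote_dbname',
             sslmode 'require');

-- 3. User mapping: credentials the local role presents to the remote server.
CREATE USER MAPPING FOR local_user
    SERVER heroku_srv
    OPTIONS (user 'remote_username', password 'remote_password');

GRANT USAGE ON FOREIGN SERVER heroku_srv TO local_user;

-- 4. Foreign tables: imported into a dedicated local schema.
CREATE SCHEMA IF NOT EXISTS heroku;
IMPORT FOREIGN SCHEMA public
    LIMIT TO (customers)
    FROM SERVER heroku_srv
    INTO heroku;

-- This query is executed against the remote database.
SELECT count(*) FROM heroku.customers;

-- Check what the server definition actually stores, and correct a
-- wrong host without dropping the server and its dependent objects.
SELECT srvname, srvoptions FROM pg_foreign_server;
ALTER SERVER heroku_srv OPTIONS (SET host 'remote-host.example.com');
```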
I want to give read-only access to a user in my Postgres database.
I have created the user and given read access to certain schemas and added his IP to the pg_hba.conf file, but the issue is that the user doesn't have a particular IP; today he connects from a different IP and gets the same error. So adding the IP to pg_hba is not an option.
FATAL: no pg_hba.conf entry for host "67.xxx.xxx.53", user "abc_read", database "postgres", SSL on FATAL: no pg_hba.conf entry for host "67.xxx.xxx.53"
So is there a way to give access via SSH key or certificates? I am not sure how certificates work in Postgres.
Can anyone give me a hint/suggestion on this?
Hello, I am a beginner to PostgreSQL. I am unable to connect to a PostgreSQL database on a Linux system from Windows through the pgAdmin client. I am getting the following error:
FATAL: no pg_hba.conf entry for host "192.168.1.42", user "postgres", database "postgres", SSL off
Kindly suggest how to do this. Thanks in advance.
On the db server, edit your pg_hba.conf file and add a line similar to this:
host all all 192.168.1.42/32 md5
If you don't want to use a password (I won't get into the security aspects), you can switch the "md5" for "trust". If you only want to allow the postgres user access to the postgres maintenance database, then switch both "all" words with "postgres" (no quotes).
You'll need to reload the config files after making any changes.
Eg.
pg_ctl reload
or
select pg_reload_conf(); -- as the superuser
If you don't know which pg_hba.conf file your database cluster is using, if you can connect to any of the databases, issue select current_setting('hba_file');
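A check to run between editing pg_hba.conf and reloading it, as an added example that is not part of the original answer. It assumes PostgreSQL 10 or later (where the `pg_hba_file_rules` view exists) and a superuser session; the view reads the file as it is on disk, not the rules currently loaded.

```sql
-- Added example: requires PostgreSQL 10+ and a superuser session.

-- Which file is this cluster using?
SELECT current_setting('hba_file') AS hba_file;

-- Parse the file as it currently is on disk and annotate each rule.
-- Rules are matched top to bottom, so line order matters.
SELECT line_number, type, database, user_name, address, netmask, auth_method,
       CASE
           WHEN error IS NOT NULL            THEN 'will not load: ' || error
           WHEN auth_method = 'trust'        THEN 'no password is requested'
           WHEN netmask IN ('0.0.0.0', '::') THEN 'matches every client address'
       END AS note
FROM pg_hba_file_rules
ORDER BY line_number;

-- Reload only once no row reports a parse error.
SELECT pg_reload_conf();
```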
By default, PostgreSQL denies all connections that are not from "localhost".
Here is a link for you:
https://wiki.debian.org/PhpPgAdmin
I want to do some cross-database references in my application. Briefly, I have two databases called meta and op. I want to run a select query from meta against a table in the op database like below, but I am getting the error below. I tried with a password and without a password. By the way, the caixa user is a non-superuser and my target server (the op db server) uses MD5 authentication mode.
meta=> select * from dblink('dbname=op password=caixa','SELECT op_col from op_table') AS t(op_col varchar);
ERROR: password is required
DETAIL: Non-superuser cannot connect if the server does not request a password.
HINT: Target server's authentication method must be changed.
What does the HINT in the above error message suggest? Do I need to change the server's auth mode? Without changing the server's auth mode (MD5), can't I run the above query?
From documentation:
Only superusers may use dblink_connect to create
non-password-authenticated connections. If non-superusers need this
capability, use dblink_connect_u instead.
and
dblink_connect_u() is identical to dblink_connect(), except that it
will allow non-superusers to connect using any authentication method.
That means your dblink call is using dblink_connect implicitly. Use dblink_connect_u instead or change your auth method to e.g. md5.
Note that you also need to grant the execute privilege to the caixa role, for example by:
GRANT EXECUTE ON FUNCTION dblink_connect_u(text) TO caixa;
GRANT EXECUTE ON FUNCTION dblink_connect_u(text, text) TO caixa;
Working example (after GRANT):
meta=> SELECT dblink_connect_u('conn1', 'dbname=op');
meta=> SELECT * FROM dblink('conn1','SELECT op_col from op_table')
AS t(op_col varchar);
op_col
--------
aaa
bbb
ccc
(3 rows)
meta=> SELECT dblink_disconnect('conn1');
EDIT:
Sorry for the slightly misleading answer. Of course you don't need dblink_connect_u for md5 authenticated
connection. There is one possibility I see. PostgreSQL has two different connection types: host and local.
Running:
psql -h localhost ..
incorporates host connection, but
dblink_connect('mycon','dbname=vchitta_op user=caixa password=caixa');
uses local type, so if you have non-password method for local connection (for example ident method or trust), then it returns
ERROR: password is required
DETAIL: Non-superuser cannot connect if the server does not request a password.
HINT: Target server's authentication method must be changed.
Check
dblink_connect('mycon','hostaddr=127.0.0.1 dbname=vchitta_op user=caixa password=caixa')
for host connection. For clarity if possible please post your pg_hba.conf.
I also checked what about CONNECT privilege on vchitta_op DB, but error message is different:
REVOKE CONNECT ON DATABASE vchitta_op FROM PUBLIC;
REVOKE CONNECT ON DATABASE vchitta_op FROM caixa;
SELECT dblink_connect('mycon','dbname=vchitta_op user=caixa password=caixa');
ERROR: could not establish connection
DETAIL: FATAL: permission denied for database "vchitta_op"
DETAIL: User does not have CONNECT privilege.
There's a workaround that did the trick for me. Non-superusers can execute functions with privileges of a superuser if "SECURITY DEFINER" option is set.
( http://www.postgresql.org/docs/9.1/static/sql-createfunction.html )
That means you can create a function (with superuser owner and SECURITY DEFINER option) that does cross-database manipulation (using dblink() without password) and execute it under non-superuser
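The workaround described above written out in SQL, as an added example that is not from the original answer. The function name `read_op_col` is hypothetical; the block assumes dblink is installed in schema `public`, that `op_table.op_col` is `varchar` as in the question, and that pg_hba.conf lets the server's OS user reach `op` over the local socket without a password.

```sql
-- Added example: run as a superuser in database "meta".
-- read_op_col is a hypothetical name; caixa, op, op_table and op_col
-- are taken from the question.

CREATE FUNCTION public.read_op_col()
RETURNS TABLE (op_col varchar)
LANGUAGE sql
SECURITY DEFINER                          -- body runs with the owner's privileges
SET search_path = pg_catalog, pg_temp     -- caller cannot shadow objects used in the body
AS $$
    -- The remote query text is fixed here. The function takes no SQL
    -- argument, so a caller cannot choose what runs with the owner's rights.
    SELECT t.op_col
    FROM public.dblink('dbname=op', 'SELECT op_col FROM op_table')
         AS t(op_col varchar);
$$;

-- New functions are executable by PUBLIC by default; restrict this one
-- to the role that needs it.
REVOKE ALL ON FUNCTION public.read_op_col() FROM PUBLIC;
GRANT EXECUTE ON FUNCTION public.read_op_col() TO caixa;

-- Then, connected to meta as caixa:
--   SELECT * FROM public.read_op_col();
```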
I have a similar but a different issue. I have two servers with identical postgres.conf and pg_hba.conf. However one on version 9.2.3 and one on 9.2.4
9.2.3
pg_hba.conf has
local all dblinkuser trust
then I connect to database using any ordinary user
theater_map=# select dblink_connect('dbname=TheaterDB user=dblinkuser password=dbl123');
dblink_connect
----------------
OK
(1 row)
success in connection.
9.2.4
my pg_hba.conf has the same entry as above
theater_map=> select dblink_connect('dbname=TheaterDB user=dblinkuser password=dbl123');
ERROR: password is required
DETAIL: Non-superuser cannot connect if the server does not request a password.
HINT: Target server's authentication method must be changed.
NOW
I change my pg_hba.conf on 9.2.4 as below
local all dblinkuser md5
and restart postgres
theater_map=> select dblink_connect('dbname=TheaterDB user=dblinkuser password=dbl123');
dblink_connect
----------------
OK
(1 row)
I checked the change log between versions 9.2.3 and 9.2.4 but could not find any details.
note: changing auth method from trust to md5 on 9.2.3 does not make any difference and still works.
I found this question googling for same error message, though I use fdw extension rather than db_link. Following steps helped to fix my problem:
find user has no password and set it on - alter user myuser with password 'mypassword'
find authentication method is trust and set it to md5 - vim /var/lib/postgresql/data_/pg_hba.conf
reload pg_hba.conf - SELECT pg_reload_conf(); from psql (log out and log in to verify password is required)
(optionally try access from remote machine, db browser etc.)
setup foreign server and its user mapping - CREATE USER MAPPING FOR CURRENT_USER SERVER myserver OPTIONS (user 'myuser', password 'mypassword');
PostgreSQL 11.10
SELECT ext.column1 from
dblink('hostaddr=192.192.192.192 dbname=yourDbname user=yourUsername password=yourpass',
'select a."column1" from "Table1" a where a."column2"=2')
as ext(column1 text)