I have windows based application that communicates with PostgreSQL (installed on another Windows Server). Currently I use connection string with username and password (user is configured on PostgreSQL DB). Is it possible to somehow change it so that in connection automatically logged to windows User is passed and somehow configured on Postgres so that he can have access to db?
I need to do it in order to add some audit: when record is added to table I would like to add information in separate column about which user inserted it (it would be great to do it on :) thanks!
Answer depends on environment. If you work in domain and all your user do (careful on permissions), then it is possible on server side (see https://www.postgresql.org/docs/12/auth-methods.html)
But if not, then the easiest approach is to include information in insert call, or call function which performs insert, but takes user info as an argument.
If your server is on Windows too, the natural thing to do would be to use SSPI (Windows single-sign-on) authentication. For that, use sspi authentication in pg_hba.conf and add SSPI configuration parameters after that.
Related
we are using 2018.3 version of Tableau Server. The server stats like user login, and other stats are getting logged into PostgreSQL DB. and the same being cleared regularly after 1 week.
Is there any API available in Tableau to connect the DB and take backup of data somewhere like HDFS or any place in Linux server.
Kindly let me know if there are any other way other than API as well.
Thanks.
You can enable access to the underlying PostgreSQL repository database with the tsm command. Here is a link to the documentation for your (older) version of Tableau
https://help.tableau.com/v2018.3/server/en-us/cli_data-access.htm#repository-access-enable
It would be good security practice to limit access to only the machines (whitelisted) that need it, create or use an existing read-only account to access the repository, and ideally to disable access when your admin programs are complete (i.e.. enable access, do your query, disable access)
This way you can have any SQL client code you wish query the repository, create a mirror, create reports, run auditing procedures - whatever you like.
Personally, before writing significant custom code, I’d first see if the info you want is already available another way, in one of the built in admin views, via the REST API, or using the public domain LogShark or TabMon systems or with the Addon (for more recent versions of Tableau) the Server Management Add-on, or possibly the new Data Catalog.
I know at least one server admin who somehow clones the whole Postgres repository database periodically so he can analyze stats offline. Not sure what approach he uses to clone. So you have several options.
After reading some tutorials on installing PostgreSQL, I know that I must create a new OS user such as 'PostgreSQL' in the process of installing. However, I don't know the reason and what would happen if I just use my current user account?
The same question on Odoo.
My Account Setting
you have to define a "database owner". Normaly you use SQL on a Server with multible access accounts.
Nothing would happen if you use your own account to install it or define it as DB owned.
You should just recognize some PostgresSQL services running with you local account under der "services" section....
I am working on Mongodb authorization.
I added users and am using mongod --auth while connecting to the database so that only authorized users are able to see the database.
Right now, mongo db can only be able to access throught vpn.
Suppose if a hacker breaks into the server machine, he can close the existing mongod connection(which was running with security using --auth) and can start a new connection without authentication mode after which he can see all the data of the database.
How can we secure database so that everytime it asks for the username/password to be provided.
Or some other ways to prevent this.
Thanks.
If he breaks into the server machine, he won't restart mongo. He would simply copy the mongo database and open it on his own machine, without using mongo at all.
If the attacker has the control of a server running process P1, P2, ... each Pi has to be considered breached, including theirs data.
The exception is strong isolation (i.e. virtual machines) and crypto; if the application crypts all its data with a key whose generation is not fully automated (i.e. a passphrase to be inserted on the startup, a challenge/response the administrator needs to pass during the boot, etc ...) this may prevent the attacker from getting all the bits to decrypt it. Otherwise, if the application is able to encrypt and decrypt without any human help, the attacker is able to do it as well.
Those things do not apply to mongo, that does not have support for stuff like that. Good old SQLs have it but they are not trendy any more ;)
On the specific user: are you afraid they will break into as mongodb or as another user? Because if they get the user foo, they still may have problems in accessing mongodb (data or process) if local permissions are well set. But again, people tend to consider the local privilege escalation (i.e. moving from foo to root and then to mongodb) something that happens when someone breaches. In roughly 100 pentests I managed to get access to a machine, probably just once or twice I could not escalate.
I'm trying out MonjaDB (eclipse plugin) to access a remote sharded MongoDB database, but for every command I try to execute it keep asking the username and password, which makes the plugin baregly useful in this scenario.
The MonjaDB preferences page and connection wizard does not contain any information about how to persist credentials.
Sounds like a connectivity issue where you lose the connection very so often that you need to input your credentials every time you try to run a command. I've never had this issue and have been using MonjaDB for quite some time.
You may try connecting to a database on a different host, or from a different machine to see if you can reproduce this issue.
Alternatively, there are many non-eclipse GUI MongoDB clients for various platforms that you may have to resort to.
I am aware that I have to add the IP addresses of remote hosts in pg_hba.conf file and restart the PostgreSQL server for changes to take effect.
But I would like to get a list of hosts currently allowed for the host-based authentication, directly from the server that is already running.
Similar to how I can get the max_connections setting using show max_connections;, I would hypothetically imagine it to be something like show hosts; or select pg_hosts(); (neither really exists).
Is this possible?
EDIT: I understand exposing the hosts would present a security risk. But how about the psql utility invoked directly in the database server's terminal? Does it have a special command to get the list?
The psql command at the terminal has no permission to get the list. Only the PostgreSQL database does.
The best way to do this (if you really must) is to create a PL/PerlU function which reads the pg_hba.conf and parses it, and returns the information in the way you want it. You could even build a management system for the pg_hba.conf with such functions (reloading the db might get interesting but you could do this with a LISTEN/NOTIFY approach).
Note, however, if you do this, your functions have a security footprint. You would probably want to just revoke permission to run the functions from public, grant access to nobody, and thus require users be superusers in order to run the functions. I would personally avoid exposing such critical information to the db unless there was a compelling reason but I could imagine that there could be cases where it might be helpful on balance. It is certainly dangerous territory however.