Authenticate users in Postgres using kerberos without a password - postgresql

I'm trying to get authentication working using kerberos in Windows instead of username and password when connecting to PostgreSQL. Very new to this area and would appreciate any thoughts. In essence what I want to achieve is not having the password in the app configuration. Maybe there are other options apart from using kerberos?
Will the following work?
configure Postgres for SSPI authentication
create a user in Postgres with the same user name as the SPN of the user in the AD
pre-create kerberos authentication tickets (somehow magically) for the created user
connect to postgres using psql with the above user without providing the password
If this is at all possible I'm interested in how to achieve that magical part above ^^^
Thanks.

Related

"User_name" is not a babelfish user

I have created role under postgresql using PgAdmin.
CREATE ROLE user_name LOGIN PASSWORD 'xyz';
I'm able to login to server using pgAdmin using above credentials.
But when I try to connect from MSSQL Server (Babelfish) getting an following error:
But when I query using postgres user login I get the role details in babelfish.
SELECT * FROM pg_user;
The (sparse) documentation says:
You can use CREATE LOGIN to create a new Babelfish login with access to all databases. Babelfish logins are implemented as PostgreSQL login roles of the same name.
That could be more explicit, but you have to create the login in a TDS connection, not while you are connected with the PostgreSQL protocol.

After resetting the sonarqube admin password, I am still unable to login as admin despited password being updated in the database

I have a sonarqube instance running in a Kubernetes cluster, connected to postgres rds database. I'm trying to reset the admin password after Keycloak realm change disabled OIDC authentication and now I cannot log in to the instance. Running version 8.9.7.52159 CE, I followed the docs (https://docs.sonarqube.org/8.9/instance-administration/security/) and reset the password via sql query.
I checked the admin user in the database and user has been updated, But when attempting to login via admin username and admin password I get error authentication failed.
Checking logs of pod I can see following errors after realm change:
Caused by: com.nimbusds.oauth2.sdk.GeneralException: The returned issuer doesn't match the expected: https:/keycloak-realm-url
WARN [o.s.s.a.AuthenticationError] Fail to initialize authentication with provider 'oidc'
I can't login to the instance to modify security settings/realm etc. Any ideas why the password reset for admin user isn't working and how can I resolve. Thanks

FDW with an IAM DB Auth user

I have a user with role rds_iam so IAM DB Auth is required for the user to connect to my Aurora PostgreSQL server (server A). Which works as expected. I have added a role to Server B that has permissions to rds-db:connect to server A. Now I need to update FDW to connect to server A using the IAM-enabled user.
I don't understand what is suppose to be used for password for the following command:
CREATE USER MAPPING IF NOT EXISTS FOR <current user> SERVER <server name>
OPTIONS (USER <username>, PASSWORD <password>);"
Currently, I am getting the following error:
[08001] ERROR: could not connect to server "XXXXXX" Detail: FATAL: PAM authentication failed for user "user-xxxxx"
I suspect because passsword was actually a token that I generated when setting up the user. But tokens expire afte 15 minutes. So how do setup an IAM-user with FDW?
Unless Amazon hacks postgres_fdw to add this capability, I think you would need to write some code that does ALTER USER MAPPING every 15 minutes, or give up on using IAM for this.

Postgres Proxy User authentication

Any way to get Proxy User authentication done in PostgreSql?
As from Oracles
https://oracle-base.com/articles/misc/proxy-users-and-connect-through#proxy-user-and-connect-through

Postgres accepts any password

I have the following code which connects to a database on my remote server (the connection script resides on the same server):
Database::$ErrorHandle = new PDO('pgsql:host=111.222.33.44;dbname=mydatabase;', 'postgres', 'mypassword', $db_settings);
The problem is I can change the password to be anything at all and the connection is still made! Like seriously what the hell!?!
Can my database be connected to (providing you know the IP and db name) by anyone from a PHP script running on a different server?
How can I enforce passwords, I have looked at the following stack overflow page and did what they said but still no luck:
How to change PostgreSQL user password?
I am running Ubuntu 12.04 server with PHP 5.5 and Apache2
Off course your postgresql database can be properly configured to only connect with authenticated users even certain users (Roles in Postgres) from certain IPs/sockets.
Some considerations:
Do you see data? Or can you just connect to the server? Can you list the databases?
Look at your pg_hba.conf and setup the proper permissions, per role per database per source
Did you grant access to the mydatabase to everyone? Which roles did you grant access?
Does the database have its tables in the public scheme? And granted access to the public?
Yes, with this configuration everyone who knows your IP and database name can connect to your database.