I have a PostgreSQL database. I have a library that accesses said database. I have test code to test that library.
Previously everything worked fine, but this morning my test logs have errors like this:
ERROR: permission denied for table configuration
In an attempt to narrow down the problem I created a script to recreate the database and all permissions from scratch. It is based upon countless similar scripts I have used previously. It starts like this:
DROP DATABASE boards_db;
DROP OWNED BY test_user;
DROP USER test_user;
CREATE USER test_user WITH PASSWORD 'testing';
CREATE DATABASE boards_db WITH ENCODING='UTF8' OWNER = test_user;
\c boards_db
GRANT ALL PRIVILEGES ON DATABASE boards_db to test_user;
ALTER DEFAULT PRIVILEGES GRANT ALL ON TABLES TO test_user;
ALTER DEFAULT PRIVILEGES GRANT ALL ON SEQUENCES TO test_user;
CREATE TABLE IF NOT EXISTS sessions (
user_id INTEGER PRIMARY KEY,
admin BOOLEAN NOT NULL,
session_id TEXT
);
In trying to debug this issue I foolishly meddled with the pg_hba.conf file. It now looks as below, and I can now log on as the test user (or other users) without specifying a hostname, thanks to the line "local all all md5" that I added
# Database administrative login by Unix domain socket
local all postgres peer
# TYPE DATABASE USER ADDRESS METHOD
# "local" is for Unix domain socket connections only
local all all md5
local all all peer
# IPv4 local connections:
host all all 127.0.0.1/32 md5
# IPv6 local connections:
host all all ::1/128 md5
# Allow replication connections from localhost, by a user with the
# replication privilege.
local replication all peer
host replication all 127.0.0.1/32 md5
host replication all ::1/128 md5
However, I STILL cannot actually do anything with any of the tables in the database.
$ psql -W -U test_user -d boards_db
Password:
psql (12.9 (Ubuntu 12.9-0ubuntu0.20.04.1))
Type "help" for help.
boards_db=> select * from sessions;
ERROR: permission denied for table sessions
The trick of setting default privileges before creating all the tables etc. has worked before in a multitude of database. Why doesn't it work here? Why can test_user not access the tables?
Related
I'm trying to configure my PostgreSql database ("mydb") in order to give login rights to the windows "LocalSystem" account.
I've created a user in my database named LocalSystem
SQL> CREATE USER LocalSystem;
Then, I've tried using SSPI config in pg_hba.conf, but maybe I've misconfigured the configuration line:
# TYPE DATABASE USER ADDRESS METHOD
host mydb LocalSystem 127.0.0.1/32 sspi
When I run a command using psql, I'm asked to provide a password...which i didn't expect..
EDIT:
I've also tried to map my domain account to a postgres user, using
pg_ident.conf
#MAPNAME SYSTEM-USERNAME PG-USERNAME
postgresname domain\username postgresname
pg_hba.conf
# TYPE DATABASE USER ADDRESS METHOD
host mydb postgresname 127.0.0.1/32 sspi
Does someone know what should I do?
Thanks
It asks for the password of the Postgres account, not the Windows account. you can set the Postgres password through ALTER ROLE or in psql using the \password command
You need to add new mapping line to pg_ident.conf:
anyMappingName "SYSTEM#NT AUTHORITY" postgresUserName
Add this mapping to all active lines in pg_hba.conf:
host mydb all 127.0.0.1/32 sspi map=anyMappingName
Then you should connect to postgres db as postgresUserName user. I mean you should define Username in your connection string, and also define IntegratedSecurity as TRUE.
For example, postgresUserName can be "LocalSystem" user, that you created in postgres db earlier, or superuser "postgres".
I can't seem to access my superuser account for my posgresQL database.
Using the command:
psql -U postgres
I sucessfully login into the user 'postgres'. However, this is not the default superuser. Doing:
=# \du
I get:
List of roles
Role name | Attributes | Member of
-----------+-------------------------------------+-----------
pgsql | Superuser, Create DB | {}
postgres | Create role, Create DB, Replication | {}
So 'pgsql' appears to be my default superuser.
When trying:
psql -U pgsql
I get the following error:
psql: FATAL: database "pgsql" does not exist
I changed the pg_hba.conf file to the following:
# Database administrative login by Unix domain socket
local all all trust
and also tried:
# Database administrative login by Unix domain socket
local all pgsql trust
but I still get the same error regardless, that database 'pgsql' does not exist.
Any help would be greatly appreciated, I need to be able to access the database's superuser.
just define database:
psql -U pgsql -d postgres
if you get error that postgres database does not exist, connect as postgres and list databases with \l
I have a certain schema in a PG database that contains some very sensitive data. I'd like to prevent access to it for every role except one, but I can't figure it out from the documentation on permissions.
To begin with, I figured I'd only give CONNECT access to that one special role, but then every other role can connect to the schema. To make things worse, every role can also CREATE, DROP, and do everything else.
What have I missed?
Side question: in time, this schema will be a streaming destination from another instance of postgresql. In short, we have a master db server that supports a live web site, and we need a secondary, read-only copy of it on another machine to perform some computationally intensive queries on. We figured that streaming was the answer. Does this make sense? Is it still possible to protect access to it?
We are using version 9.5, in case this is relevant.
You can edit the file /etc/postgresql/9.5/main/pg_hba.conf and put this content:
# Database administrative login by Unix domain socket
local all postgres peer
# TYPE DATABASE USER ADDRESS METHOD
# IPv4 local connections:
host all YOUR_USER [USER_IP]/32 md5
It will allow connections with a password for this specific user from this specific LAN/WAN IP.
Only this user and postgres will be allowed.
in time, this database will be a streaming destination from another instance of postgresql.
When this database becomes a replication master you can add the following to the same file:
# Allow replication connections from localhost, by a user with the
# replication privilege.
host replication REPL_USER [REPL_HOST]/32 md5
More info on how to set up the replication here: https://www.gab.lc/articles/replication_postgresql
After the changes you need to reload PostgreSQL with:
service postgresql reload
You can drop the roles you don't want to allow.
Update:
If you wish to revoke privileges with a query you can run:
-- Grant privileges to whitelisted user:
GRANT ALL PRIVILEGES ON [database name] TO [good_user];
-- Revoke privileges for other users:
REVOKE ALL PRIVILEGES ON [database name] FROM [bad_user];
I'm using PostgreSQL on Cloude9. I'm trying to run a nodejs program which creates a schema in a database and then creates some tables in the schema. Here is what I'm trying to do and the error I get:
CREATE SCHEMA IF NOT EXISTS salesforce;
CREATE TABLE IF NOT EXISTS salesforce.contact (
id BIGSERIAL,
firstName TEXT,
lastName TEXT,
email TEXT,
mobilePhone TEXT,
leadsource TEXT,
accountid TEXT,
pictureURL__c TEXT,
preference__c TEXT,
size__c TEXT,
loyaltyid__c TEXT,
password__c TEXT,
createddate timestamp
);
Error initializing Postgres tables initialized
{ [Error: permission denied for schema salesforce]
severity: 'ERROR',
code: '42501',
file: 'aclchk.c',
line: '3371',
routine: 'aclcheck_error' }
the PostgreSQL is running under user postgresql, I'm running under user ubuntu, but I granted all privileges on the database to user ubuntu.
I also edited the pg_hba.conf file to:
local all postgres peer
# TYPE DATABASE USER ADDRESS METHOD
# "local" is for Unix domain socket connections only
local all all peer
# IPv4 local connections:
host all all 127.0.0.1/32 trust
# IPv6 local connections:
host all all ::1/128 md5
what am I doing wrong?
Thanks,
Nir.
started all from scratch and after creating a role with superuser and login options, it worked fine.
I'm pretty new to PostreSQL. I've spent all morning trying to get user logins working properly, and I'm terribly frustrated by now!
So, I have a PostGIS database, version 9.2, as part of the OpenGeo suite of software. I could access the database with the postgres user, but want to make a group role and user with access to a database so that it can create tables and update/select/delete etc. in that database.
I can create a user, that works, and I can login with that user. I can create a group role and assign privileges to the role. I can then add the user to the group role, and then can NO LONGER LOGIN!
It even got so that when I added the user postgres to the group, that user can't login. I remove the group but the inability to login persists.
Now, I have played with pg_hba.conf a lot. And I can now login as postgres, but only if 'trust' is enabled, and I can't login with any software, such as PGAdminIII.
It would be great to get some advice as to what is going wrong, and to enable authenticated logins again.
pg_hba:
Code:
# Database administrative login by Unix domain socket
local all postgres trust
local all gisadmin trust
# TYPE DATABASE USER ADDRESS METHOD
local all opengeo md5
local all opengeo md5
# "local" is for Unix domain socket connections only
local all all md5
# IPv4 local connections:
host all all 127.0.0.1/32 md5
host all gisadmin localhost trust
# IPv6 local connections:
host all all ::1/128 md5
# Allow replication connections from localhost, by a user with the
# replication privilege.
#local replication postgres peer
#host replication postgres 127.0.0.1/32 md5
#host replication postgres ::1/128 md5
Just as a final note, I would like to be able to login via a SSH tunnel. I could do that originally with the 'postgres' user, but now that I added and removed that user from a group, I can't.
Edit: the error messages...
If I login via SSH tunnel in PGAdmin with the correct password, I get the error "FATAL: password authentication failed for the user ..."
If I try to login via SSH tunnel in PGAdmin without a password, while the trust option is set, I get the error: "error connecting to the server: fe_sendauth: no password supplied".
The first error still happens when logging in locally, just via SSH and psql, but the second one goes away and I can log in.
output of \du+:
output of \dg+
I think this behaviour may be related with pgAdminIII, because i'm having similar issues and it seems every time i connect to my db as postgres using pgAIII and look at the definition tab in user properties, the check box for the "expiring date" is checked and either 1/1/1970 or 31/12/1969 are set as expiring date. The solution proposed by Daniel works, so it's obvious the problem is the expiration of the password.
Seems that this bug was corrected in pgAdmin 1.16.2 as you can see in the changelog:
http://www.pgadmin.org/development/changelog.php
Cheers
In the \du+ output, the Password valid until 1970-01-01 00:00:00+00... look quite suspicious. Strictly speaking, the passwords for gisadmin, postgisrw and postgres are no longer valid so that might explain why password-based authentication methods fail for these accounts.
You may try ALTER USER username valid until 'infinity' on these accounts and see if that solves the problem.
Also when connecting to PG through a SSH tunnel, be aware that the pg_hba.conf entries starting with host are ignored. These entries are only considered for connections to Unix domain sockets. Sometimes users confuse that with connections from localhost to itself.