In order to execute a query on a local PostgreSQL database (v10.14; Amazon RDS) that fetches data from a remote database, also PostgreSQL (RDS), we're using the foreign data wrapper (FDW) postgres_fdw server and user mapping. Currently the user mapping contains user/password credentials for the remote RDS, stored with the user mapping in the local RDS. To become more secure we would like to get rid of the stored credentials.
One way of doing so that we could imagine is using the IAM role of the local RDS to connect to the remote RDS. The question is, is that possible with postgres_fdw, are there maybe other FDWs with the same feature set as postgres_fdw and allow IAM authentication?
Are there other ways to set up an FDW like this without storing the credentials inside the local RDS?
Related
So, I've been looking around for more details, but can't find it.
I have a AWS RDS Postgresql cluster. In the typical sense, when I want to add a login to my database, I use the
create user xxxx with password 'yyy'
then I grant that user access to the tables and other rights.
Now, I tried to add another user with secrets manager linked to this RDS database.
I'm not sure what to do next....should that new user I only created in secrets, appear in the login for the database, because I don't see it? How would we grant access to the tables and other things for that user?
hoping for some help as I am very new to postgresql admin!
I have 2 servers added to pgadmin, server 1 is a hosted db on Heroku the other is local to the server
I want to add the Heroku db as foreign tables to the local db
can I link these 2 servers? as so far I have failed
I have the fdw extension setup locally, and I am able to use it across three local dbs ok, do I need the extension also setup on the Heroku db?
I have setup the fdw server as
host localhost --- should this be the Heroku host path? or is this ok since I have added - --server local? I get fsrvoption error if I add actual host path
dbname dbname
port 5432
and then setup user
user username
password password
any help appreciated!
mal
You don't have to set up anything on the remote server to access it via foreign data wrapper; the foreign data wrapper will access the remote database as a regular database client.
Once you hace set up postgres_fdw correctly, you can use it to access tables on the remote server just as if they were local tables. A foreign table is a bit like a view in some respects.
Maybe it helps to understand the objects involved:
The foreign data wrapper encapsulates the code to access the remote data source (PostgreSQL client).
The foreign server wraps the connect string for the remote database.
The user mapping contains the credentials for a user to access the foreign server.
The foreign table describes a table on the remote server.
You can use the command IMPORT FOREIGN SCHEMA to automatically define foreign tables for all (or part) of the tables in a schema on the remote server.
Once the foreign tables are defined correctly, you can use them in SQL statements just like local tables, but you will actually read and write data on the remote server.
After some debugging, the problem turned out to be this:
Creating the foreign server using pgAdmin caused a strange error with fsrvoption (running CREATE SERVER via the query tool worked).
Creating the foreign server with localhost rather than the correct server address unsurprisingly gave the error that the database doesn't exist.
I would like to connect to a hosted remote mySQL DB (mariadb 10.1.39). I use the available fusionauth docker images (app and search) from docker hub and the published docker compose file. The db hosting provider does not grant superuser credentials. The assigned user rights should be sufficient to maintain the tables of the schema. Unfortunately, using the docker container mysql superuser credentials seems to be mandatory.
I imported the DB dump of a local (dockerized) mariadb (10.1.40) to the remote db. Username and schema name are the same local and remote. I tried not to provide DATABASE_ROOT_USER with the docker-compose yaml, but this approach ends in maintenance mode.
Is there an approach to connect to a remote mysql db without superuser credentials?
We will be enhancing our automated setup to better support external db service providers. See https://github.com/FusionAuth/fusionauth-issues/issues/95
Your current option is to create the schema manually. https://fusionauth.io/docs/v1/tech/installation-guide/fusionauth-app#advanced-installation
You may also try to use your user credentials in the superuser fields, it may work.
Superuser permission is required to create a geodatabase in PostgreSQL.
However, in AWS RDS instance we are receiving:
rds_superuser permission and rds_superuser is not superuser.
Is there a way to enable geodatabase in AWS RDS PostgreSQL with rds_superuser permission?
You need to create the database and the sde login manually using e.g. pgAdmin, and grant the rds_superuser group role to the sde login. Also create a schema named sde in your database, and make the sde login the owner of that schema.
Then you can create a .sde database connection in ArcCatalog using the sde login and, importantly, the *.rds.amazonaws.com hostname. Finally you can run the Enable Enterprise Geodatabase using this connection as your input.
This only works if you connect to the database using the *.rds.amazonaws.com hostname. Apparently, ESRI uses the hostname to determine if the database in question is an RDS server.
Once you've enabled the geodatabase you can connect to it with .sde connections using other dns aliases as well.
Refer to the ESRI documentation for further details: http://server.arcgis.com/en/server/latest/cloud/amazon/create-geodatabase-in-amazon-rds-for-postgresql.htm
I have the following code which connects to a database on my remote server (the connection script resides on the same server):
Database::$ErrorHandle = new PDO('pgsql:host=111.222.33.44;dbname=mydatabase;', 'postgres', 'mypassword', $db_settings);
The problem is I can change the password to be anything at all and the connection is still made! Like seriously what the hell!?!
Can my database be connected to (providing you know the IP and db name) by anyone from a PHP script running on a different server?
How can I enforce passwords, I have looked at the following stack overflow page and did what they said but still no luck:
How to change PostgreSQL user password?
I am running Ubuntu 12.04 server with PHP 5.5 and Apache2
Off course your postgresql database can be properly configured to only connect with authenticated users even certain users (Roles in Postgres) from certain IPs/sockets.
Some considerations:
Do you see data? Or can you just connect to the server? Can you list the databases?
Look at your pg_hba.conf and setup the proper permissions, per role per database per source
Did you grant access to the mydatabase to everyone? Which roles did you grant access?
Does the database have its tables in the public scheme? And granted access to the public?
Yes, with this configuration everyone who knows your IP and database name can connect to your database.