If I create a user logged in as postgres to the root db and create a user... it doesn't work. What am I doing wrong?
postgres=> CREATE ROLE myUser WITH LOGIN PASSWORD 'xxx';
CREATE ROLE
postgres=> GRANT CONNECT ON DATABASE myDatabase TO myUser;
GRANT
postgres=> GRANT USAGE ON SCHEMA public to myUser;
GRANT
postgres=> GRANT SELECT ON ALL TABLES IN SCHEMA public TO myUser;
GRANT
When I go to authenticate I get an error.
psql -h $dbURL -U myUser myDatabase
FATAL: password authentication failed for user myUser
The user you created is "myuser", because case is ignored for SQL identifiers not within double quotes, and folded to lower case. But case is not ignored in command-line tools, so you are trying to log in as non-existent user "myUser". Since non-existent users don't have a password hash, password authentication must fail.
You might want to check if you have a .pgpass file present and inspect the environment variables to see if you have set a PGPASSWORD or PGPASSFILE. In any of these cases, psql will not prompt for the password and take it from the file or variable instead - and if what's there is incorrect, it will give you that exact error.
You can
unset the PGPASSWORD or PGPASSFILE variable
get rid of the .pgpass file
remove the entry corresponding to this connection from .pgpass file
correct the value of PGPASSFILE/PGPASSWORD variable or the contents of .pgpass file
use psql with a -W switch making it ignore other settings and always prompt for a password
alter the host-based authentication settings in pg_hba.conf file to change the authentication method or trust a certain type of connection
Related
I set up postgres according to the instructions for Windows 10 but every time I try to run psql it asks for a non superuser password which I haven't created. How do I make it ask for the superuser without using psql -U postgres command every time? Or how can I set/change a password for a non superuser? I've tried using ALTER ROLE to change the password but get role [username] does not exist as an error message.
By default, psql tries to use your OS username as a database username. Presumably this role hasn't been created in your database, hence the "does not exist" error.
You can override this default by setting the PGUSER environment variable.
I am launching postgres conatainer by placing sql script in docker-initdb. Everything is running fine. But can someone tell what's the password of my database created with below script?
CREATE DATABASE mydb;
CREATE USER mydbadmin WITH ENCRYPTED PASSWORD 'mypwd';
ALTER DATABASE mydb owner to mydbadmin;
GRANT ALL PRIVILEGES ON DATABASE mydb TO mydbadmin;
GRANT CONNECT ON DATABASE mydb to mydbadmin;
I am not providing any explicit password for DB. What would be default password in this case?
How can I provide my explicit password?
A database cannot have a password.
Only roles (users) can authenticate with the PostgreSQL server, so only they can have a password.
Database has no password, users have passwords. There is no "default password" (i guess that means new users would have pre-set password)
User mydbadmin has the password you have set. Other users will have the password you set when you CREATE USER
Make sure you have necessary settings in pg_hba.conf
Is it possible to create a user in PostgreSQL without providing the plain text password (ideally, I would like to be able to create a user providing only its password crypted with sha-256) ?
What I would like to do is to create a user with something like that :
CREATE USER "martin" WITH PASSWORD '$6$kH3l2bj8iT$KKrTAKDF4OoE7w.oy(...)BPwcTBN/V42hqE.';
Is there some way to do that ?
Thank you for your help.
You may provide the password already hashed with md5, as said in the doc (CREATE ROLE):
ENCRYPTED UNENCRYPTED These key words control whether the password is
stored encrypted in the system catalogs. (If neither is specified, the
default behavior is determined by the configuration parameter
password_encryption.) If the presented password string is already in
MD5-encrypted format, then it is stored encrypted as-is, regardless of
whether ENCRYPTED or UNENCRYPTED is specified (since the system cannot
decrypt the specified encrypted password string). This allows
reloading of encrypted passwords during dump/restore.
The information that's missing here is that the MD5-encrypted string should be the password concatened with the username, plus md5 at the beginning.
So for example to create u0 with the password foobar, knowing that md5('foobaru0') is ac4bbe016b808c3c0b816981f240dcae:
CREATE USER u0 PASSWORD 'md5ac4bbe016b808c3c0b816981f240dcae';
and then u0 will be able to log in by typing foobar as the password.
I don't think that there's currently a way to use SHA-256 instead of md5 for PostgreSQL passwords.
I'm not aware of a way to override the default md5 encryption of passwords, but if you have a ROLE (aka "USER") that has an already md5-encrypted password it appears that you can supply that. Verify this using pg_dumpall -g (to see the globals from the cluster)
Eg.
psql postgres
create role foo with encrypted password foobar;
\q
-- View the role from pg_dumpall -g
pg_dumpall -g | grep foo
CREATE ROLE foo;
ALTER ROLE foo WITH NOSUPERUSER INHERIT NOCREATEROLE NOCREATEDB NOLOGIN NOREPLICATION PASSWORD 'md5c98cbfeb6a347a47eb8e96cfb4c4b890';
Or get it from:
select * from pg_catalog.pg_shadow;
-- create the role again with the already-encrypted password
psql postgres
drop role foo;
CREATE ROLE foo;
ALTER ROLE foo WITH NOSUPERUSER INHERIT NOCREATEROLE NOCREATEDB NOLOGIN NOREPLICATION PASSWORD 'md5c98cbfeb6a347a47eb8e96cfb4c4b890';
\q
-- view the ROLE with the same password
pg_dumpall -g | grep foo
CREATE ROLE foo;
ALTER ROLE foo WITH NOSUPERUSER INHERIT NOCREATEROLE NOCREATEDB NOLOGIN NOREPLICATION PASSWORD 'md5c98cbfeb6a347a47eb8e96cfb4c4b890';
Docs for CREATE ROLE
At least from version 10.10, it's possible to use SCRAM-SHA-256 as well.
CREATE USER user_name
WITH PASSWORD 'SCRAM-SHA-256$4096:UunGvPETiX/JNGBvjOgW9A==$CPGNh7/MRfs0ispH9/HSJajOI8Uhp+UCRo/b/ToXIEY=:L6NzxQ3XUeWEeRa+oiuajC9Vgl7wk6ZpHAHl+pv4m00=';
GRANT CONNECT ON DATABASE database_name TO user_name;
(It's important not to forget to GRANT privileges to the new user)
If you want SCRAM to be used by default, you can set the password_cryptography to SCRAM-SHA-256:
ALTER SYSTEM SET password_encryption = 'scram-sha-256';
SELECT pg_reload_conf();
I know it's possible to set the passwords also avoiding SQL statements, this link to the documentation should help. Maybe, this is a bit less verbose.
Anyway, md5 should be avoided when possible, SCRAM is a more robust way to store passwords.
In case you cannot find a way to create the SCRAM string accepted by Postgres, you can let it crate one for you with the following code.
Remember to set the password_encryption to SCRAM
ALTER SYSTEM SET password_encryption = 'scram-sha-256';
SELECT pg_reload_conf();
This cannot be run in a transaction block. If for instance, you're using migration files, you probably have to create two different files just ofr those two commands.
Create a user with the password you need to encode.
CREATE USER tmp_user_to_create_a_password
WITH PASSWORD 'your_password';
Read the password with SCRAM encryption.
SELECT rolpassword
FROM pg_catalog.pg_authid
WHERE rolname='tmp_user_to_create_a_password';
Drop the user
DROP USER IF EXISTS tmp_user_to_create_a_password;
Now you can create your user without using plain text.
CREATE USER user_name
WITH PASSWORD 'SCRAM-SHA-256$4096:3Lctb6GmH15cSO4bjcDsXg==$BSuI1c10J+NZ/Wmx4hwP4TvpdKEO9rl2hekZ8/DVuyA=:j8G9NJ30Xbz3Za2mjXF/j6O3DJbWyqvX886haFe4aCs=';
GRANT CONNECT ON DATABASE database_name TO user_name;
You can now use 'user_name' and 'your_password' to log-in.
Much easier way to to this is:
CREATE USER u0 PASSWORD 'foobar';
select * from pg_catalog.pg_shadow;
Gives passwd: md5ac4bbe016b808c3c0b816981f240dcae
I'm attempting to add a new user "svcUatOlapEdw" to an existing RHEL 7 server running PSQL 9.4.
Using inet authentication (after su - postgres) and working from a PSQL prompt as follows:
-bash-4.2$ psql
psql (9.4.6)
Type "help" for help.
postgres=#
The commands I successfully executed were:
CREATE USER svcUatOlapEdw
GRANT readonly to svcUatOlapEdw
However, when attempting to connect from a client, I'm getting:
-bash-4.1$ psql -h myserver -d postgres -U svcUatOlapEdw -W
Password for user svcUatOlapEdw:
psql: FATAL: role "svcUatOlapEdw" does not exist
I'm not sure what I'm doing wrong here - any help would be appreciated.
Additionally, I also tried:
CREATE ROLE svcUatOlapEdw
which didn't resolve the issue either.
Thanks
Unquoted identifiers are folded to lower case in Postgres. So CREATE USER svcUatOlapEdw creates a user with the name svcuatolapedw. Any identifier you pass through SQL statements is also folded to lower case, that's why GRANT readonly to svcUatOlapEdw works (it's executed as GRANT readonly to svcuatolapedw).
However, psql passes the user name "as-is" and tries to log on with a user named "svcUatOlapEdw". You need to pass the username in lower case:
psql -h myserver -d postgres -U svcuatolapedw -W
Edit
If you want to create a user with upper/lower case name you have to use a quoted identifier:
CREATE USER "svcUatOlapEdw";
GRANT readonly to "svcUatOlapEdw";
sudo -u postgres psql
CREATE ROLE read_only_user WITH LOGIN PASSWORD 'StrongPass123123123' NOSUPERUSER INHERIT NOCREATEDB NOCREATEROLE NOREPLICATION VALID UNTIL 'infinity';
GRANT CONNECT ON DATABASE "yourdatabase" TO read_only_user;
GRANT USAGE ON SCHEMA public TO read_only_user;
GRANT SELECT ON ALL TABLES IN SCHEMA public TO read_only_user;
GRANT SELECT ON ALL SEQUENCES IN SCHEMA public TO read_only_user;
It works on Psql 14, Ubuntu 18
I recently created a test database but I would like it to be accessible to all users.
I created the database as user postgres then use the command
GRANT ALL ON DATABASE dbname TO public;
But when I log out and try to connect to it with a different user I get this error
psql -d dbname
psql: FATAL: role "username" does not exist
I don't want to have to create a user for each person who will be accessing the database which is the reason i wanted to make it public. Is there a permission that I am still missing?
Although access to everybody (public) is granted, the user you connect with has to exist. The default for psql is the username of your system account. You can, of course, create a passwordless anonymous user everybody can use to connect:
psql -U anonymous dbname