Any way to get Proxy User authentication done in PostgreSql?
As from Oracles
https://oracle-base.com/articles/misc/proxy-users-and-connect-through#proxy-user-and-connect-through
Related
I have created role under postgresql using PgAdmin.
CREATE ROLE user_name LOGIN PASSWORD 'xyz';
I'm able to login to server using pgAdmin using above credentials.
But when I try to connect from MSSQL Server (Babelfish) getting an following error:
But when I query using postgres user login I get the role details in babelfish.
SELECT * FROM pg_user;
The (sparse) documentation says:
You can use CREATE LOGIN to create a new Babelfish login with access to all databases. Babelfish logins are implemented as PostgreSQL login roles of the same name.
That could be more explicit, but you have to create the login in a TDS connection, not while you are connected with the PostgreSQL protocol.
I'm trying to get authentication working using kerberos in Windows instead of username and password when connecting to PostgreSQL. Very new to this area and would appreciate any thoughts. In essence what I want to achieve is not having the password in the app configuration. Maybe there are other options apart from using kerberos?
Will the following work?
configure Postgres for SSPI authentication
create a user in Postgres with the same user name as the SPN of the user in the AD
pre-create kerberos authentication tickets (somehow magically) for the created user
connect to postgres using psql with the above user without providing the password
If this is at all possible I'm interested in how to achieve that magical part above ^^^
Thanks.
I have a sonarqube instance running in a Kubernetes cluster, connected to postgres rds database. I'm trying to reset the admin password after Keycloak realm change disabled OIDC authentication and now I cannot log in to the instance. Running version 8.9.7.52159 CE, I followed the docs (https://docs.sonarqube.org/8.9/instance-administration/security/) and reset the password via sql query.
I checked the admin user in the database and user has been updated, But when attempting to login via admin username and admin password I get error authentication failed.
Checking logs of pod I can see following errors after realm change:
Caused by: com.nimbusds.oauth2.sdk.GeneralException: The returned issuer doesn't match the expected: https:/keycloak-realm-url
WARN [o.s.s.a.AuthenticationError] Fail to initialize authentication with provider 'oidc'
I can't login to the instance to modify security settings/realm etc. Any ideas why the password reset for admin user isn't working and how can I resolve. Thanks
I have a user with role rds_iam so IAM DB Auth is required for the user to connect to my Aurora PostgreSQL server (server A). Which works as expected. I have added a role to Server B that has permissions to rds-db:connect to server A. Now I need to update FDW to connect to server A using the IAM-enabled user.
I don't understand what is suppose to be used for password for the following command:
CREATE USER MAPPING IF NOT EXISTS FOR <current user> SERVER <server name>
OPTIONS (USER <username>, PASSWORD <password>);"
Currently, I am getting the following error:
[08001] ERROR: could not connect to server "XXXXXX" Detail: FATAL: PAM authentication failed for user "user-xxxxx"
I suspect because passsword was actually a token that I generated when setting up the user. But tokens expire afte 15 minutes. So how do setup an IAM-user with FDW?
Unless Amazon hacks postgres_fdw to add this capability, I think you would need to write some code that does ALTER USER MAPPING every 15 minutes, or give up on using IAM for this.
I was able to get SCRAM-SHA-256 authentication to work with pgpool, but I haven't been able to find a good example how to set this up in pgbouncer. I'm trying to use auth_query. In postgres, the user that pgbouncer will connect as has the password encrypted and stored in SCRAM-SHA-256. But I don't know how to create the entries in userlist.txt. This is supposed to be the format:
SCRAM-SHA-256$<iterations>:<salt>$<storedkey>:<serverkey>
What exactly are the storedkey and serverkey and how do I generate those? Which tools can I use to create this? In pgpool, I can use pg_enc but I don't see anything for pgbouncer.
You don't construct the SCRAM hashed password yourself, you get it by querying the pg_authid table in the PostgreSQL database:
SELECT rolpassword
FROM pg_authid
WHERE rolname = 'pgbouncer';
However, as the documentation says:
The passwords or secrets stored in the authentication file serve two purposes. First, they are used to verify the passwords of incoming client connections, if a password-based authentication method is configured. Second, they are used as the passwords for outgoing connections to the backend server, if the backend server requires password-based authentication (unless the password is specified directly in the database's connection string). The latter works if the password is stored in plain text or MD5-hashed. SCRAM secrets can only be used for logging into a server if the client authentication also uses SCRAM, the PgBouncer database definition does not specify a user name, and the SCRAM secrets are identical in PgBouncer and the PostgreSQL server (same salt and iterations, not merely the same password). This is due to an inherent security property of SCRAM: The stored SCRAM secret cannot by itself be used for deriving login credentials.
So if that user is used as auth_user, you cannot use a SCRAM hashed password for that user, but you have to use the clear text password.