How does user authentication work in Postgresql - postgresql

How exactly do users/roles work in Postgresql for access control and how are they different from users providing access control in the OS.
When installing Postgresql I can see that the user postgres is created as seen in /etc/passwd.
I can use psql through sudo and see the users/roles in Postgres.
$ sudo -u postgres psql
postgres=# \du
List of roles
Role name | Attributes | Member of
-----------+------------------------------------------------+-----------
postgres | Superuser, Create role, Create DB, Replication | {}
This indicates that a role named postgres exists but attempts to use it instead of using sudo fail.
$ psql -U postgres
psql: FATAL: Peer authentication failed for user "postgres"
Why, and what is the connection between the postgres user in /etc/passwd and the postgres role that is printed by \du

The connection between the "postgres" OS user and the "postgres" role is:
They are spelled the same
If you don't specify -U option to psql, it defaults to using the operating system user name as the role name, which might be "postgres" if that is your OS user.
If you specify "peer" authorization in pg_hba.conf, which you seem to have done, then you have to be that os user to log in as that role. If you don't want that rule, change it to something else, like trust, md5, etc.

Related

Can't access psql due to authentication fail

I'm trying a tutorial for django that it uses postgresql but I have some issues in setting up the DB. I did change postgres password using sudo passwd postgres and I can login to postgres account using su postgres or sudo su - postgres but after that I can't access the postgres prompt with pqsl. It gives me the following error:
psql: FATAL: password authentication failed for user "postgres"
I've changed the pg_hba.conf file too (from peer to md5) but it didn't change anything.
I've never worked with postgresql and this is my first time using it so if you need any other information please ask me.
sudo passwd postgres is for the system user postgres which is why you can su to system user postgres shell. When you are doing psql -U postgres you are logging in as database user postgres. That is a different account. It is convention that the system user the Postgres server runs as is generally called postgres. Also by convention the Postgres server database 'root/superuser' is the name of the user that the server runs as, so again generally postgres. If you want to log in as postgres user to server using password you will need to create a password for the database user postgres. To do that I would see if in pg_hba.conf the local (not localhost) line is set to trust. If not set it to that and and do:
psql -U postgres -d postgres
Do not specify a -h. This will connect you via a local socket. Then you can :
https://www.postgresql.org/docs/12/sql-alteruser.html
ALTER USER postgres WITH PASSWORD 'your_password'
This will create a password for postgres user.
FYI, you don't have to log into system user postgres account to work as postgres user in database. All you have to do is specify -U postgres to any of the Postgres client programs, psql, pg_dump, etc. This also means you can work as postgres database user on remote servers.

Postgres `createuser` command not working [duplicate]

I'm trying to set up Postgres for the first time, and I need to create a user with permissions to read and create databases. However, when I use:
createuser username
in my terminal I get the following message:
createuser: could not connect to database postgres: FATAL: role "tom" does not exist
Tom is my Ubuntu user account that I'm logged into right now. I'm trying to create a username of "postgres" then do a psql -U psql template1 so I can create a database and assign an owner to it for my Rails app.
You mentioned Ubuntu so I'm going to guess you installed the PostgreSQL packages from Ubuntu through apt.
If so, the postgres PostgreSQL user account already exists and is configured to be accessible via peer authentication for unix sockets in pg_hba.conf. You get to it by running commands as the postgres unix user, eg:
sudo -u postgres createuser owning_user
sudo -u postgres createdb -O owning_user dbname
This is all in the Ubuntu PostgreSQL documentation that's the first Google hit for "Ubuntu PostgreSQL" and is covered in numerous Stack Overflow questions.
(You've made this question a lot harder to answer by omitting details like the OS and version you're on, how you installed PostgreSQL, etc.)
See git gist with instructions here
Run this:
sudo -u postgres psql
OR
psql -U postgres
in your terminal to get into postgres
NB: If you're on a Mac and both of the commands above failed jump to the section about Mac below
postgres=#
Run
CREATE USER new_username;
Note: Replace new_username with the user you want to create, in your case that will be tom.
postgres=# CREATE USER new_username;
CREATE ROLE
Since you want that user to be able to create a DB, you need to alter the role to superuser
postgres=# ALTER USER new_username SUPERUSER CREATEDB;
ALTER ROLE
To confirm, everything was successful,
postgres=# \du
List of roles
Role name | Attributes | Member of
-----------+------------------------------------------------+-----------
new_username | Superuser, Create DB | {}
postgres | Superuser, Create role, Create DB, Replication | {}
root | Superuser, Create role, Create DB | {}
postgres=#
Update/Modification (For Mac):
I recently encountered a similar error on my Mac:
psql: FATAL: role "postgres" does not exist
This was because my installation was setup with a database superuser whose role name is the same as your login (short) name.
But some linux scripts assume the superuser has the traditional role name of postgres
How did I resolve this?
If you installed with homebrew run:
/usr/local/opt/postgres/bin/createuser -s postgres
If you're using a specific version of postgres, say 10.5 then run:
/usr/local/Cellar/postgresql/10.5/bin/createuser -s postgres
OR:
/usr/local/Cellar/postgresql/10.5/bin/createuser -s new_username
OR:
/usr/local/opt/postgresql#11/bin/createuser -s postgres
If you installed with postgres.app for Mac run:
/Applications/Postgres.app/Contents/Versions/10.5/bin/createuser -s postgres
P.S: replace 10.5 with your PostgreSQL version
sudo -u postgres createuser -s tom
this should help you as this will happen if the administrator has not created a PostgreSQL user account for you. It could also be that you were assigned a PostgreSQL user name that is different from your operating system user name, in that case you need to use the -U switch.
Your error is posted in the official documentation. You can read this article.
I have copied the reason for you (and hyperlinked the URLs) from that article:
This will happen if the administrator has not created a PostgreSQL user account for you. (PostgreSQL user accounts are distinct from operating system user accounts.) If you are the administrator, see Chapter 20 for help creating accounts. You will need to become the operating system user under which PostgreSQL was installed (usually postgres) to create the first user account. It could also be that you were assigned a PostgreSQL user name that is different from your operating system user name; in that case you need to use the -U switch or set the PGUSER environment variable to specify your PostgreSQL user name
For your purposes, you can do:
1) Create a PostgreSQL user account:
sudo -u postgres createuser tom -d -P
(the -P option to set a password; the -d option for allowing the creation of database for your username 'tom'. Note that 'tom' is your operating system username. That way, you can execute PostgreSQL commands without sudoing.)
2) Now you should be able to execute createdb and other PostgreSQL commands.
1- Login as default PostgreSQL user (postgres)
sudo -u postgres -i
2- As postgres user. Add a new database user using the createuser command
[postgres]$ createuser --interactive
3-exit
[postgres]$ exit
If you don't want to change the authentication method (ident) and mess with pg_hba.conf use this:
First login as the default user
sudo su - postgres
then access psql and create a user with the same name as the one you are login in
postgres=# CREATE USER userOS WITH PASSWORD 'garbage' CREATEDB;
you can verify your user with the corresponding roles with
postgres=# \du
Afer this you can create your database and verify it with
psql -d dbName
\l
\q
I had the same issue, i just do this
sudo su - postgres
createuser odoo -U postgres -dRSP #P for password
(odoo or user name that you want o give the postgres access)
On Windows use:
C:\PostgreSQL\pg10\bin>createuser -U postgres --pwprompt <USER>
Add --superuser or --createdb as appropriate.
See https://www.postgresql.org/docs/current/static/app-createuser.html for further options.
For Linux, you can activate SUPERUSER to enable to create databases like this:
Go to terminal/shell
Enter inside postgres using
sudo -u postgres -i
Now your terminal will be like "postgres#anish-Latitude-E7450:~$"
Enter postgres terminal using
psql
Now your terminal will be like "postgres=#"
Enter alter user [postgres_user_name] createdb;
Now the user will be having access to create db.
Exit psql using '\q'
Logout postgres using exit
Hope this helps you.
You need to first run initdb. It will create the database cluster and the initial setup
See How to configure postgresql for the first time? and http://www.postgresql.org/docs/8.4/static/app-initdb.html

(Windows) Creating a new user in postgres9.4 with login, createdb, and createrole, but cannot login?

C:\Users\Thomas>psql -U Thomas -h localhost
Password for user Thomas:
psql: FATAL: password authentication failed for user "Thomas"
I can login fine using the posgres role. Have reassigned the password to user Thomas like five times ... it just doesn't sit in. What could possibly be wrong here ?
EDIT:
if I try to login as 'thomas' the ERROR becomes:
C:\Users\Thomas>psql -U thomas -h localhost
Password for user thomas:
psql: FATAL: database "thomas" does not exist
The \du lists as follows:
Role name | Attributes | Member of
-----------+------------------------------------------------+-----------
postgres | Superuser, Create role, Create DB, Replication | {}
thomas | Create role, Create DB | {}
EDIT 2:
If I GRANT CONNECT ON DATABASE thomastest TO thomas
Then it is possible to login but it needs extra info in the command line:
C:\Users\Thomas>psql -d thomastest -U thomas -h localhost
Is it possible to set this as the default login for this user ?
Is it possible to set this as the default login for this user ?
Yes, by setting the necessary environment variables:
PGUSER for the default user
PGDATABASE for the default database
You need to look at your pg_hba.conf file. psql uses domain sockets to connect to your database, which is different than what a program would do when coming from the outside. At the very top of the security declarations, you probably have something like:
local all all ident
change that to:
local all all md5
or, if you feel like it wouldn't be a security concern:
local all all trust
md5 will prompt for a password. trust will just let you in.
Oh, the reason that adding -h kinda works is because with -h, it uses the host entries in pg_hba.conf (not over local sockets), which are probably set to md5.
When you modify pg_hba, you either need to bounce postgres or run pg_ctl -D (whatever) reload

PostgreSQL error Fatal: role “username” does not exist

I'm setting up my PostgreSQL 9.1 in windows.
I can't do anything with PostgreSQL: can't createdb, can't createuser; all operations return the error message
Fatal: role root does not exist
root is my account name, which I created while installing Postgresql
But I am able to connect using:
username : postgres
How can I connect to postgres using role root?
There is a solution mentioned for linux platforms using su command here but not able to figure out solution for windows7
Thanks in Advance
If you want to login to Postgres using the username root you need to first create such a user.
You first need to login as the Postgres super user. This is typically postgres (and is specified during installation):
psql -U postgres <user-name>
Then you can create roles and databases:
psql (9.4.0)
Type "help" for help.
postgres=# create user root with password 'verysecret';
CREATE ROLE
postgres=# \q
c:\
c:\>psql -U root postgres
psql (9.4.0)
Type "help" for help.
postgres=>
Logged in as the superuser you can also grant the root user the necessary privileges.
All parameters for psql are documented in the manual.
Creating users and databases is also documented in the manual:
connecting to the database
create user
create database
In some cases, when you install postgres the initial DB is not created.
You need to execute initdb.
Same issue appeared while restoring DB/table on postgres docker container .
. When you connect to Postgres DB(psql shell) from inside the docker container, the default user would be a "root" (unless you specify psql -U "some-user-name")
[Manjunath-MacBook-Air:$ sudo docker exec -it a2ff6075344e bash
bash-5.0# psql -U postgres postgres < testdb_pg_dump
So, the issue gets resolved, by logging to psql shell with appropriate username
Here , -U postgres specifies that user connecting to DB is "postgres"

How to configure postgresql so it accepts login+password auth?

I have a fresh ubuntu 10.10 install with all updates and postgresql 8.4
In order for postgresql to accept login+password connections i have configured it via:
sudo su postgres
psql
ALTER USER postgres WITH PASSWORD 'password';
CREATE DATABASE myapp;
\q
exit
sudo vi /etc/postgresql/8.4/main/pg_hba.conf
change "local all all indent" to "local all all trust"
But, surprisingly, this is not working! The command
psql -U postgres password
Evaluates with error:
psql: FATAL: Ident authentication failed for user "postgres"
Any hints how i can make the psql -U to work?
It is probably a good idea to leave the "postgres" user with ident authentication. By default I believe Ubuntu uses the "postgres" user to perform upgrades, backups, etc, and that requires that it is able to login without a specified password.
I recommend creating another user (probably with your own username) and giving it admin privileges as well. Then you can use that user with passwords on local connections.
Here is what the relevant parts of my pg_hba.conf look like:
# allow postgres user to use "ident" authentication on Unix sockets
# (as per recent comments, omit "sameuser" if on postgres 8.4 or later)
local all postgres ident sameuser
# allow all other users to use "md5" authentication on Unix sockets
local all all md5
# for users connected via local IPv4 or IPv6 connections, always require md5
host all all 127.0.0.1/32 md5
host all all ::1/128 md5
Also note that psql -U postgres password will not do what you want. The password should never be specified on the commandline. That will try to login as user "postgres" to a database named "password".
You should use psql -U postgres myapp instead. Postgres will automatically prompt you for a password, if it is configured properly to require one.
In case we want the password be filled-in automatically, place it in $HOME/.pgpass file
I think your pg_ident.conf file is misconfigured. Also, have you tried
psql -U postgres -W
Another thing that can cause this is expired credentials. I don't think this happened in version 8, but in version 9 when you create a new role in pgadmin, it is created in an expired state and you need to change or clear the role's expiration date before you will be able to login with it.
You may find it helpful to create the database's user and schema in PostgreSQL:
Log into PostgreSQL from the postgres user
$ sudo -u postgres psql postgres
Once in, create the user and database
CREATE ROLE myuser LOGIN PASSWORD 'mypass';
CREATE DATABASE mydatabase WITH OWNER = myuser;
Log into PostgreSQL from the new user account
$ psql -h localhost -d mydatabase -U myuser -p <port>