fabric postgres password in command - postgresql

I have a fabric script that dumps database on server. And I can use it on multiple servers with the PostgreSQL database. The command is simple:
sudo("su postgres -c \"PGPASSWORD=%s pg_dump %s > /tmp/telemedia_newdb\""
% (HOST_SOURCE_DB_UPASS,HOST_SOURCE_DB))
But sometimes, Postgres does not ask for a password at all ...
Will this command fail without a password prompting from Postgres? (Or I know that it will not prompt and HOST_SOURCE_DB_UPASS=''). I want THIS code to work with or without password.

It all depends on how you set up access to your database in pg_hba.conf. There is a separate config file per database cluster (effectively per port) and settings can be different from database to database.
So, yes, if you have set it up that way, then the system user postgres will have password-less access to some databases but is prompted to enter a password for others. The default is that the system user postgres has password-less access to every database as database user of the same name (postgres).
If you provide a password in the command with the environment variable PGPASSWORD, but no password is needed, it will be ignored silently.
However, I quote the manual here:
PGPASSWORD (...) Use of this environment variable is not recommended for security reasons.
You can use a password file to provide passwords automatically (.pgpass on Unix systems). pg_dump will use it.
Finally, consider the command line options:
--no-password
--password
to force pg_dump to either prompt or not prompt for a password. If a password is required but disabled by --no-password, pg_dump will fail.
I would enable password-less access for the system user postgres to every database in the config file pg_hba.conf. Use peer or ident authentication methods. Then you don't have to provide a password and the script will always work:
local all postgres ident
Your script would be simplified to (untested):
sudo("su postgres -c \"pg_dump %s > /tmp/telemedia_newdb\"" % (HOST_SOURCE_DB))

Related

Postges command exection without password

I want to use rundeck to allow app user to reset their own password without admin access.
So I would like to execute this type of command:
export PASSFILE=/usr/pgsql-13/.pgpass ; /usr/pgsql-13/bin/psql -h hostname -U postgres -c """alter user ${job.username} PASSWORD '${option.Password}';"""
But the script fails because postgres ask for password
Any one have a workaround? The postgres DB is not a classic DB but aws aurora DB, so I don't have access to pg_hba file
Many thanks
If you want to use interactive commands on Rundeck you can use expect command, in that way you can "wrap" your command to "answer" any interactive command "question", that was answered here.
The environment valuable is called PGPASSFILE.
An alternative and simpler way is to specify the passfile connection parameter:
/usr/pgsql-13/bin/psql 'host=hostname user=postgres passfile=/usr/pgsql-13/.pgpass' -c "alter user ${job.username} PASSWORD '${option.Password}';"
You can also use the password parameter to specify the password in the connect string.

Postgresql: How do I set the password for the user 'postgres' when I can't access the postgresql database?

I'm running postgresql 10.12 on Ubuntu 18.04.
I'd like to experiment with a software package that uses postgres. This means I should figure out how to set up users, passwords and databases under postgres.
Postgres is running, but there's no way to log in to it.
I'm pretty sure there is a user called 'postgres'.
Logging in as this user without providing a password fails.
Also, attempting to use the passwords 'postgres' or 'root' fail.
How do I change the password for the user 'postgres' without being able to access the database?
This is a newbie-level recipe to modify initial password, which works on all fresh installations of the postgresql package on Linux Debian/Ubuntu and derivatives.
Go to the shell and switch user to postgres
(in user shell) sudo su - postgres
connect to the postgres database as postgres user
(in postgres shell) psql postgres postgres
now you can modify password of postgres user
(in postgres psql) ALTER USER postgres PASSWORD 'newsecret';
quit psql
(in postgres psql) \q
quit postgres shell
(in postgres shell) exit
test connection with new password
(in user shell) psql -h localhost postgres postgres
Note on remote postgres servers
In step 1 above, you can use ssh or kubectl exec or anything like that, if you have this kind of access.
Best Practice note
Above recipe (though it answers the OP question) is not a good practice. The best approach is:
Read and understand client auth -> https://www.postgresql.org/docs/current/client-authentication.html
Do not use postgres database user (or any other superuser!) for applications/development. Create your own user instead. For the simplest setup, use this:
(in psql shell)
CREATE USER myapp PASSWORD 'secret';
CREATE DATABASE myapp;
ALTER DATABASE myapp OWNER TO myapp;
-- alternative if you want to keep default ownership:
-- GRANT ALL ON DATABASE myapp TO myapp;
This should be done instead of modifying postgres user and/or postgres database.

How to provide password in one script to connect to postgresql database

I want to backup my postgresql database with a automatic backup program and that program only support a script line that backup with pg_dump.
I can't provide password in this script so I changed method from pg_hba.conf file from md5 to trust so that it won't ask for password and I used --no-password option.
How can I change this to md5 and provide password for it.
I would use a .pgpass file or use the peer authentication method. Details here:
Run batch file with psql command without password

Change my postgresql password in OSX?

I am trying to set my local postgresql so it does not have a password. I understand that this has to be done in the pg_hba.conf file and to acceess that file I have to be a postgres user. But to be a postgres user, I have to login with su postgres and enter the password that I don't have.
Any solution to this (I am on OSX)?
You're confusing several different concepts about the security model.
There is a postgres operating system user, which the PostgreSQL server runs as in order to isolate its data files and to limit damage in case of a security breach or application bug. PostgreSQL won't run as root for security. This user doesn't generally have a password, but you can change to it via the root account using sudo - you can sudo to this user with something like sudo -i -u postgres.
There is also a postgres database user, the default database superuser. This user doesn't generally have a password by default, but pg_hba.conf allows the postgres operating system user to connect as the postgres PostgreSQL user using peer authentication.
If you want you can change the configuration so that you use a password for the postgres database user, so you can psql -U postgres from any system user account:
ALTER USER postgres WITH ENCRYPTED PASSWORD 'blahblah';
Edit pg_hba.conf ("hba" is "host-based authentication") to use md5 authentication for local and host connections.
Re-start or re-load PostgreSQL
Similarly, if you want to allow any system user to connect as any database user without a password, you must modify pg_hba.conf and set trust as the authentication mode for local and host connection types. Please only use trust authentication for testing.
To learn more, see the client authentication chapter in the PostgreSQL documentation.

PostgreSQL multiple authentication methods

How can I set up multiple authentication methods for the same host/database/user rule? I want to be able to log in to my postgres user using both sudo -u postgres psql -U postgres (without having to enter a PostgreSQL password) and psql -U postgres --password. Something like the following in pg_hba.conf:
local all postgres md5
local all postgres peer
I can only get one method or the other working at the same time.
Thanks.
(I am using PostgreSQL 9.1).
Nope. Only one auth method is supported for any given configuration.
I'd love it if Pg could support fall-back authentication, where if an ident check fails it allows md5 auth instead. It doesn't support this at the moment, though, and I suspect (I haven't verified) that a protocol change would be required to support it.
What you can do is store the password in a $HOME/.pgpass file for the postgres system user. Give it mode 0600 so it's only readable by the postgres user and by root, both of whom can get direct access to the database files and configuration anyway. That way you get easy admin and md5 auth. On some systems you may have to set and create a home directory for the postgres user before you can do this. See getent passwd postgres to see if if the postgres user has a homedir and if so, where it is.
(UPDATE: used to read $HOME/.psqlrc - which is useful, but .pgpass is suitable for password storage)