I'm confused about a point of pg_pool-II's documentation. The health_check_user is used to determine the health of DB cluster servers, but what abilities does the health_check_user need? As there are no configuration options to get a password for this user, I'm assuming that pg-pool's health_check_user will likewise need trust level access to each DB?
It looks like it just needs permission to connect to the databases (same username for all databases).
You don't need to rely on trust auth either, I'm sure you can use a .pgpass file.
http://www.postgresql.org/docs/9.0/static/libpq-pgpass.html
As Richard said, it only needs to connect to the database.
And also you can set password for this user with health_check_password
Related
I have windows based application that communicates with PostgreSQL (installed on another Windows Server). Currently I use connection string with username and password (user is configured on PostgreSQL DB). Is it possible to somehow change it so that in connection automatically logged to windows User is passed and somehow configured on Postgres so that he can have access to db?
I need to do it in order to add some audit: when record is added to table I would like to add information in separate column about which user inserted it (it would be great to do it on :) thanks!
Answer depends on environment. If you work in domain and all your user do (careful on permissions), then it is possible on server side (see https://www.postgresql.org/docs/12/auth-methods.html)
But if not, then the easiest approach is to include information in insert call, or call function which performs insert, but takes user info as an argument.
If your server is on Windows too, the natural thing to do would be to use SSPI (Windows single-sign-on) authentication. For that, use sspi authentication in pg_hba.conf and add SSPI configuration parameters after that.
We are using AWS PostgreSQL RDS and we would like to limit some accounts to be accessed from a specific set of CIDR. Since RDS is managed DBMS by AWS we do not have access to pg_hba.conf.
https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Appendix.PostgreSQL.CommonDBATasks.html
By checking the CREATE ROLE and USER DDL in PG, it does not seem to be an option.
https://www.postgresql.org/docs/current/sql-createrole.html
https://www.postgresql.org/docs/current/sql-createuser.html
you can try to write you own rules via function/procedure checking, using SELECT inet_server_addr() (just keep in mind that it works only with non-localhost connections).
Also some useful functions here (like local/remote ip/port): https://www.postgresql.org/docs/9.4/functions-info.html
I am trying to get a mongoDB working with authentication, using both Java and PHP drivers. I've added user roles to the mongoDB but haven't yet turned on authentication (so clients can login with usernames and passwords, but they don't have to, and user roles are not yet enforced).
To check that everything is working, before actually turning authentication on, I've been looking at the mongod.log file. I see things like:
2015-11-17T08:47:19.052+0000 I NETWORK [initandlisten] connection accepted from ###:### #158126 (46 connections now open)
2015-11-17T08:47:19.960+0000 I ACCESS [conn158126] Successfully authenticated as ### on ###
But.... I also see quite a few connections without the "ACCESS" line. However, when cross referencing with logs of the clients, it seems they are trying to connect with authentication.
What can be going on?
Is it perhaps the case that the ACCESS log only occurs if some database action is taken? So, e.g. if a client connects but doesn't try to read or write, would I not see the 2nd line?
Is it perhaps the case that the ACCESS log only occurs if some database action is taken?
At least for the JAVA driver I'm using, "yes" is the answer. I ran a test, connecting, requesting a DB and collection, but doing nothing more, and no authentication check is triggered. It's only when you try to read/write that the authentication happens.
I am aware that I have to add the IP addresses of remote hosts in pg_hba.conf file and restart the PostgreSQL server for changes to take effect.
But I would like to get a list of hosts currently allowed for the host-based authentication, directly from the server that is already running.
Similar to how I can get the max_connections setting using show max_connections;, I would hypothetically imagine it to be something like show hosts; or select pg_hosts(); (neither really exists).
Is this possible?
EDIT: I understand exposing the hosts would present a security risk. But how about the psql utility invoked directly in the database server's terminal? Does it have a special command to get the list?
The psql command at the terminal has no permission to get the list. Only the PostgreSQL database does.
The best way to do this (if you really must) is to create a PL/PerlU function which reads the pg_hba.conf and parses it, and returns the information in the way you want it. You could even build a management system for the pg_hba.conf with such functions (reloading the db might get interesting but you could do this with a LISTEN/NOTIFY approach).
Note, however, if you do this, your functions have a security footprint. You would probably want to just revoke permission to run the functions from public, grant access to nobody, and thus require users be superusers in order to run the functions. I would personally avoid exposing such critical information to the db unless there was a compelling reason but I could imagine that there could be cases where it might be helpful on balance. It is certainly dangerous territory however.
My database is hosted in a shared hosting. I connect my database remotely in Management Studio Express. Whenever i try to connect to sqlserver instance it shows all the databases that are hosted in that server instance. This annoying to find out your database out of 400 database of the other users all the time.
Is there a any way to filter down the list of databases to those i won or have permission ? i don't want to see databases that i don't have permission or i don't own.
Remember my database is hosted in a shared hosting and as a user i have limited privilege.
I've researched a similar issue and the only method I've found that works for this is a little hackish, however it may work for you in this case. If you (or the administrator of your shared host) is able to make your login the DBO of your database, and then also DENY VIEW to all databases for your login, you should only see the database that your login owns when you connect. So the t-sql would be:
`USE AdventureWorks2008R2
ALTER AUTHORIZATION ON DATABASE::AdventureWorks2008R2 to TestLogin
USE MASTER
DENY VIEW ANY DATABASE TO TestLogin`
Not sure if this is a fit for your scenario, and definitely not saying it is a best practice, but maybe it helps!
I have created the solutio for this problem in SSMSBoost add-in for SSMS (I am the developer of this add-in).
There is a special "Smart connection switch" combobox on the toolbar, that you can configure to show your favorite connections (Preferred connections), also you can display all local databases, BUT only those, that you can access.