Re: docs about security - Mailing list pgsql-docs

speeves@unt.edu (speeves) wrote in message news:<d6351bca.0110171022.1cce600@posting.google.com>...
> Hi!
>
> I am resending a plea for some good security docs, or locations
> thereof.  I have been wrestling with security on Postgres for some
> time, and have finally given up for a time.  Is there a chance that
> someone could write a good tutorial, or a chapter in a book, that can
> explain the various aspects of security on Postgres.
>
> The reason that I am asking, is because I have been trying to see if
> Postgres would/could be a replacement for our 30+ databases(access +
> sql server).  From the understanding that I get from what I read it
> doesn't look like I can do the security scheme that I want.  (I have
> great respect for all of you who are working on a great product, but
> as of now, I can't wrap my brain around your security scheme...:(  )
>
> Thanks for letting me vent,
>
> Speeves
> Well, my book does cover it a little:
>
>         http://www.postgresql.org/docs/awbook.html
>
> There is table-level security (GRANT), view-level security, and
> database/host access security.
>
> Tell us what you want to do and we can tell you if you can do it with
> PostgreSQL.
>
> --
>   Bruce Momjian                        |  http://candle.pha.pa.us
>   pgman@candle.pha.pa.us               |  (610) 853-3000
>   +  If your life is a hard drive,     |  830 Blythe Avenue
>   +  Christ can be your backup.        |  Drexel Hill, Pennsylvania 19026
Thanks for the quick reply!:)

What I am trying to do, is, (for example), prepare a test setup for a
class.  I have setup the pg_hba.conf file as :

host  test1    123.456.789.45    255.255.255.255 password test1

(I am just using password, cause I want to understand what is going on
before I start messing with crypt and the other aspects of
authentication.)

The database resides on:

123.456.785.56

I have setup a password file using pg_passwd and set it in $PGDATA and
have tested it locally.  (Except the pg_hba.conf file has:

(local computer w/ db)
host all    123.456.789.56 255.255.255.255 password test  (test file
contains superuser, test1 doesn't)

When I sit at remote computer (123.456.789.45) I try to login to test1
db and it works but...  I need to log-in the first time as a
super-user to allow it to update some server side information.  Is
this a security default?  Is there a way around it?  If I have a class
of 10 people with 10 different db's, it's a pain to have to login as a
superuser to all of the db's.  Esp. if they are only going to use it
one time. On a larger scale, am I going to have to sit at (ie) 5000
computers around campus to update the server side stuff for every new
dsn that is created?  Or, is it that I can login once as superuser to
every db that is created and it will allow simple users to access the
db ever-after?  (Still a pain...)  (Oh, I am using PgAdmin on windows
machines for clients, and postgresql is running on a linux box.)

The next question is...  Can I allow access to multiple dbs on one
line, such as:

host test1,test 123.456.789.45 255.255.255.255 password test1  (test1
contains username blah only)

Can I do it on multiple lines in the conf file?  When doing this for a
large organization, this seems like an administrative behemoth...  I
guess some sort of web interface would make it easier for the end-user
that needs to create db's...?

Is it possible to create containers so that multiple departments can
have a superuser that can create db's in their container, but not in
someone elses container?  (We're talking about possibly 100's of
departments inside about 10 colleges and administrative offices.)
From what I see now, a superuser can create db's any and everywhere on
the server...

I had some other's, but am unable to remember them.

Again, thanks for your help!  (And by the way, I enjoyed your book:) )

--
Shannon Peevey
Central Web Support
UNT-Computing Center
speeves@unt.edu
940-369-8876