Thread: Regarding access to a user

Regarding access to a user

From
Shashwat_Nigam
Date:

Dear Team

 

First of all I would like to thank you for providing a spatial database for GIS developers and users. But I have a doubt about the usage. I have created a few databases (i.e. X, Y, Z) in a default server and I also created a user (i.e. Us). Now what I want is to set privileges so that whenever the user logs in as Us he can only see database Y, none other than that. The user Us could have all rights for database Y but can't go for any other database (X or Z). I already tried the GRANT command but it doesn't seem to be fruitful as such.

Please provide some assistance regarding the same as it is very required for the further proceeding of my work.

Thanks & Regards,

Shashwat Nigam

| Software Engineer | Geographical Information System

Satyam Computer Services Limited, Hyderabad | MOBILE: +919951467324 | 

 



DISCLAIMER:
This email (including any attachments) is intended for the sole use of the intended recipient/s and may contain material that is CONFIDENTIAL AND PRIVATE COMPANY INFORMATION. Any review or reliance by others or copying or distribution or forwarding of any or all of the contents in this message is STRICTLY PROHIBITED. If you are not the intended recipient, please contact the sender by email and delete all copies; your cooperation in this regard is appreciated.

Re: [ADMIN] Regarding access to a user

From
"Kevin Grittner"
Date:
>>> Shashwat_Nigam <Shashwat_Nigam@satyam.com> wrote:

> Now what I want is to set privilege that whenever the user log in as Us
> he can only see database Y, none other than that. The user Us could have all
> rights for database Y but can't go for any other database (X or Z).

The first thing you need to do is configure "host based
authentication":

http://www.postgresql.org/docs/8.3/interactive/auth-pg-hba-conf.html

Among other things, this allows you to restrict which users can
connect to which databases.

-Kevin

Re: [ADMIN] Regarding access to a user

From
Shashwat_Nigam
Date:
Dear Kevin
Thanks for the help. But still the user is able to see all the databases. I defined something like this

# IPv4 local connections:
host    all         all         127.0.0.1/32          md5
host    HMRI_database   hmri    127.0.0.1/32          md5


In the above case hmri is user and HMRI_database. But still when the user is logged in as 'hmri' it is able to access all the databases.
Please provide a solution for the same.

Thanks & Regards,
Shashwat Nigam
| Software Engineer | Geographical Information System
Satyam Computer Services Limited, Hyderabad | MOBILE: +919951467324 |


Re: [ADMIN] Regarding access to a user

From
Shashwat_Nigam
Date:

Dear Vishal

Thanks for the help, but by doing this an error is generated at the time when the user is trying to log in, with the following message:

Access to database denied

The server doesn't grant access to the database: the server reports

FATAL: no pg_hba.conf entry for host "127.0.0.1", user "hmri", database "postgres", SSL off

To access a database on a PostgreSQL server, you first have to grant primary access to the server for your client (Host Based Authentication). PostgreSQL will check the pg_hba.conf file if a pattern that matches your client address / username / database is present and enabled before any SQL GRANT access control lists are evaluated.

The initial settings in pg_hba.conf are quite restrictive, in order to avoid unwanted security holes caused by unreviewed but mandatory system settings. You'll probably want to add something like

host all all 192.168.0.0/24 md5

This example grants MD5 encrypted password access to all databases to all users on the private network 192.168.0.0/24.

You can use the pg_hba.conf editor that is built into pgAdmin III to edit the pg_hba.conf configuration file. After changing pg_hba.conf, you need to trigger a server configuration reload using pg_ctl or by stopping and restarting the server process.

Please provide further proceedings

Thanks & Regards,

Shashwat Nigam

| Software Engineer | Geographical Information System

Satyam Computer Services Limited, Hyderabad | MOBILE: +919951467324 | 

 

From: Vishal Arora [mailto:aroravishal22@hotmail.com]
Sent: Thursday, August 21, 2008 2:29 PM
To: Shashwat_Nigam
Cc: pgsql-admin@postgresql.org
Subject: RE: [ADMIN] Regarding access to a user

 







> From: Shashwat_Nigam@satyam.com
> To: Kevin.Grittner@wicourts.gov
> CC: pgsql-general@postgresql.org; pgsql-sql@postgresql.org; pgsql-admin@postgresql.org
> Date: Thu, 21 Aug 2008 14:23:51 +0530
> Subject: Re: [ADMIN] Regarding access to a user
>
> Dear Kevin
> Thanks for the help. But still the user is able to see all the databases. I defined something like this
>
> # IPv4 local connections:
> host all all 127.0.0.1/32 md5
> host HMRI_database hmri 127.0.0.1/32 md5

You have to comment out the first entry made in your hba file. In this case it checks for the first line where all users are allowed to access all databases so it does not check the second line.

>
> in the above case hmri is user and HMRI_database. But still when user is log in as 'hmri' it is able to access all the databases.
> Please provide a solution for the same.
>
> Thanks & Regards,
> Shashwat Nigam
> | Software Engineer | Geographical Information System
> Satyam Computer Services Limited, Hyderabad | MOBILE: +919951467324 |
>

Re: [ADMIN] Regarding access to a user

From
Tomasz Ostrowski
Date:
On 2008-08-21 10:53, Shashwat_Nigam wrote:

> host    all         all         127.0.0.1/32          md5
> host    HMRI_database   hmri    127.0.0.1/32          md5
> in the above case hmri is user and HMRI_database. But still when user
> is log in as 'hmri' it is able to access all the databases.

Order matters:
host    HMRI_database   hmri    127.0.0.1/32          md5
host    all         all         127.0.0.1/32          md5

Regards
Tometzky
--
...although Eating Honey was a very good thing to do, there was a
moment just before you began to eat it which was better than when you
were...
                                                      Winnie the Pooh

Re: [ADMIN] Regarding access to a user

From
Shashwat_Nigam
Date:
Dear Tomasz
I had done the same but still the problem is like that the user is able to access all the databases in the current
server. Even the order is like same and if I comment the second line (all access) then the error is there.
Please provide solution for the same.

Thanks & Regards,
Shashwat Nigam
| Software Engineer | Geographical Information System
Satyam Computer Services Limited, Hyderabad | MOBILE: +919951467324 |



Re: [ADMIN] Regarding access to a user

From
Tomasz Ostrowski
Date:
On 2008-08-21 11:12, Shashwat_Nigam wrote:

> I had done the same but still the problem is like that the user is
> able to access all the databases in the current server. Even the
> order is like same and if I comment the second line(all access) then
> the error is there.

You did issue "pg_ctl reload" or restart postgresql after making changes
to pg_hba.conf?

http://www.postgresql.org/docs/8.3/interactive/auth-pg-hba-conf.html
    The pg_hba.conf file is read on start-up and when the main
    server process receives a SIGHUP signal. If you edit the file
    on an active system, you will need to signal the server (using
    pg_ctl reload or kill -HUP) to make it re-read the file.

> Please provide solution for the same.

Please read the fine manual.

Regards
Tometzky
--
...although Eating Honey was a very good thing to do, there was a
moment just before you began to eat it which was better than when you
were...
                                                      Winnie the Pooh

Re: [ADMIN] Regarding access to a user

From
Shashwat_Nigam
Date:

Hi Vishal

 

Ya you are right and the order is same and the command is like that only.

 

I am opening it through pgAdmin only..

Thanks & Regards,

Shashwat Nigam

| Software Engineer | Geographical Information System

Satyam Computer Services Limited, Hyderabad | MOBILE: +919951467324 | 

 

From: Vishal Arora [mailto:aroravishal22@hotmail.com]
Sent: Thursday, August 21, 2008 2:47 PM
To: Shashwat_Nigam; pgsql-admin@postgresql.org
Subject: RE: [ADMIN] Regarding access to a user

 


Hi Shashwat,
 
I presume your user is hmri and the database is hmri_database, is it correct?
 
If yes - your pg_hba.conf entry should be as follows (if you are connecting to postgres on the same machine)


host hmri_database hmri 127.0.0.1/32 md5
 
Can you tell me what command are you using to connect to the server and what environment is it?
 

Regards
 
Vishal




Re: [ADMIN] Regarding access to a user

From
"Albe Laurenz"
Date:
Shashwat_Nigam wrote:
> Thanks for the help. But still the user is able to see all
> the databases. I defined something like this
>
> # IPv4 local connections:
> host    all         all         127.0.0.1/32          md5
> host    HMRI_database   hmri    127.0.0.1/32          md5
>
>
> in the above case hmri is user and HMRI_database. But still
> when user is log in as 'hmri' it is able to access all the databases.
> Please provide a solution for the same.

Remove the first line, and you'll be fine.

PostgreSQL uses the first line in pg_hba.conf that matches the
incoming connection.

Yours,
Laurenz Albe

Re: [ADMIN] Regarding access to a user

From
"Scott Marlowe"
Date:
On Thu, Aug 21, 2008 at 3:05 AM, Shashwat_Nigam
<Shashwat_Nigam@satyam.com> wrote:
> Dear Vishal
>
> Thanks for the help but by doing this an error is generated at the time when
> the user is trying to log in  with the following message:
>
> "
>
> Access to database denied
>
> The server doesn't grant access to the database: the server reports
>
> FATAL: no pg_hba.conf entry for host "127.0.0.1", user "hmri", database
> "postgres", SSL off

Notice that it says database postgres???  User hmri doesn't have
permission to connect to the postgres database.  You need to
connect to the hmri database.
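
The first-match rule from Laurenz Albe's reply and the "no pg_hba.conf entry" error discussed above, as an added example that is not part of the original thread: a simplified Python model of pg_hba.conf matching, covering "host" records only (no sameuser, +role, @file or quoted names), run over the configurations posted in this thread. The last configuration, which uses the standard "reject" method to keep other users' access while limiting hmri, goes beyond what the thread proposes and is an assumption about the goal.

```python
import ipaddress

def parse_hba(text):
    """Parse 'host' records: TYPE DATABASE USER ADDRESS METHOD."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 5 or fields[0] != "host":
            continue  # comments, blanks and other record types are skipped
        _, dbs, users, addr, method = fields[:5]
        rules.append((lineno, dbs.split(","), users.split(","),
                      ipaddress.ip_network(addr), method))
    return rules

def decide(conf, db, user, client_ip="127.0.0.1"):
    """Return (line number, method) of the first matching record, or None."""
    ip = ipaddress.ip_address(client_ip)
    for lineno, dbs, users, net, method in parse_hba(conf):
        if (("all" in dbs or db in dbs)          # names compared exactly
                and ("all" in users or user in users)
                and ip in net):
            return lineno, method  # first match wins; later records are not consulted
    return None  # server reports: FATAL: no pg_hba.conf entry for host ...

def allowed_by_hba(conf, db, user, client_ip="127.0.0.1"):
    """True if the connection gets as far as the password check."""
    hit = decide(conf, db, user, client_ip)
    return hit is not None and hit[1] != "reject"

# Configurations below are retyped from the thread (constructed sample input).
AS_POSTED = """\
# IPv4 local connections:
host    all             all     127.0.0.1/32    md5
host    HMRI_database   hmri    127.0.0.1/32    md5
"""
REORDERED = """\
host    HMRI_database   hmri    127.0.0.1/32    md5
host    all             all     127.0.0.1/32    md5
"""
ONLY_SPECIFIC = """\
host    HMRI_database   hmri    127.0.0.1/32    md5
"""
# Not from the thread: explicit reject for hmri before the catch-all record.
WITH_REJECT = """\
host    HMRI_database   hmri    127.0.0.1/32    md5
host    all             hmri    127.0.0.1/32    reject
host    all             all     127.0.0.1/32    md5
"""

if __name__ == "__main__":
    configs = {"as posted": AS_POSTED, "reordered": REORDERED,
               "only specific": ONLY_SPECIFIC, "with reject": WITH_REJECT}
    for name, conf in configs.items():
        for db in ("HMRI_database", "postgres"):
            print(f"{name:14} hmri -> {db:14} {decide(conf, db, 'hmri')}")
```

With only the specific record, a client that first connects to the "postgres" database as hmri gets no match at all, which is the FATAL message quoted above.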

Re: [ADMIN] Regarding access to a user

From
Vishal Arora
Date:







> Date: Mon, 25 Aug 2008 11:08:14 -0600
> From: scott.marlowe@gmail.com
> To: Shashwat_Nigam@satyam.com
> Subject: Re: [ADMIN] Regarding access to a user
> CC: aroravishal22@hotmail.com; pgsql-admin@postgresql.org; Kevin.Grittner@wicourts.gov; pgsql-general@postgresql.org; pgsql-sql@postgresql.org
>
> On Thu, Aug 21, 2008 at 3:05 AM, Shashwat_Nigam
> <Shashwat_Nigam@satyam.com> wrote:
> > Dear Vishal
> >
> > Thanks for the help but by doing this an error is generated at the time when
> > the user is trying to log in with the following message:
> >
> > "
> >
> > Access to database denied
> >
> > The server doesn't grant access to the database: the server reports
> >
> > FATAL: no pg_hba.conf entry for host "127.0.0.1", user "hmri", database
> > "postgres", SSL off
>
> Notice that it says database postgres??? User hmri doesn't have
> permission to connect to the the postgres database. you need to
> connect to the hmri database.

He is using PgAdmin III to connect to the database. When you use pgAdminIII, it has one text field as Maintenance DB - that is by default marked as Postgres. Now when you make entries for specific user for specific database, you get this above error, if you do not change the maintenance db to the same as the user wants to connect to.
 
 