Thread: [OT?] permissions

[OT?] permissions

From
"Clayton Cottingham aka drfrog"
Date:
im having a heck of a time here

if this is off topic please redirect me 


lemme explain

im trying to set up a 'one user one database scenario'
while still maintaining the postgres user account

here is the prob 
how do i set it up so i can do this 
it would seem this would work in the pg_hba.conf:


local         all                     trust    postgres
host         all     127.0.0.1     255.255.255.255     trust     postgres

but then anyone can 
psql -U postgres
and get in without password!
so i try

#local ident not avail! right?
host         all     127.0.0.1     255.255.255.255     ident     postgres

and get this
psql: No pg_hba.conf entry for host localhost, user postgres, database postgres
even though it says 'all'

is this right?
or should i have to allow access on a database per database?




the other problem is that

local         mydb                 password passwd
host         mydb       127.0.0.1     255.255.255.255    password passwd

would allow anyone with access to postgres  to connect to this db 

how would i strengthen this and still keep using the password ?

one would think there should be an extra option on this of user to connect 

like 

local         mydb                 password passwd myuser
host         mydb       127.0.0.1     255.255.255.255    password passwd myuser

or is there a way to grant perms on a database? 
i could seem to do that !
so there seems to be a little problem in the clarity on how to do this
i looked over the docs and bruce's book and i could seem to get it together


any help
most appreciated


-- 
Psychiatry enables us to correct our faults by confessing our parents'
shortcomings.    -- Laurence J. Peter, "Peter's Principles"




Re: [OT?] permissions

From
Peter Eisentraut
Date:
Clayton Cottingham aka drfrog writes:

> im trying to set up a 'one user one database scenario'

local    sameuser    ident    sameuser

This allows a Unix user joe to connect only as database user joe and only
to database joe.  The catch is that local ident doesn't exist until
release 7.2, but you can still use host ident.

> while still maintaining the postgres user account

local    all        ident    specialmap

where the specialmap only maps postgres to postgres.  (This presumes only
you have access to the Unix account postgres.)  Another option is to use
'password specialfile', where the specialfile only contains an entry for
postgres.  Then you'd need a password to get in as postgres, but you can
do so from any account.

Now let's look at your mistakes:

> local         all                     trust    postgres
> host         all     127.0.0.1     255.255.255.255     trust     postgres
>
> but then anyone can
> psql -U postgres
> and get in without password!

The word after "trust" doesn't mean anything.  trust is trust.

> so i try
>
> #local ident not avail! right?
> host         all     127.0.0.1     255.255.255.255     ident     postgres
>
> and get this
> psql: No pg_hba.conf entry for host localhost, user postgres, database postgres
> even though it says 'all'

I don't know if it's the cause of the message, but 'ident postgres'
doesn't seem right.  The word after ident is not a user name.

> one would think there should be an extra option on this of user to connect
>
> like
>
> local         mydb                 password passwd myuser
> host         mydb       127.0.0.1     255.255.255.255    password passwd myuser

There is:  You only list the users you want to be able to get in in the
'passwd' file.

-- 
Peter Eisentraut   peter_e@gmx.net
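
The record matching discussed in the reply above, as an added example that is not part of the thread or of PostgreSQL's own code: a small evaluator for the record syntax used in this thread, showing that the word after trust changes nothing, while the sameuser, ident map and password-file records restrict who gets in. The function names, the return strings and the contents of `MAPS` and `FILES` are assumptions made for illustration; password records that name no file are not modelled.

```python
import ipaddress

def parse_hba(text):
    """Parse records as written in the thread: local DB AUTH [ARG] / host DB IP MASK AUTH [ARG]."""
    records = []
    for line in text.splitlines():
        f = line.split("#", 1)[0].split()
        if not f:
            continue
        if f[0] == "local":
            db, net, rest = f[1], None, f[2:]
        elif f[0] == "host":
            db, net, rest = f[1], ipaddress.ip_network(f"{f[2]}/{f[3]}"), f[4:]
        else:
            raise ValueError(f"unknown record type: {f[0]}")
        records.append({"type": f[0], "db": db, "net": net, "auth": rest[0],
                        "arg": rest[1] if len(rest) > 1 else None})
    return records

def decide(records, conn_type, db, db_user, os_user=None, addr=None,
           ident_maps=None, passwd_files=None):
    """Return 'accept', 'reject', 'ask-password' or 'no-entry' for one connection attempt."""
    for rec in records:
        if rec["type"] != conn_type:
            continue
        if rec["db"] not in ("all", db) and not (rec["db"] == "sameuser" and db == db_user):
            continue
        if rec["net"] is not None and ipaddress.ip_address(addr) not in rec["net"]:
            continue
        break  # only the first matching record is consulted
    else:
        return "no-entry"
    if rec["auth"] == "trust":
        return "accept"  # any trailing word is ignored: "trust is trust"
    if rec["auth"] == "ident":
        if rec["arg"] == "sameuser":
            ok = os_user == db_user
        else:  # arg names a map of (unix user, database user) pairs
            ok = (os_user, db_user) in (ident_maps or {}).get(rec["arg"], set())
        return "accept" if ok else "reject"
    if rec["auth"] == "password":  # arg names a file listing the users allowed in
        allowed = (passwd_files or {}).get(rec["arg"], set())
        return "ask-password" if db_user in allowed else "reject"
    return "reject"

# Constructed inputs: TRUST holds the original poster's records, PER_USER the ones suggested in the reply.
TRUST = parse_hba("local all trust postgres\nhost all 127.0.0.1 255.255.255.255 trust postgres")
PER_USER = parse_hba("local sameuser ident sameuser\nlocal all ident specialmap\n"
                     "host mydb 127.0.0.1 255.255.255.255 password passwd")
MAPS = {"specialmap": {("postgres", "postgres")}}  # assumed map contents
FILES = {"passwd": {"myuser"}}                     # assumed password-file users
```
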



Re: [OT?] permissions

From
"Clayton Cottingham aka drfrog"
Date:
Thanks Peter:


On Mon, 19 Nov 2001 15:40:12 +0100 (CET), Peter Eisentraut said:

>  > so i try
>  >
>  > #local ident not avail! right?
>  > host         all     127.0.0.1     255.255.255.255     ident     postgres
>  >
>  > and get this
>  > psql: No pg_hba.conf entry for host localhost, user postgres, database postgres
>  > even though it says 'all'
>  
>  I don't know if it's the cause of the message, but 'ident postgres'
>  doesn't seem right.  The word after ident is not a user name.
>  

doh!
ok 

those names are just mappings for pg_ident.conf
correct or the special name sameuser

are there any other keywords i should know?


>  > one would think there should be an extra option on this of user to connect
>  >
>  > like
>  >
>  > local         mydb                 password passwd myuser
>  > host         mydb       127.0.0.1     255.255.255.255    password passwd myuser
>  
>  There is:  You only list the users you want to be able to get in in the
>  'passwd' file.
>  

ah yes
as soon as i read this i was oh yeah sort of  like apache !


Thanks Again