Thread: [OT?] permissions
im having a heck of a time here
if this is off topic please redirect me

lemme explain

im trying to set up a 'one user one database scenario'
while still maintaining the postgres user account

here is the prob
how do i set it up so i can do this

it would seem this would work in the pg_hba.conf:

local all trust postgres
host all 127.0.0.1 255.255.255.255 trust postgres

but then anyone can
psql -U postgres
and get in without password!

so i try

#local ident not avail! right?
host all 127.0.0.1 255.255.255.255 ident postgres

and get this
psql: No pg_hba.conf entry for host localhost, user postgres, database postgres
even though it says 'all'

is this right? or should i have to allow access on a database per database?

the other problem is that

local mydb password passwd
host mydb 127.0.0.1 255.255.255.255 password passwd

would allow anyone with access to postgres to connect to this db

how would i strengthen this and still keep using the password ?

one would think there should be an extra option on this of user to connect

like

local mydb password passwd myuser
host mydb 127.0.0.1 255.255.255.255 password passwd myuser

or is there a way to grant perms on a database?
i could seem to do that !

so there seems to be a little problem in the clarity on how to do this
i looked over the docs and bruce's book and i could seem to get it together

any help most appreciated

--
Psychiatry enables us to correct our faults by confessing our parents' shortcomings.
-- Laurence J. Peter, "Peter's Principles"

Clayton Cottingham aka drfrog writes:

> im trying to set up a 'one user one database scenario'

local sameuser ident sameuser

This allows a Unix user joe to connect only as database user joe and only to database joe. The catch is that local ident doesn't exist until release 7.2, but you can still use host ident.

> while still maintaining the postgres user account

local all ident specialmap

where the specialmap only maps postgres to postgres. (This presumes only you have access to the Unix account postgres.)

Another option is to use 'password specialfile', where the specialfile only contains an entry for postgres. Then you'd need a password to get in as postgres, but you can do so from any account.

Now let's look at your mistakes:

> local all trust postgres
> host all 127.0.0.1 255.255.255.255 trust postgres
>
> but then anyone can
> psql -U postgres
> and get in without password!

The word after "trust" doesn't mean anything. trust is trust.

> so i try
>
> #local ident not avail! right?
> host all 127.0.0.1 255.255.255.255 ident postgres
>
> and get this
> psql: No pg_hba.conf entry for host localhost, user postgres, database postgres
> even though it says 'all'

I don't know if it's the cause of the message, but 'ident postgres' doesn't seem right. The word after ident is not a user name.

> one would think there should be an extra option on this of user to connect
>
> like
>
> local mydb password passwd myuser
> host mydb 127.0.0.1 255.255.255.255 password passwd myuser

There is: You only list the users you want to be able to get in in the 'passwd' file.

--
Peter Eisentraut peter_e@gmx.net

Thanks Peter:

On Mon, 19 Nov 2001 15:40:12 +0100 (CET), Peter Eisentraut said:

> > so i try
> >
> > #local ident not avail! right?
> > host all 127.0.0.1 255.255.255.255 ident postgres
> >
> > and get this
> > psql: No pg_hba.conf entry for host localhost, user postgres, database postgres
> > even though it says 'all'
>
> I don't know if it's the cause of the message, but 'ident postgres'
> doesn't seem right. The word after ident is not a user name.
>

doh!
ok those names are just mappings for pg_ident.conf correct
or the special name sameuser

are there any other keywords i should know?

> > one would think there should be an extra option on this of user to connect
> >
> > like
> >
> > local mydb password passwd myuser
> > host mydb 127.0.0.1 255.255.255.255 password passwd myuser
>
> There is: You only list the users you want to be able to get in in the
> 'passwd' file.
>

ah yes as soon as i read this i was
oh yeah sort of like apache !

Thanks Again
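
Added example, not part of the thread or of PostgreSQL: a small audit of pg_hba.conf records that flags the two mistakes discussed above, a trust record (with or without a trailing word) and an ident argument that is neither sameuser nor a known map name. The record layout is assumed from the lines quoted in the thread; `audit`, `parse_record` and `known_maps` are names made up for this example.

```python
# Added example. Record layout assumed from the lines quoted in this thread:
#   local DBNAME METHOD [ARGUMENT]
#   host  DBNAME IP_ADDRESS ADDRESS_MASK METHOD [ARGUMENT]

# Constructed sample: records taken from the thread's messages.
SAMPLE = """\
local all trust postgres
host all 127.0.0.1 255.255.255.255 trust postgres
#local ident not avail! right?
host all 127.0.0.1 255.255.255.255 ident postgres
local mydb password passwd
host sameuser 127.0.0.1 255.255.255.255 ident sameuser
"""

METHOD_INDEX = {"local": 2, "host": 4}  # position of METHOD per record type


def parse_record(line):
    """Return (kind, database, method, argument), or None for blank/comment lines."""
    fields = line.split("#", 1)[0].split()
    if not fields:
        return None
    idx = METHOD_INDEX.get(fields[0])
    if idx is None or len(fields) <= idx:
        raise ValueError(f"unrecognised record: {line!r}")
    argument = fields[idx + 1] if len(fields) > idx + 1 else None
    return fields[0], fields[1], fields[idx], argument


def audit(text, known_maps=()):
    """Return [(line_number, message)] for the two mistakes discussed above."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        record = parse_record(line)
        if record is None:
            continue
        _kind, database, method, argument = record
        if method == "trust":
            msg = f"trust on database {database!r}: no password is asked for"
            if argument:
                msg += f"; the word {argument!r} after trust has no effect"
            findings.append((lineno, msg))
        elif method == "ident" and argument and argument not in ("sameuser", *known_maps):
            findings.append((lineno, f"ident argument {argument!r} is read as a map "
                                     "name, not a user name, and no such map is known"))
    return findings


if __name__ == "__main__":
    for lineno, message in audit(SAMPLE, known_maps=("specialmap",)):
        print(f"line {lineno}: {message}")
```

Pass the map names defined in pg_ident.conf as `known_maps`; anything else after ident is reported.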