Discussion: pg_hba, access control for a webserver, superuser, and joe user


pg_hba, access control for a webserver, superuser, and joe user

From
jerry.nospam@theashergroup.com (Jerry Asher)
Date:
I am running a system with three types of users:

A)  Joe User, who may have a pg database
        I don't care if Joe User, once logged in to the system
        has to type a password or not to get access to his db

          local sameuser md5
               or
          local all ident sameuser
               or ?

B)  Superuser (postgres) who will need access to all dbs, w/o
        typing any password other than that of the postgres'
        pg user.

        I think I can do this through the use of a line in pg_hba.conf
          local all md5 admins
        where admins contains the name of the superuser.

C)  Web Server, which will run under one username, but will at
        times be required to access the databases of many users.
        This webserver's db mechanism relies on passwords being
        stored, in the clear, in flat files.

        I would like to avoid that.  I believe I can avoid that
        in a reasonably secure mode if I use the ident mechanism
        and manage an ident map in pg_ident.conf

But permute as I might, I have not been able to piece all of this
together.  I can accomplish two out of three of these, but the whole
solution eludes me.

Does the order of statements in pg_hba.conf matter?
Is there a priority and a fallback of sorts?  Try this first mechanism
and if that fails, try the next mechanism?

What do most people do in this circumstance?  Or, what should my
pg_hba.conf file look like?

Thanks,

Jerry Asher
jerry.nospam@theashergroup.com (remove the .nospam to send mail)

Re: pg_hba, access control for a webserver, superuser, and joe user

From
Bruno Wolff III
Date:
On Tue, Jan 28, 2003 at 15:39:03 -0800,
  Jerry Asher <jerry.nospam@theashergroup.com> wrote:
>
> Does the order of statements in pg_hba.conf matter?
> Is there a priority and a fallback of sorts?  Try this first mechanism
> and if that fails, try the next mechanism?

Yes the order matters. Only the first rule that matches is used to
do the authentication. If it fails no other rules are tried.

For your kind of set up, you want to do the user specific rules first
(postgres and the web user) followed by the wildcard rule for users
connecting to a matching database.

Here is a sample that I use that is similar to what you are trying to do.

HBA:
local   all                         postgres    ident   postgres
local   area,book,cube,template1    bruno       ident   sameuser
local   area,book                   nobody      ident   nobody
local   sameuser                    all         ident   sameuser

IDENT:
postgres    root        postgres
postgres    bruno       postgres
postgres    postgres    postgres
nobody      bruno       nobody
nobody      nobody      nobody
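The first-match rule Bruno describes, applied to the three roles Jerry asked about (superuser, web-server user, ordinary user with a same-named database), as an added example that is not code from the thread or from PostgreSQL. It is a small simulator of the 7.3-era pg_hba.conf / pg_ident.conf matching: the first rule whose type, database and user fields match decides the method, and if that method refuses the connection no later rule is consulted. Bruno's HBA and IDENT samples are embedded verbatim; the misordered variant, the `joe`/`mallory` OS users and the database named `postgres` are constructed for the demonstration. Only the `local` type with the `ident`, `trust` and `reject` methods is modelled (no md5 prompting, no host rules).

```python
"""Added example: first-match evaluation of pg_hba.conf with pg_ident.conf maps.

Not from the thread or from PostgreSQL; it models the rule Bruno states
(first matching rule decides, no fallback) for 'local' rules with the
'ident', 'trust' and 'reject' methods, using the column layout of the era.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class HbaRule:
    conn_type: str
    databases: List[str]   # comma-separated names, or 'all' / 'sameuser'
    users: List[str]       # comma-separated names, or 'all'
    method: str            # 'ident', 'trust', 'reject', 'md5', ...
    option: Optional[str]  # for ident: the pg_ident.conf map name


def _fields(text: str, min_cols: int, what: str):
    """Yield whitespace-split columns of each non-blank, non-comment line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        cols = line.split()
        if len(cols) < min_cols:
            raise ValueError(f"malformed {what} line: {raw!r}")
        yield cols


def parse_hba(text: str) -> List[HbaRule]:
    return [HbaRule(c[0], c[1].split(","), c[2].split(","), c[3],
                    c[4] if len(c) > 4 else None)
            for c in _fields(text, 4, "pg_hba.conf")]


def parse_ident(text: str) -> set:
    """pg_ident.conf rows are MAPNAME OS-USER PG-USER; keep them as a set."""
    return {tuple(c[:3]) for c in _fields(text, 3, "pg_ident.conf")}


def rule_matches(rule: HbaRule, conn_type: str, database: str, pg_user: str) -> bool:
    db_ok = any(d == "all" or d == database
                or (d == "sameuser" and database == pg_user)
                for d in rule.databases)
    user_ok = any(u == "all" or u == pg_user for u in rule.users)
    return rule.conn_type == conn_type and db_ok and user_ok


def ident_allows(ident: set, map_name: Optional[str], os_user: str, pg_user: str) -> bool:
    # the special map 'sameuser' (or no map at all) requires OS user == PG user
    if map_name is None or map_name == "sameuser":
        return os_user == pg_user
    return (map_name, os_user, pg_user) in ident


def authenticate(rules: List[HbaRule], ident: set, database: str, pg_user: str,
                 os_user: str, conn_type: str = "local") -> Tuple[bool, Optional[int], str]:
    """Return (allowed, index of the deciding rule or None, reason)."""
    for idx, rule in enumerate(rules):
        if not rule_matches(rule, conn_type, database, pg_user):
            continue
        # first match decides; a refusal here never falls through to later rules
        if rule.method == "trust":
            return True, idx, "trust"
        if rule.method == "reject":
            return False, idx, "reject"
        if rule.method == "ident":
            ok = ident_allows(ident, rule.option, os_user, pg_user)
            verdict = "accepted" if ok else "refused"
            return ok, idx, f"ident map {rule.option or 'sameuser'} {verdict} OS user {os_user}"
        return False, idx, f"method {rule.method} not modelled"
    return False, None, "no matching pg_hba.conf rule"


# Bruno's sample: user-specific rules first, the sameuser wildcard last.
HBA_GOOD = """
local  all                        postgres  ident  postgres
local  area,book,cube,template1   bruno     ident  sameuser
local  area,book                  nobody    ident  nobody
local  sameuser                   all       ident  sameuser
"""
# Constructed counter-example: the same rules with the wildcard moved first.
HBA_MISORDERED = """
local  sameuser                   all       ident  sameuser
local  all                        postgres  ident  postgres
local  area,book,cube,template1   bruno     ident  sameuser
local  area,book                  nobody    ident  nobody
"""
IDENT = """
postgres  root      postgres
postgres  bruno     postgres
postgres  postgres  postgres
nobody    bruno     nobody
nobody    nobody    nobody
"""
RULES_GOOD = parse_hba(HBA_GOOD)
RULES_BAD = parse_hba(HBA_MISORDERED)
IDENT_MAP = parse_ident(IDENT)

if __name__ == "__main__":
    # root as superuser into a database named 'postgres' (constructed name)
    for label, rules in (("ordered", RULES_GOOD), ("misordered", RULES_BAD)):
        print(label, authenticate(rules, IDENT_MAP, "postgres", "postgres", "root"))
```

With the wildcard moved to the top, root connecting as `postgres` to a database also named `postgres` is caught by the `sameuser` rule, whose `ident sameuser` check refuses `root`, and the `postgres` map one line down is never consulted. The same mechanism is what makes Jerry's case B and C safe: a non-mapped OS user who asks for the `postgres` or `nobody` role hits the specific rule first and is refused there, rather than falling through to a looser rule.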