Discussion: pg_hba, access control for a webserver, superuser, and joe user
pg_hba, access control for a webserver, superuser, and joe user
From:
jerry.nospam@theashergroup.com (Jerry Asher)
Date:
I am running a system with three types of users:

A) Joe User, who may have a pg database. I don't care if Joe User, once logged in to the system, has to type a password or not to get access to his db.

    local sameuser md5

or

    local all ident sameuser

or ?

B) Superuser (postgres) who will need access to all dbs, w/o typing any password other than that of the postgres' pg user. I think I can do this through the use of a line in pg_hba.conf

    local all md5 admins

where admins contains the name of the superuser.

C) Web Server, which will run under one username, but will at times be required to access the databases of many users. This webserver's db mechanism relies on passwords being stored, in the clear, in flat files. I would like to avoid that. I believe I can avoid that in a reasonably secure mode if I use the ident mechanism and manage an ident map in pg_ident.conf.

But permute as I might, I have not been able to piece all of this together. I can accomplish two out of three of these, but the whole solution eludes me.

Does the order of statements in pg_hba.conf matter? Is there a priority and a fallback of sorts? Try this first mechanism and if that fails, try the next mechanism?

What do most people do in this circumstance? Or, what should my pg_hba.conf file look like?

Thanks,

Jerry Asher
jerry.nospam@theashergroup.com (remove the .nospam to send mail)
On Tue, Jan 28, 2003 at 15:39:03 -0800, Jerry Asher <jerry.nospam@theashergroup.com> wrote:
>
> Does the order of statements in pg_hba.conf matter?
> Is there a priority and a fallback of sorts? Try this first mechanism
> and if that fails, try the next mechanism?

Yes, the order matters. Only the first rule that matches is used to do the authentication. If it fails, no other rules are tried.

For your kind of set up, you want to do the user specific rules first (postgres and the web user) followed by the wildcard rule for users connecting to a matching database.

Here is a sample that I use that is similar to what you are trying to do.

HBA:

    local all                      postgres ident postgres
    local area,book,cube,template1 bruno    ident sameuser
    local area,book                nobody   ident nobody
    local sameuser                 all      ident sameuser

IDENT:

    postgres root     postgres
    postgres bruno    postgres
    postgres postgres postgres
    nobody   bruno    nobody
    nobody   nobody   nobody
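As an added illustration (not code from the thread or from PostgreSQL), the script below models the first-match rule the reply describes: it walks the sample HBA lines in order, stops at the first line whose connection type, database and user fields match, and then consults the ident map named on that line. It is a deliberately simplified simulator covering only the `local`/`ident` cases used above; the OS user and database names in the checks are constructed.

```python
# Added example: a simplified model of pg_hba.conf first-match evaluation for
# "local" entries with "ident" maps, using the sample HBA and IDENT lines from
# the reply. Not PostgreSQL's implementation; password methods are not decided.
HBA = """
local all postgres ident postgres
local area,book,cube,template1 bruno ident sameuser
local area,book nobody ident nobody
local sameuser all ident sameuser
"""

IDENT = """
postgres root postgres
postgres bruno postgres
postgres postgres postgres
nobody bruno nobody
nobody nobody nobody
"""

def parse_lines(text):
    """Split config text into token lists, skipping blank and comment lines."""
    return [l.split() for l in text.splitlines() if l.strip() and not l.startswith("#")]

def db_matches(field, db, pguser):
    if field == "all":
        return True
    if field == "sameuser":          # database name must equal the PG user name
        return db == pguser
    return db in field.split(",")    # explicit comma-separated list

def user_matches(field, pguser):
    return field == "all" or pguser in field.split(",")

def ident_allows(mapname, osuser, pguser):
    """Check the pg_ident map: 'sameuser' requires OS user == PG user."""
    if mapname == "sameuser":
        return osuser == pguser
    return any(m == mapname and o == osuser and p == pguser
               for m, o, p in parse_lines(IDENT))

def authenticate(osuser, pguser, db, hba=HBA):
    """Return (index_of_first_matching_rule, allowed). No fallback to later rules."""
    for i, (ctype, dbf, userf, method, *opt) in enumerate(parse_lines(hba)):
        if ctype != "local" or not db_matches(dbf, db, pguser) or not user_matches(userf, pguser):
            continue
        if method == "ident":
            return i, ident_allows(opt[0], osuser, pguser)
        return i, method == "trust"  # password methods cannot be decided here
    return None, False               # no rule matched: connection rejected
```

Note that `authenticate("nobody", "bruno", "book")` is refused by the second rule and never reaches the third, even though a later line would match: that is the "no fallback" behaviour the reply describes.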