Discussion: [ADMIN] Access Control !
Gentlemen,
I have one system that connects with one specific user to the database, so I want to block access for this user only if he comes from the application server.
Thank you
The pg_hba.conf file is going to be required since you want the access to be conditional on the machine and grant/revoke cannot do that.
David J.
Thank you David J.,
But how can I do this?
For example I did this configuration, but it is wrong.
# TYPE DATABASE USER ADDRESS METHOD
I want that user system only connects to the xpto database if it comes from 10.75.15.60, but if this user "system" comes from another address I want to reject this connection. Is it possible?
2017-10-03 13:03 GMT-01:00 David G. Johnston <david.g.johnston@gmail.com>:
On Tue, Oct 3, 2017 at 10:56 AM, Elson Vaz <elsonlei@gmail.com> wrote:
> # TYPE DATABASE USER ADDRESS METHOD
> host xpto system 10.75.15.60/32 md5
> host xpto system 10.72.18.0/24 reject
host xpto system 0.0.0.0/0 reject
Make sure to reload the DB when done.
--Scott
Thank you my friend, it works good,
but I changed the position of reject, like that:
# TYPE DATABASE USER ADDRESS METHOD
host xpto system 10.72.18.0/24 reject
host xpto system 10.75.15.60/32 md5
Thanks again.
2017-10-03 14:01 GMT-01:00 Scott Mead <scottm@openscg.com>:
Be careful with order change. The one proposed by Scott was correct; yours will reject all the connections made by user system to xpto. Documentation says:
> The first record with a matching connection type, client address,
> requested database, and user name is used to perform authentication. There
> is no "fall-through" or "backup": if one record is chosen and the
> authentication fails, subsequent records are not considered.
--
Sent from: http://www.postgresql-archive.org/PostgreSQL-admin-f2076596.html
--
Sent via pgsql-admin mailing list (pgsql-admin@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-admin
Good morning pinker,
Thank you for the approach, but I made this test:
- Reject xpto connection from all addresses and after accept xpto connection from this address - result = works good (locks connection for xpto coming from other addresses and accepts from this address)
# TYPE DATABASE USER ADDRESS METHOD
host xpto system 10.72.18.0/24 reject
host xpto system 0.0.0.0/0 reject
host xpto system 10.75.15.60/32 md5
host all all 0.0.0.0/0 md5
- Accept xpto connection from specific address and after reject from all connections - result = (accepts all connections, that come from all addresses)
# TYPE DATABASE USER ADDRESS METHOD
host xpto system 10.75.15.60/32 md5
host all all 0.0.0.0/0 md5
So, maybe the reading goes from top to bottom? Or is there another explanation? I don't know, I use postgres 9.4.
2017-10-03 20:55 GMT-01:00 pinker <pinker@onet.eu>:
It is read from top to bottom until a specific criterion is true. It stops there and doesn't read through the rest of the lines.
On Wed, Oct 4, 2017 at 06:41 Elson Vaz <elsonlei@gmail.com> wrote:
--
Thanks
Vasanth
Okay, thanks, so why does it not block the xpto connection coming from 10.75.15.60? As we can see, the first configuration could block it ??
# TYPE DATABASE USER ADDRESS METHOD
host xpto system 10.72.18.0/24 reject
host xpto system 0.0.0.0/0 reject
host xpto system 10.75.15.60/32 md5
host all all 0.0.0.0/0 md5
2017-10-04 10:01 GMT-01:00 Vasanth R <rvasanth@gmail.com>:
From the posted message, on the second part of the test it is allowed to accept connections from 10.75.... and not reject.
On Wed, Oct 4, 2017 at 07:16 Elson Vaz <elsonlei@gmail.com> wrote:
--
Thanks
Vasanth
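To make the first-match rule quoted by pinker and restated by Vasanth concrete, here is an added Python example (not code from the thread or from PostgreSQL) that evaluates the record orderings posted above the way the documentation describes: it handles only `host` records, the `all` keyword and CIDR masks, and the three configs are copied from the thread as inline strings. Under that rule, Scott's ordering admits user `system` only from 10.75.15.60, the reject-all-before-allow ordering from the first test rejects 10.75.15.60 too, and the `host all all 0.0.0.0/0 md5` catch-all in the second test is what lets `system` in from every address.

```python
import ipaddress


def parse_hba(text):
    """Parse pg_hba.conf-style lines into (type, db, user, network, method) tuples."""
    records = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if line:
            conn_type, database, user, address, method = line.split()
            net = ipaddress.ip_network(address, strict=False)
            records.append((conn_type, database, user, net, method))
    return records


def match_method(records, database, user, client_ip, conn_type="host"):
    """Return the method of the FIRST matching record, as the server does.

    No fall-through: once a record's type, database, user and address all
    match, its method decides and later records are never consulted.
    Returns None when nothing matches (the server rejects that case too).
    """
    ip = ipaddress.ip_address(client_ip)
    for rtype, rdb, ruser, net, method in records:
        if (rtype == conn_type and rdb in ("all", database)
                and ruser in ("all", user) and ip in net):
            return method
    return None


# The orderings posted in the thread, constructed here as inline strings.
SCOTT_CFG = """host xpto system 10.75.15.60/32 md5
host xpto system 10.72.18.0/24 reject
host xpto system 0.0.0.0/0 reject"""

REJECT_FIRST_CFG = """host xpto system 10.72.18.0/24 reject
host xpto system 0.0.0.0/0 reject
host xpto system 10.75.15.60/32 md5
host all all 0.0.0.0/0 md5"""

CATCHALL_CFG = """host xpto system 10.75.15.60/32 md5
host all all 0.0.0.0/0 md5"""

if __name__ == "__main__":
    for name, cfg in (("scott", SCOTT_CFG), ("reject_first", REJECT_FIRST_CFG),
                      ("catchall", CATCHALL_CFG)):
        recs = parse_hba(cfg)
        for ip in ("10.75.15.60", "10.72.18.5", "192.0.2.9"):
            print(f"{name:12s} {ip:12s} -> {match_method(recs, 'xpto', 'system', ip)}")
```

The evaluator only models record order and matching; the real server additionally checks the chosen method's credentials and, after editing pg_hba.conf, needs a reload before the new order takes effect.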