Обсуждение: BUG #18350: Modifying predefined roles' unlimited connections for VA STIG cybersecurity checklist
BUG #18350: Modifying predefined roles' unlimited connections for VA STIG cybersecurity checklist
От
PG Bug reporting form
Дата:
The following bug has been logged on the website: Bug reference: 18350 Logged by: Martin Nguyen Email address: martin.nguyen@oracle.com PostgreSQL version: 13.7 Operating system: RHEL Description: We have identified an issue where predefined roles are not modifiable, however a Dept. of VA security checklist requires that no roles have unlimited connections. The Predefined roles have unlimited connections, is there a way to modify these?
Re: BUG #18350: Modifying predefined roles' unlimited connections for VA STIG cybersecurity checklist
От
"David G. Johnston"
Дата:
On Fri, Feb 16, 2024 at 2:23 PM PG Bug reporting form <noreply@postgresql.org> wrote:
The following bug has been logged on the website:
Bug reference: 18350
Logged by: Martin Nguyen
Email address: martin.nguyen@oracle.com
PostgreSQL version: 13.7
Operating system: RHEL
Description:
We have identified an issue where predefined roles are not modifiable,
however a Dept. of VA security checklist requires that no roles have
unlimited connections. The Predefined roles have unlimited connections, is
there a way to modify these?
Pre-defined roles do not have the login attribute so the number of connections attribute is irrelevant.
Superusers are not so constrained.
David J.
PG Bug reporting form <noreply@postgresql.org> writes:
> We have identified an issue where predefined roles are not modifiable,
> however a Dept. of VA security checklist requires that no roles have
> unlimited connections. The Predefined roles have unlimited connections, is
> there a way to modify these?
Solution 1: explain to your compliance department that it's pointless
to worry about the connection limit for a role that can't log in.
Solution 2: do a manual UPDATE on pg_authid. This would have to
be done over after any major-version upgrade, though.
regards, tom lane
BUG #18350: Modifying predefined roles' unlimited connections for VA STIG cybersecurity checklist
От
"Wetmore, Matthew (CTR)"
Дата:
I think they mean the application connections from the UI to the backend, not backend SQL user login connection limits.
JAVA would be Hakari max_pool = 10 or something to that effect.
(I've been through this before), but you should check the requirement.
-----Original Message-----
From: Tom Lane <tgl@sss.pgh.pa.us>
Sent: Friday, February 16, 2024 1:36 PM
To: martin.nguyen@oracle.com
Cc: pgsql-bugs@lists.postgresql.org
Subject: [EXTERNAL] Re: BUG #18350: Modifying predefined roles' unlimited connections for VA STIG cybersecurity
checklist
PG Bug reporting form <noreply@postgresql.org> writes:
> We have identified an issue where predefined roles are not modifiable,
> however a Dept. of VA security checklist requires that no roles have
> unlimited connections. The Predefined roles have unlimited
> connections, is there a way to modify these?
Solution 1: explain to your compliance department that it's pointless to worry about the connection limit for a role
thatcan't log in.
Solution 2: do a manual UPDATE on pg_authid. This would have to be done over after any major-version upgrade, though.
regards, tom lane
On 2024-02-16 Fr 16:35, Tom Lane wrote: > PG Bug reporting form <noreply@postgresql.org> writes: >> We have identified an issue where predefined roles are not modifiable, >> however a Dept. of VA security checklist requires that no roles have >> unlimited connections. The Predefined roles have unlimited connections, is >> there a way to modify these? > Solution 1: explain to your compliance department that it's pointless > to worry about the connection limit for a role that can't log in. > > Solution 2: do a manual UPDATE on pg_authid. This would have to > be done over after any major-version upgrade, though. > > Also note that this is not by any stretch of the imagination a bug. cheers andrew -- Andrew Dunstan EDB: https://www.enterprisedb.com