Help with access control settings in pg_hba.conf -- AAAARGH!

From: Victor Danilchenko <danilche(at)cs(dot)umass(dot)edu>
To: pgsql-admin(at)postgresql(dot)org
Subject: Help with access control settings in pg_hba.conf -- AAAARGH!
Date: 2005-01-27 15:01:48
Message-ID: Pine.OSX.4.50.0501270949130.17513-100000@phobos.cs.umass.edu
Lists: pgsql-admin
	Hi,

	I am trying to set up a database server with multiple DB
clusters, so that in each cluster a number of users have their own
database each, with passwordless access (we can trust the network
security in our installation). The following is what seems like it
*should* work:

host    all             all     127.0.0.1       255.255.255.255 password
host    sameuser        all     xxx.xxx.xxx.0   255.255.255.128 ident sameuser
host    all             @fac    xxx.xxx.xxx.0   255.255.255.128 trust

	The second line ("host sameuser") is the problem. It doesn't
work -- when trying to connect, I keep getting error messages:

$ whoami
testuser
$ psql -h db-edlab -p 7666 testuser testuser
psql: FATAL:  IDENT authentication failed for user "testuser"

	If I replace 'ident sameuser' with 'trust' there, it works fine
-- but then any user can access anyone else's database, providing they
request the same password.

	The idea is that each user should be able to access only their
database, only as themselves, without password -- but I can't figure out
what I am doing wrong. Any help? If what I am trying to do is
impossible, is there any other way to achieve such a goal -- i.e.
passwordless access that allows each user to access only their own
database over the network?


	BTW, as long as I am writing, a somewhat related question, which
is not nearly as important as the previous one.

	I launch multiple postmaster processes, each servicing a
dedicated DB cluster on a dedicated port. The problem is that I only
ever see *one* local UNIX socket (/tmp/.s.PGSQL.<portnumber>) file.
There is a .lock file created corresponding to each server/port combo,
but it looks like each subsequent instance of the postmaster kills the
previous instance's UNIX socket. Is this how it should be -- and if so,
are there any pg_ctl options I can pass in to make it simply not create
the UNIX sockets altogether, so that only network operations are
supported? At the moment, I am doing admin access through the loopback
device, so it's not a big issue.

-- 
|  Victor  Danilchenko  | Give a man a match, and he will be warm   |
| danilche(at)cs(dot)umass(dot)edu | for a moment; but set him on fire, and    |
|   CSCF   |   5-4231   | he will be warm for the rest of his life. |
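
Added example, not part of the original message: a small Python model of how pg_hba.conf records are selected (the first record matching address, database and user is used, with no fall-through if its method fails), applied to the three records quoted above. The subnet 192.0.2.0 stands in for the redacted xxx.xxx.xxx.0, and the @fac membership, client addresses and helper names are constructed for the example.

```python
import ipaddress

# Constructed stand-ins: 192.0.2.0 replaces the redacted xxx.xxx.xxx.0,
# and the membership of the @fac file is invented for the example.
HBA = """\
host    all             all     127.0.0.1       255.255.255.255 password
host    sameuser        all     192.0.2.0       255.255.255.128 ident sameuser
host    all             @fac    192.0.2.0       255.255.255.128 trust
"""
GROUPS = {"fac": {"profsmith"}}


def parse(text):
    """Parse address/netmask-style host records into dicts."""
    rules = []
    for line in text.splitlines():
        f = line.split("#", 1)[0].split()
        if len(f) < 6 or f[0] != "host":
            continue
        net = ipaddress.ip_network(f"{f[3]}/{f[4]}", strict=False)
        rules.append({"db": f[1], "user": f[2], "net": net,
                      "method": " ".join(f[5:])})
    return rules


def db_matches(field, db, user):
    return field == "all" or (field == "sameuser" and db == user) or field == db


def user_matches(field, user):
    if field.startswith("@"):
        return user in GROUPS.get(field[1:], set())
    return field == "all" or field == user


def first_match(rules, client_ip, db, user):
    """Return (1-based record number, method) of the first matching record.

    Only that record is used: if its method fails, later records are not tried.
    """
    ip = ipaddress.ip_address(client_ip)
    for n, r in enumerate(rules, 1):
        if ip in r["net"] and db_matches(r["db"], db, user) and user_matches(r["user"], user):
            return n, r["method"]
    return None  # no record matches: the server rejects the connection
```

In this model, testuser asking for database testuser from 192.0.2.10 resolves to record 2 (ident sameuser), and a member of @fac reaches the trust record only when asking for a database other than their own.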
