From: | "David G(dot) Johnston" <david(dot)g(dot)johnston(at)gmail(dot)com> |
---|---|
To: | Nick <lists2(at)ageofdream(dot)com> |
Cc: | pgsql-general(at)lists(dot)postgresql(dot)org |
Subject: | Re: Initial Postgres admin account setup using Ansible? |
Date: | 2025-01-01 00:32:58 |
Message-ID: | CAKFQuwbW_M6Bd5pncjrWRHzpWw1pUr093MAge53zRpayL02LdA@mail.gmail.com |
Lists: | pgsql-general |
On Tue, Dec 31, 2024 at 5:17 PM Nick <lists2(at)ageofdream(dot)com> wrote:
>
> ```
> local all all peer map=ansible_map
> ```
>
>
> In `pg_ident.conf`, add:
>
> ```
> ansible_map ansible postgres
> ansible_map postgres postgres
> ```
>
> This seems to work, but is it secure? If USER is `all` in
> `pg_hba.conf`, can any POSIX account login?
>
>
The presence of the mapping file reference makes the entry secure in the
sense that only those connection combinations that are explicitly permitted
can happen. The "all" is automatically restricted to those accounts listed
in the file. At worst you might get an unwanted failure if, say, you
wanted some other account "alice" to be able to connect to the cluster
using the role "alice". The "all" would match and use the mapping that
doesn't include "alice".
David J.
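
Added example, not part of the original message: a simplified Python model of how a single `peer map=ansible_map` line combined with the quoted `pg_ident.conf` entries decides which (OS user, role) pairs connect, including the "alice" failure case. The function names `parse_ident` and `peer_allowed` are hypothetical, regex entries are approximated with Python's `re`, and quoting and other `pg_ident.conf` features are not modelled.

```python
import re

# Constructed sample: the pg_ident.conf lines quoted in the thread.
PG_IDENT = """
ansible_map ansible postgres
ansible_map postgres postgres
"""

def parse_ident(text):
    """Return (map_name, system_user, db_role) tuples, skipping comments and blanks."""
    entries = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) == 3:
            entries.append(tuple(fields))
    return entries

def peer_allowed(entries, map_name, os_user, requested_role):
    """Simplified ident-map check for one hba line carrying map=map_name.

    `local all all peer map=...` matches every local connection, and
    PostgreSQL uses the first matching hba line without falling through,
    so the result depends only on whether the map pairs os_user with
    requested_role.
    """
    for name, sys_user, db_role in entries:
        if name != map_name:
            continue
        if sys_user.startswith("/"):
            # Regex form: \1 in the role column is the first capture group.
            m = re.search(sys_user[1:], os_user)
            if not m:
                continue
            role = db_role.replace(r"\1", m.group(1) or "") if m.groups() else db_role
        elif sys_user == os_user:
            role = db_role
        else:
            continue
        if role == requested_role:
            return True
    return False

if __name__ == "__main__":
    entries = parse_ident(PG_IDENT)
    for os_user, role in [("ansible", "postgres"), ("postgres", "postgres"),
                          ("alice", "alice"), ("alice", "postgres")]:
        verdict = "allow" if peer_allowed(entries, "ansible_map", os_user, role) else "reject"
        print(f"{os_user:>8} -> {role:<8} {verdict}")
```
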