Re: docs about security

speeves(at)unt(dot)edu (speeves) wrote in message news:<d6351bca(dot)0110171022(dot)1cce600(at)posting(dot)google(dot)com>...
> Hi!
>
> I am resending a plea for some good security docs, or locations
> thereof. I have been wrestling with security on Postgres for some
> time, and have finally given up for a time. Is there a chance that
> someone could write a good tutorial, or a chapter in a book, that can
> explain the various aspects of security on Postgres.
>
> The reason that I am asking, is because I have been trying to see if
> Postgres would/could be a replacement for our 30+ databases(access +
> sql server). From the understanding that I get from what I read it
> doesn't look like I can do the security scheme that I want. (I have
> great respect for all of you who are working on a great product, but
> as of now, I can't wrap my brain around your security scheme...:( )
>
> Thanks for letting me vent,
>
> Speeves
> Well, my book does cover it a little:
>
> http://www.postgresql.org/docs/awbook.html
>
> There is table-level security (GRANT), view-level security, and
> database/host access security.
>
> Tell us what you want to do and we can tell you if you can do it with
> PostgreSQL.
>
> --
> Bruce Momjian | http://candle.pha.pa.us
> pgman(at)candle(dot)pha(dot)pa(dot)us | (610) 853-3000
> + If your life is a hard drive, | 830 Blythe Avenue
> + Christ can be your backup. | Drexel Hill, Pennsylvania 19026
Thanks for the quick reply!:)

What I am trying to do, is, (for example), prepare a test setup for a
class. I have setup the pg_hba.conf file as :

host test1 123.456.789.45 255.255.255.255 password test1

(I am just using password, cause I want to understand what is going on
before I start messing with crypt and the other aspects of
authentication.)

The database resides on:

123.456.785.56

I have setup a password file using pg_passwd and set it in $PGDATA and
have tested it locally. (Except the pg_hba.conf file has:

(local computer w/ db)
host all 123.456.789.56 255.255.255.255 password test (test file
contains superuser, test1 doesn't)

When I sit at remote computer (123.456.789.45) I try to login to test1
db and it works but... I need to log-in the first time as a
super-user to allow it to update some server side information. Is
this a security default? Is there a way around it? If I have a class
of 10 people with 10 different db's, it's a pain to have to login as a
superuser to all of the db's. Esp. if they are only going to use it
one time. On a larger scale, am I going to have to sit at (ie) 5000
computers around campus to update the server side stuff for every new
dsn that is created? Or, is it that I can login once as superuser to
every db that is created and it will allow simple users to access the
db ever-after? (Still a pain...) (Oh, I am using PgAdmin on windows
machines for clients, and postgresql is running on a linux box.)

The next question is... Can I allow access to multiple dbs on one
line, such as:

host test1,test 123.456.789.45 255.255.255.255 password test1 (test1
contains username blah only)

Can I do it on multiple lines in the conf file? When doing this for a
large organization, this seems like an administrative behemoth... I
guess some sort of web interface would make it easier for the end-user
that needs to create db's...?

Is it possible to create containers so that multiple departments can
have a superuser that can create db's in their container, but not in
someone elses container? (We're talking about possibly 100's of
departments inside about 10 colleges and administrative offices.)
>From what I see now, a superuser can create db's any and everywhere on
the server...

I had some other's, but am unable to remember them.

Again, thanks for your help! (And by the way, I enjoyed your book:) )

--
Shannon Peevey
Central Web Support
UNT-Computing Center
speeves(at)unt(dot)edu
940-369-8876