public inbox for [email protected]
From: David G. Johnston <[email protected]>
To: Nick <[email protected]>
Cc: [email protected]
Subject: Re: Initial Postgres admin account setup using Ansible?
Date: Tue, 31 Dec 2024 17:32:58 -0700
Message-ID: <CAKFQuwbW_M6Bd5pncjrWRHzpWw1pUr093MAge53zRpayL02LdA@mail.gmail.com>
In-Reply-To: <[email protected]>
References: <[email protected]>
<CAMDzVO_HnP+V6bL0myTt0=RRXYLNOfj4XszEKa+LvPSnePO9yg@mail.gmail.com>
<[email protected]>
On Tue, Dec 31, 2024 at 5:17 PM Nick <[email protected]> wrote:
>
> ```
> local all all peer map=ansible_map
> ```
>
>
> In `pg_ident.conf`, add:
>
> ```
> ansible_map ansible postgres
> ansible_map postgres postgres
> ```
>
>
> This seems to work, but is it secure? If USER is `all` in
> `pg_hba.conf`, can any POSIX account login?
>
>
The presence of the mapping file reference makes the entry secure in the
sense that only those connection combinations that are explicitly permitted
can happen. The "all" is automatically restricted to those accounts listed
in the file. At worst you might get an unwanted failure if, say, you
wanted some other account "alice" to be able to connect to the cluster
using the role "alice". The "all" would match and use the mapping that
doesn't include "alice".
David J.
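To make the behaviour David describes concrete, here is a small simulator of how a `local ... peer map=...` line in `pg_hba.conf` and the referenced `pg_ident.conf` map decide a connection. This is added example code, not part of the thread and not PostgreSQL's own code; it models only `local` lines with the `peer` method, takes the first matching `pg_hba.conf` line as decisive (as PostgreSQL does), and also handles the `/regex` form of the system-username field with `\1` substitution, which goes beyond the literal entries quoted in the thread. The configuration strings and the extra `ansible-svc` entry used for the regex case are constructed for the example.

```python
import re

# Constructed configuration fragments, modelled on the ones quoted in the thread.
PG_HBA = """\
# TYPE  DATABASE  USER  METHOD  OPTIONS
local   all       all   peer    map=ansible_map
"""

PG_IDENT = """\
# MAPNAME      SYSTEM-USERNAME  PG-USERNAME
ansible_map    ansible          postgres
ansible_map    postgres         postgres
"""


def _fields(text):
    """Yield the whitespace-split fields of each non-empty, non-comment line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line.split()


def load_ident_map(text):
    """Parse pg_ident.conf into {mapname: [(system_user, pg_user), ...]}."""
    maps = {}
    for f in _fields(text):
        if len(f) != 3:
            raise ValueError(f"bad pg_ident.conf line: {f}")
        maps.setdefault(f[0], []).append((f[1], f[2]))
    return maps


def ident_map_allows(entries, system_user, pg_user):
    """True if some entry of the map lets system_user connect as pg_user.

    A system-username starting with '/' is a regular expression (matched
    unanchored, like PostgreSQL); its first capture group replaces a '\\1'
    in the pg-username.  Any other entry must match both names literally.
    """
    for sys_pat, pg_pat in entries:
        if sys_pat.startswith("/"):
            m = re.search(sys_pat[1:], system_user)
            if not m:
                continue
            target = pg_pat
            if "\\1" in pg_pat and m.groups():
                target = pg_pat.replace("\\1", m.group(1))
            if target == pg_user:
                return True
        elif sys_pat == system_user and pg_pat == pg_user:
            return True
    return False


def local_peer_decision(hba_text, ident_text, database, requested_role, system_user):
    """Decide a Unix-socket connection the way pg_hba.conf + pg_ident.conf would.

    Returns 'allow', 'deny' or 'no matching hba line'.  Simplifications
    (assumptions of this example): only 'local' lines are considered, the
    DATABASE/USER fields are 'all' or a single name, and any method other
    than 'peer' is reported as 'deny'.
    """
    maps = load_ident_map(ident_text)
    for f in _fields(hba_text):
        if len(f) < 4 or f[0] != "local":
            continue
        _ctype, db, user, method, *opts = f
        if db != "all" and db != database:
            continue
        if user != "all" and user != requested_role:
            continue   # keep looking: this line does not apply to the role
        if method != "peer":
            return "deny"
        options = dict(o.split("=", 1) for o in opts if "=" in o)
        if "map" not in options:
            # Plain peer auth: the OS account name must equal the role name.
            return "allow" if system_user == requested_role else "deny"
        entries = maps.get(options["map"], [])
        return "allow" if ident_map_allows(entries, system_user, requested_role) else "deny"
    return "no matching hba line"


if __name__ == "__main__":
    for role, os_user in [("postgres", "ansible"), ("postgres", "postgres"),
                          ("alice", "alice"), ("postgres", "alice")]:
        print(f"os user {os_user!r} as role {role!r}: "
              f"{local_peer_decision(PG_HBA, PG_IDENT, 'postgres', role, os_user)}")
```

Running it shows the two mapped combinations allowed and both `alice` attempts denied: the `all` in the USER column only widens which roles the line applies to, and the map then decides which OS accounts may actually claim each role. The `alice`-as-`alice` denial is exactly the "unwanted failure" David mentions; because the first matching line wins, the usual fix is to put a `local all alice peer` line above the mapped one, or to add an `ansible_map alice alice` entry.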