From: "David G. Johnston"
To: Nick
Cc: pgsql-general@lists.postgresql.org
Date: Tue, 31 Dec 2024 17:32:58 -0700
Subject: Re: Initial Postgres admin account setup using Ansible?
In-Reply-To: <36cebb6894294c521aa92a8f1183d8e9dfb2e379.camel@ageofdream.com>

On Tue, Dec 31, 2024 at 5:17 PM Nick wrote:

> ```
> local all all peer map=ansible_map
> ```
>
> In `pg_ident.conf`, add:
>
> ```
> ansible_map ansible postgres
> ansible_map postgres postgres
> ```
>
> This seems to work, but is it secure? If USER is `all` in
> `pg_hba.conf`, can any POSIX account login?

The presence of the mapping file reference makes the entry secure in the sense that only those connection combinations that are explicitly permitted can happen. The "all" is automatically restricted to those accounts listed in the file. At worst you might get an unwanted failure if, say, you wanted some other account "alice" to be able to connect to the cluster using the role "alice". The "all" would match and use the mapping that doesn't include "alice".

David J.
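As an added example (not code from the thread and not PostgreSQL's own implementation), the following Python models how the quoted `pg_hba.conf` entry and `pg_ident.conf` map are evaluated for a peer-authenticated Unix-socket login, including the "alice" failure David describes. The `/regex` and `\1` branch in `ident_allows` follows PostgreSQL's documented rule and goes beyond the thread's plain-name map; the function names `parse_conf`, `ident_allows` and `peer_login_allowed` are my own, and the config text is a constructed inline copy of the two entries from the thread.

```python
import re

# Constructed copies of the two entries quoted in the thread (not live files).
PG_HBA = "local   all   all   peer   map=ansible_map"
PG_IDENT = """
# MAPNAME      SYSTEM-USERNAME   PG-USERNAME
ansible_map    ansible           postgres
ansible_map    postgres          postgres
"""

def parse_conf(text):
    """Whitespace-separated fields per line; '#' comments and blanks dropped."""
    lines = (l.split("#", 1)[0].split() for l in text.splitlines())
    return [f for f in lines if f]

def ident_allows(ident_rows, mapname, os_user, role):
    """Does map `mapname` let OS account `os_user` become role `role`?
    A SYSTEM-USERNAME starting with '/' is a regex; '\\1' in PG-USERNAME
    is replaced by its first capture group (PostgreSQL's documented rule)."""
    for name, sysuser, pguser in ident_rows:
        if name != mapname:
            continue
        if sysuser.startswith("/"):
            m = re.search(sysuser[1:], os_user)
            if m is None:
                continue
            pguser = pguser.replace("\\1", m.group(1)) if "\\1" in pguser else pguser
        elif sysuser != os_user:
            continue
        if pguser == role:
            return True
    return False  # no row in this map admits os_user -> role

def peer_login_allowed(hba_text, ident_text, database, role, os_user):
    """Apply the first matching 'local' entry. USER 'all' matches every role,
    but with peer auth the map then decides which OS account may use it."""
    ident_rows = parse_conf(ident_text)
    for ctype, db, user, method, *opts in parse_conf(hba_text):
        if ctype != "local" or db not in ("all", database) or user not in ("all", role):
            continue
        if method != "peer":
            return False  # only the peer method is modelled here
        maps = [o.split("=", 1)[1] for o in opts if o.startswith("map=")]
        if not maps:
            return os_user == role  # peer without a map: names must be equal
        return ident_allows(ident_rows, maps[0], os_user, role)
    return False  # no matching entry: connection rejected
```

Running the cases from the thread shows `ansible` and `postgres` can become `postgres`, while `alice` connecting as `alice` matches the `all` entry but is rejected by the map.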