Re: [HACKERS] USER Profiles for PostgreSQL

From: Stephen Frost <sfrost(at)snowman(dot)net>
To: John R Pierce <pierce(at)hogranch(dot)com>
Cc: pgsql-general(at)postgresql(dot)org
Subject: Re: [HACKERS] USER Profiles for PostgreSQL
Date: 2017-09-20 13:55:47
Message-ID: 20170920135547.GD4628@tamriel.snowman.net
Lists: pgsql-general pgsql-hackers

John,

* John R Pierce (pierce(at)hogranch(dot)com) wrote:
> On 9/19/2017 3:32 PM, chiru r wrote:
> >How those application accounts get recognized in database?
> >
> >Let say  App_user1 authenticated through application ,after that
> >how the App_user1 get access to DB?
> >
> >can you please provide more information ,how the app users are
> >accessing database ?
>
> the user isn't accessing the database, the application itself is
> accessing the database.   a web app might have 10s of 1000s of
> unique users, but a web app typically only uses a single application
> account to access the database.

While that's one approach, it's certainly not the only one (and not
necessarily considered a good approach either..).

If AD is in the mix here, then there's no need to have things happening
at the database level when it comes to passwords- configure PG to use
Kerberos and create a princ in AD and put that on the database server
and then users can authenticate that way.

Further, applications can be configured to accept and proxy Kerberos
credentials from the user to authenticate with to the database, allowing
the application to actually be logged in as the user for that session,
with only those rights the user has.

Group/Role membership does still have to be sync'd between the AD/LDAP
directory and the database for those permissions to be set up, but that
isn't all that hard to do using a cronjob and ldap_fdw, or similar,
people just have to realize that there's a bit of lag. The same goes
for creating accounts in the first place in the database, of course.

Thanks!

Stephen
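The Kerberos setup Stephen describes, written out as an added configuration example (not from the thread or the PostgreSQL project). The realm EXAMPLE.COM, the keytab path, the client subnet and the map name "ad" are assumptions; the keytab is the one created for the database host's service principal in AD. The `gss` method and its `include_realm`, `krb_realm` and `map` options, plus the regex mapping in pg_ident.conf, are standard PostgreSQL features:

```conf
# postgresql.conf (constructed example; the keytab path is a placeholder)
# Keytab holding the database host's service principal exported from AD.
krb_server_keyfile = '/etc/postgresql/postgres.keytab'

# pg_hba.conf: only Kerberos (GSSAPI) for the application hosts; the
# principal is mapped to a database role through the "ad" map below.
# Restricting krb_realm stops principals from other trusted realms.
# TYPE  DATABASE  USER  ADDRESS      METHOD
host    all       all   10.0.0.0/8   gss include_realm=1 krb_realm=EXAMPLE.COM map=ad

# pg_ident.conf: strip the realm, so alice@EXAMPLE.COM logs in as role "alice".
# MAPNAME  SYSTEM-USERNAME         PG-USERNAME
ad         /^(.*)@EXAMPLE\.COM$    \1
```

With this in place no password for these users ever lives in the database; the role still has to exist (with LOGIN and the right group memberships) for the mapped login to succeed, which is what the membership sync takes care of.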

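The group/role sync Stephen mentions as a cron job, as an added example that is not code from the thread or from ldap_fdw. The two snapshots are constructed inline (in practice one comes from the directory, the other from pg_roles/pg_auth_members); the function only plans the SQL, so it can be reviewed or run in a transaction by the job. Role and group names are hypothetical.

```python
"""Reconcile AD/LDAP group membership with PostgreSQL role membership.

Added example. Given a snapshot of the directory and a snapshot of the
database, emit the SQL a periodic job would run to make them match.
Login roles get no password: authentication happens in Kerberos, the
database only needs the role to exist with the right memberships.
"""
from __future__ import annotations

from dataclasses import dataclass, field


def quote_ident(name: str) -> str:
    """Quote a SQL identifier; embedded double quotes are doubled so a
    directory entry with odd characters cannot break the statement."""
    return '"' + name.replace('"', '""') + '"'


@dataclass
class Snapshot:
    """Known login names plus group -> set of member login names."""
    users: set[str] = field(default_factory=set)
    groups: dict[str, set[str]] = field(default_factory=dict)


def plan_sync(directory: Snapshot, database: Snapshot) -> list[str]:
    """Return the statements that bring `database` in line with `directory`.

    Memberships the directory no longer lists are revoked and logins that
    vanished from the directory are disabled (not dropped: dropping needs
    owned objects reassigned first), so a change in AD takes effect at the
    next run, with the lag the mail mentions.
    """
    stmts: list[str] = []

    # 1. Group roles the directory has but the database lacks.
    for group in sorted(directory.groups.keys() - database.groups.keys()):
        stmts.append(f"CREATE ROLE {quote_ident(group)} NOLOGIN;")

    # 2. Login roles for directory users missing in the database.
    for user in sorted(directory.users - database.users):
        stmts.append(f"CREATE ROLE {quote_ident(user)} LOGIN;")

    # 3. Memberships: grant what is missing, revoke what is stale.
    for group in sorted(directory.groups):
        # Members without a known login (e.g. service objects) are skipped,
        # otherwise the GRANT would fail on a role that was never created.
        wanted = directory.groups[group] & directory.users
        have = database.groups.get(group, set())
        for user in sorted(wanted - have):
            stmts.append(f"GRANT {quote_ident(group)} TO {quote_ident(user)};")
        for user in sorted(have - wanted):
            stmts.append(f"REVOKE {quote_ident(group)} FROM {quote_ident(user)};")

    # 4. Logins that disappeared from the directory can no longer connect.
    for user in sorted(database.users - directory.users):
        stmts.append(f"ALTER ROLE {quote_ident(user)} NOLOGIN;")

    return stmts


# Constructed sample snapshots (hypothetical names).
DIRECTORY = Snapshot(
    users={"alice", "bob", "carol"},
    groups={"db_readers": {"alice", "bob"}, "db_writers": {"carol", "ghost"}},
)
DATABASE = Snapshot(
    users={"alice", "dave"},
    groups={"db_readers": {"alice", "dave"}},
)

if __name__ == "__main__":
    for stmt in plan_sync(DIRECTORY, DATABASE):
        print(stmt)
```

Running the job inside one transaction keeps a half-applied sync from leaving a user with a login role but no memberships if the directory query fails midway.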