From: | stig erikson <stigerikson_nospam_(at)yahoo(dot)se> |
---|---|
To: | pgsql-admin(at)postgresql(dot)org |
Subject: | Re: Help with access control settings in pg_hba.conf -- AAAARGH! |
Date: | 2005-01-30 22:55:03 |
Message-ID: | ctjoka$2ehp$1@news.hub.org |
Lists: | pgsql-admin |
Victor Danilchenko wrote:
> Hi,
>
> I am trying to set up a database server with multiple DB
> clusters, so that in each cluster a number of users have their own
> database each, with passwordless access (we can trust the network
> security in our installation). The following is what seems like it
> *should* work:
>
> host all all 127.0.0.1 255.255.255.255 password
> host sameuser all xxx.xxx.xxx.0 255.255.255.128 ident sameuser
> host all @fac xxx.xxx.xxx.0 255.255.255.128 trust
>
> The second line ("host sameuser") is the problem. It doesn't
> work -- when trying to connect, I keep getting error messages:
>
> $ whoami
> testuser
> $ psql -h db-edlab -p 7666 testuser testuser
> psql: FATAL: IDENT authentication failed for user "testuser"
>
> If I replace 'ident sameuser' with 'trust' there, it works fine
> -- but then any user can access anyone else's database, providing they
> request the same password.
You need to read the manual to understand what same user does/does not do.
>
> The idea is that each user should be able to access only their
> database, only as themselves, without password -- but I can't figure out
> what I am doing wrong. Any help? if what I am trying to do is
> impossible, is there any other way to achieve such a goal -- i.e.
> passwordless access that allows each user to access only their own
> database over the network?
>
I have not had the need for this, but I guess that the SQL commands GRANT and/or
REVOKE can be of help; look in the manual.
>
> BTW, as long as I am writing, a somewhat related question, which
> is not nearly as important as the previous one.
>
> I launch multiple postmaster processes, each servicing a
> dedicated DB cluster on a dedicated port. The problem is that I only
> ever see *one* local UNIX socket (/tmp/.s.PGSQL.<portnumber>) file.
> There is a .lock file created corresponding to each server/port combo,
> but it looks like each subsequent instance of the postmaster kills the
> previous instance's UNIX socket. Is this how it should be -- and if so,
> are there any pg_ctl options I can pass in to make it simply not create
> the UNIX sockets altogether, so that only network operations are
> supported? At the moment, I am doing admin access through the loopback
> device, so it's not a big issue.
>
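
How the server chooses among the three pg_hba.conf records quoted above, as an added example that is not part of the original thread: the first record whose address, database and user fields all match decides the method, and later records are never consulted. The subnet 192.0.2.0 stands in for the elided xxx.xxx.xxx.0, the contents of the `@fac` file and all function names are constructed for illustration, and only record selection is modelled, not the authentication step itself.

```python
import ipaddress

# The three records from the post: type, database, user, address, mask, method.
# xxx.xxx.xxx.0 is elided in the post; 192.0.2.0 is a constructed stand-in.
HBA = """\
host all      all  127.0.0.1 255.255.255.255 password
host sameuser all  192.0.2.0 255.255.255.128 ident sameuser
host all      @fac 192.0.2.0 255.255.255.128 trust
"""
# Constructed contents of the user-name file that @fac refers to.
FAC = {"fac": {"prof"}}

def parse(text):
    """Turn host records into (database, user, network, method) tuples."""
    records = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if not fields:
            continue
        _type, db, user, addr, mask = fields[:5]
        net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        records.append((db, user, net, " ".join(fields[5:])))
    return records

def db_matches(field, db, user):
    # "sameuser" matches only when the requested database is named like the user.
    return any(f == "all" or f == db or (f == "sameuser" and db == user)
               for f in field.split(","))

def user_matches(field, user, files):
    for f in field.split(","):
        if f.startswith("@"):                 # names listed in a separate file
            if user in files.get(f[1:], set()):
                return True
        elif f == "all" or f == user:
            return True
    return False

def first_match(records, client_ip, db, user, files=FAC):
    """Method of the first matching record; there is no fall-through."""
    ip = ipaddress.ip_address(client_ip)
    for rec_db, rec_user, net, method in records:
        if ip in net and db_matches(rec_db, db, user) \
                and user_matches(rec_user, user, files):
            return method
    return "reject (no matching record)"
```

With `trust` substituted for `ident sameuser` on the second record, the same lookup returns `trust` for any claimed user name paired with the database of that name, which is the behaviour the original poster describes.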