Discussion: [ADMIN] Access Control !


[ADMIN] Access Control !

From
Elson Vaz
Date:
Gentlemen,

I have one system that connects with one specific user to the database, so I want to block access for this user only if he comes from the application server.

Thank you

Re: [ADMIN] Access Control !

From
"David G. Johnston"
Date:
On Tue, Oct 3, 2017 at 6:46 AM, Elson Vaz <elsonlei@gmail.com> wrote:
The pg_hba.conf file is going to be required since you want the access to be conditional on the machine and grant/revoke cannot do that.

David J.

Re: [ADMIN] Access Control !

From
Elson Vaz
Date:
Thank you David J.,

But how can I do this?
For example I did this configuration, but it is wrong.

# TYPE  DATABASE  USER    ADDRESS         METHOD
host    xpto      system  10.75.15.60/32  md5
host    xpto      system  10.72.18.0/24   reject


I want that user system only connects to the xpto database if it comes from 10.75.15.60, but if this user "system" comes from another address I want to reject this connection. Is it possible?

2017-10-03 13:03 GMT-01:00 David G. Johnston <david.g.johnston@gmail.com>:

Re: [ADMIN] Access Control !

From
Scott Mead
Date:
On Tue, Oct 3, 2017 at 10:56 AM, Elson Vaz <elsonlei@gmail.com> wrote:
Thank you David J.,

But how can I do this?
For example I did this configuration, but it is wrong.

# TYPE  DATABASE  USER    ADDRESS         METHOD
host    xpto      system  10.75.15.60/32  md5
host    xpto      system  10.72.18.0/24   reject
host    xpto      system  0.0.0.0/0       reject

Make sure to reload the DB when done.

--Scott

-- 
Scott Mead
Sr. Architect
OpenSCG

Re: [ADMIN] Access Control !

From
Elson Vaz
Date:
Thank you my friend, it works well,

but I changed the position of reject, like that:

# TYPE  DATABASE  USER    ADDRESS         METHOD
host    xpto      system  10.72.18.0/24   reject
host    xpto      system  0.0.0.0/0       reject
host    xpto      system  10.75.15.60/32  md5



Thanks again.

2017-10-03 14:01 GMT-01:00 Scott Mead <scottm@openscg.com>:

Re: [ADMIN] Access Control !

From
pinker
Date:
Be careful with the order change. The one proposed by Scott was correct; yours will
reject all the connections made by user system to xpto. Documentation says:

> The first record with a matching connection type, client address,
> requested database, and user name is used to perform authentication. There
> is no "fall-through" or "backup": if one record is chosen and the
> authentication fails, subsequent records are not considered.

--
Sent from: http://www.postgresql-archive.org/PostgreSQL-admin-f2076596.html


-- 
Sent via pgsql-admin mailing list (pgsql-admin@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-admin

Re: [ADMIN] Access Control !

From
Elson Vaz
Date:
Good morning pinker,

Thank you for the approach, but I made this test:
  1.  Reject xpto connection from all addresses and then accept xpto connection from this address - result = works well (locks the connection for xpto coming from another address and accepts from this address)

# TYPE  DATABASE  USER    ADDRESS         METHOD
host    xpto      system  10.72.18.0/24   reject
host    xpto      system  0.0.0.0/0       reject
host    xpto      system  10.75.15.60/32  md5
host    all       all     0.0.0.0/0       md5
 
 
  2.  Accept xpto connection from a specific address and then reject all connections - result = (accepts all connections coming from all addresses)

# TYPE  DATABASE  USER    ADDRESS         METHOD
host    xpto      system  10.75.15.60/32  md5
host    all       all     0.0.0.0/0       md5
host    xpto      system  10.72.18.0/24   reject
host    xpto      system  0.0.0.0/0       reject


So, maybe the reading goes from top to bottom? Or is there another explanation? I don't know; I use postgres 9.4.

2017-10-03 20:55 GMT-01:00 pinker <pinker@onet.eu>:

Re: [ADMIN] Access Control !

From
Vasanth R
Date:
It is read from top to bottom until a specific criterion is true. It stops there and doesn't read through the rest of the lines.
On Wed, Oct 4, 2017 at 06:41 Elson Vaz <elsonlei@gmail.com> wrote:

--
Thanks
Vasanth

Re: [ADMIN] Access Control !

From
Elson Vaz
Date:
Okay, thanks, so why did it not block the xpto connection coming from 10.75.15.60? As we can see, the first configuration could block it??

# TYPE  DATABASE  USER    ADDRESS         METHOD
host    xpto      system  10.72.18.0/24   reject
host    xpto      system  0.0.0.0/0       reject
host    xpto      system  10.75.15.60/32  md5
host    all       all     0.0.0.0/0       md5

2017-10-04 10:01 GMT-01:00 Vasanth R <rvasanth@gmail.com>:

Re: [ADMIN] Access Control !

From
Vasanth R
Date:
From the posted message, in the second part of the test it is allowed to accept connections from 10.75.... and not reject.
On Wed, Oct 4, 2017 at 07:16 Elson Vaz <elsonlei@gmail.com> wrote:

--
Thanks
Vasanth
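Added example, not code from any poster in this thread: a small Python model of the first-match rule pinker quoted from the documentation, run over Scott's ordering and the two test orderings from Elson's message. The client addresses 10.72.18.5 and 192.0.2.10 are constructed sample values, and only `host` records with exact or `all` database/user names are modelled.

```python
import ipaddress

# Constructed copies of the three pg_hba.conf orderings discussed in the thread.
HBA_SCOTT = """
host  xpto  system  10.75.15.60/32  md5
host  xpto  system  10.72.18.0/24   reject
host  xpto  system  0.0.0.0/0       reject
"""
HBA_REJECT_FIRST = """
host  xpto  system  10.72.18.0/24   reject
host  xpto  system  0.0.0.0/0       reject
host  xpto  system  10.75.15.60/32  md5
host  all   all     0.0.0.0/0       md5
"""
HBA_CATCHALL_BEFORE_REJECT = """
host  xpto  system  10.75.15.60/32  md5
host  all   all     0.0.0.0/0       md5
host  xpto  system  10.72.18.0/24   reject
host  xpto  system  0.0.0.0/0       reject
"""

def parse_hba(text):
    """Parse 'host' records into (database, user, network, method); comments skipped."""
    records = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ctype, db, user, addr, method = line.split()[:5]
        if ctype == "host":  # local/hostssl/hostnossl records are not modelled
            records.append((db, user, ipaddress.ip_network(addr, strict=False), method))
    return records

def first_match(records, db, user, client_ip):
    """Documented rule: the first matching record decides and later ones are never
    consulted. Returns its METHOD, or None when nothing matched (also a refusal)."""
    ip = ipaddress.ip_address(client_ip)
    for rec_db, rec_user, net, method in records:
        if rec_db in ("all", db) and rec_user in ("all", user) and ip in net:
            return method
    return None

def decisions(text, client_ips=("10.75.15.60", "10.72.18.5", "192.0.2.10")):
    """Method chosen for system@xpto from each (constructed) client address."""
    records = parse_hba(text)
    return {ip: first_match(records, "xpto", "system", ip) for ip in client_ips}

print(decisions(HBA_SCOTT))                   # 10.75.15.60 -> md5, others -> reject
print(decisions(HBA_CATCHALL_BEFORE_REJECT))  # everything -> md5: the all/all line matched first
```

Under this rule the catch-all `host all all 0.0.0.0/0 md5` line in the second test is reached before the two reject lines, which is why every address was accepted; in the reject-first ordering the `0.0.0.0/0 reject` line also catches 10.75.15.60.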