[GENERAL] postgres user with password read-only user without?
Is there a way to configure authentication so that some users require a password and other users don't? Ted -- Sent via pgsql-general mailing list (pgsql-general@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-general
[GENERAL] 9.5rc1 RLS select policy on insert?
I see the insert policy check running but also the select policy using on insert. I don't understand why the select policy is being run. Could it possibly be related to using a sequence on the table? Ted -- Sent via pgsql-general mailing list (pgsql-general@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-general
[GENERAL] RLS 9.5rc1 configuration changes?
I had been using CrunchyDatas 9.4 with backported RLS but I decided since my ultimate target is 9.5 that I update to it. However now the function called for the SELECT policy is not being called. \dt shows the policy but EXPLAIN ANALYZE of a select doesn't show the filter. When I turn up debug in postghresql.conf in pgstartup.log I see the library loaded and the _PG_init function called and in the daily log I see the client auth function called each time I run psql. The only changes I made for 9.5 were to no longer set row_security to 'force' in postgresql.conf and to add: ALTER TABLE FORCE ROW LEVEL SECURITY; in addition to the: ALTER TABLE ENABLE ROW LEVEL SECURITY; which I was already doing as I want RLS to be used even for the owner of the table. Are there any other additional configuration changes needed to get RLS to work again? Ted -- Sent via pgsql-general mailing list (pgsql-general@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-general
Re: [GENERAL] RLS 9.5rc1 configuration changes?
On Mon, Jan 4, 2016 at 4:54 PM, Tom Lane <t...@sss.pgh.pa.us> wrote: > Ted Toth <txt...@gmail.com> writes: >> I had been using CrunchyDatas 9.4 with backported RLS but I decided >> since my ultimate target is 9.5 that I update to it. However now the >> function called for the SELECT policy is not being called. \dt shows >> the policy but EXPLAIN ANALYZE of a select doesn't show the filter. > > I'm not sure how Crunchy's 9.4 version behaves, but I'd expect the > policy USING condition to be visible in EXPLAIN in 9.5. > > Are you perhaps testing this as a superuser? Superusers bypass RLS > even with FORCE ROW LEVEL SECURITY. Yes I was a Superuser but without 'Bypass RLS'. So there's no way to enforce RLS for all users/roles? > >> ... The only >> changes I made for 9.5 were to no longer set row_security to 'force' >> in postgresql.conf > > What did you set it to instead? row_security=on. Maybe 'force' did what I wanted in Crunchy's 9.4 version :( > > regards, tom lane -- Sent via pgsql-general mailing list (pgsql-general@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-general
[GENERAL] native api or odbc?
What are peoples experiences with either/both, pluses/minuses? Ted
[GENERAL] RLS policy issue
I'm work on understanding and implementing RLS. Since I work on systems using SELinux (MLS policy) I'm using the sepgsql module that I've modified slightly i.e. I've added a function named sepgsql_check_row_perm that I'm using in the policy for example I have a 'reports' table that looks like: Table public.reports Column | Type | Modifiers | Storage | Stats target | Description +-+--+--+--+- id | integer | not null default nextval('reports_id_seq'::regclass) | plain| | report | json| | extended | | message_id | integer | not null | plain| | location | geometry(Point) | | main | | security_label | text| default sepgsql_getcon() | extended | | Policies: POLICY check_report_delete_selinux FOR DELETE USING sepgsql_check_row_perm(security_label, sepgsql_getcon(), 'delete'::text) POLICY check_report_insert_selinux FOR INSERT WITH CHECK sepgsql_check_row_perm(security_label, sepgsql_getcon(), 'insert'::text) POLICY check_report_select_selinux FOR SELECT USING sepgsql_check_row_perm(sepgsql_getcon(), security_label, 'select'::text) POLICY check_report_update_selinux FOR UPDATE USING sepgsql_check_row_perm(security_label, sepgsql_getcon(), 'update'::text) WITH CHECK sepgsql_check_row_perm(security_label, sepgsql_getcon(), 'update'::text) When I do a select I expect sepgsql_check_row_perm to be called and at least output the elog message I added here's part of the patch I apply to add the sepgsql_check_row_perm funstion to the module: /* + * BOOL sepgsql_check_row_perm(TEXT, TEXT, TEXT) + * + * Check if perm allowed for tuple. + * This is a variant of sepgsql_avc_check_perms_label which allows the + * specifying of both the source and target contexts. For MLS + * (write up read down) dominance purposes in the case of + * INSERT/UPDATE/DELETE (write) the source is the tuples context + * and it must dominate the peers context however in the case of + * SELECT (read) the source is the peers context and it must dominate + * the tuples context. + */ +PG_FUNCTION_INFO_V1(sepgsql_check_row_perm); +Datum +sepgsql_check_row_perm(PG_FUNCTION_ARGS) +{ + const char *scontext; + const char *tcontext; + const char *perm_name; + access_vector_t av_perm; + + elog(DEBUG1, sepgsql_check_row_perm); I'd also expect that the rewrite would have added the POLICY SELECT USING clause to the query but I don't see any indication of that in the details that follow: 2015-05-21 16:59:39.030 CDT STATEMENT: select * from reports 2015-05-21 16:59:39.030 CDT LOG: rewritten parse tree: 2015-05-21 16:59:39.030 CDT DETAIL: ( {QUERY :commandType 1 :querySource 0 :canSetTag true :utilityStmt :resultRelation 0 :hasAggs false :hasWindowFuncs false :hasSubLinks false :hasDistinctOn false :hasRecursive false :hasModifyingCTE false :hasForUpdate false :hasRowSecurity true :cteList :rtable ( {RTE :alias :eref {ALIAS :aliasname reports :colnames (id report message_id location security_label) } :rtekind 0 :relid 19116 :relkind r :lateral false :inh true :inFromCl true :requiredPerms 2 :checkAsUser 0 :selectedCols (b 9 10 11 12 13) :modifiedCols (b) :securityQuals } ) :jointree {FROMEXPR :fromlist ( {RANGETBLREF :rtindex 1 } ) :quals } :targetList ( {TARGETENTRY :expr {VAR :varno 1 :varattno 1 :vartype 23 :vartypmod -1 :varcollid 0 :varlevelsup 0 :varnoold 1 :varoattno 1 :location 7 } :resno 1 :resname id :ressortgroupref 0 :resorigtbl 19116 :resorigcol 1 :resjunk false } {TARGETENTRY :expr {VAR :varno 1 :varattno 2 :vartype 114 :vartypmod -1 :varcollid 0 :varlevelsup 0 :varnoold 1 :varoattno 2 :location 7 } :resno 2 :resname report :ressortgroupref 0 :resorigtbl 19116
[GENERAL] 9.5 RLS 'check policy' function arguments
I'm contemplating writing a function for use with the CHECK POLICY statement. Where can I find documentation describing the arguments that will be passed to the function? Ted -- Sent via pgsql-general mailing list (pgsql-general@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-general
Re: [GENERAL] sepgsql where are the security labels
This table maintains information about the context of postgresql objects not the data in tables. On Wed, Nov 12, 2014 at 5:56 PM, Adrian Klaver adrian.kla...@aklaver.com wrote: On 11/12/2014 02:45 PM, Ted Toth wrote: I'm running selinux mls policy I've got labeled ipsec working and my postgresql configured to load sepgsql. I've created a db, run the sepgsql.sql script on it, created tables and inserted data. How do I query the security labels on the data? I do not use SECURITY LABELS, but it seems they can be queried here: http://www.postgresql.org/docs/9.3/interactive/view-pg-seclabels.html As best I can tell there is no security_context column on either of the tables I've created that I see? How does the system column security_context get added to tables? I've read everything I can find on the web but a lot of it is dated. Here's how I'm creating my db and tables: -- Adrian Klaver adrian.kla...@aklaver.com -- Sent via pgsql-general mailing list (pgsql-general@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-general
Re: [GENERAL] sepgsql where are the security labels
Exactly what I talking about ... but unfortunately that appears to have been based on KaiGai's branch and is not in 9.3. The current discuss/work is around row-level-security with patches to 9.5 which is not much help to me now :( On Thu, Nov 13, 2014 at 9:26 AM, Adrian Klaver adrian.kla...@aklaver.com wrote: On 11/13/2014 05:58 AM, Ted Toth wrote: This table maintains information about the context of postgresql objects not the data in tables. http://www.slideshare.net/kaigai/label-based-mandatory-access-control-on-postgresql Slide 23 On Wed, Nov 12, 2014 at 5:56 PM, Adrian Klaver adrian.kla...@aklaver.com wrote: On 11/12/2014 02:45 PM, Ted Toth wrote: I'm running selinux mls policy I've got labeled ipsec working and my postgresql configured to load sepgsql. I've created a db, run the sepgsql.sql script on it, created tables and inserted data. How do I query the security labels on the data? I do not use SECURITY LABELS, but it seems they can be queried here: http://www.postgresql.org/docs/9.3/interactive/view-pg-seclabels.html As best I can tell there is no security_context column on either of the tables I've created that I see? How does the system column security_context get added to tables? I've read everything I can find on the web but a lot of it is dated. Here's how I'm creating my db and tables: -- Adrian Klaver adrian.kla...@aklaver.com -- Adrian Klaver adrian.kla...@aklaver.com -- Sent via pgsql-general mailing list (pgsql-general@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-general
[GENERAL] sepgsql where are the security labels
I'm running selinux mls policy I've got labeled ipsec working and my postgresql configured to load sepgsql. I've created a db, run the sepgsql.sql script on it, created tables and inserted data. How do I query the security labels on the data? As best I can tell there is no security_context column on either of the tables I've created that I see? How does the system column security_context get added to tables? I've read everything I can find on the web but a lot of it is dated. Here's how I'm creating my db and tables: CREATE DATABASE contacts WITH OWNER = jcdx ENCODING = 'UTF8' TABLESPACE = pg_default LC_COLLATE = 'en_US.UTF-8' LC_CTYPE = 'en_US.UTF-8' CONNECTION LIMIT = -1; SECURITY LABEL FOR selinux ON DATABASE contacts IS 'user_u:object_r:sepgsql_db_t: s0'; -- -- PostgreSQL database dump -- SET statement_timeout = 0; SET lock_timeout = 0; SET client_encoding = 'UTF8'; SET standard_conforming_strings = on; SET check_function_bodies = false; SET client_min_messages = warning; -- -- Name: plpgsql; Type: EXTENSION; Schema: -; Owner: -- CREATE EXTENSION IF NOT EXISTS plpgsql WITH SCHEMA pg_catalog; -- -- Name: EXTENSION plpgsql; Type: COMMENT; Schema: -; Owner: -- COMMENT ON EXTENSION plpgsql IS 'PL/pgSQL procedural language'; -- -- Name: postgis; Type: EXTENSION; Schema: -; Owner: -- CREATE EXTENSION IF NOT EXISTS postgis WITH SCHEMA public; -- -- Name: EXTENSION postgis; Type: COMMENT; Schema: -; Owner: -- COMMENT ON EXTENSION postgis IS 'PostGIS geometry, geography, and raster spatial types and functions'; -- -- Name: pgrouting; Type: EXTENSION; Schema: -; Owner: -- CREATE EXTENSION IF NOT EXISTS pgrouting WITH SCHEMA public; -- -- Name: EXTENSION pgrouting; Type: COMMENT; Schema: -; Owner: -- COMMENT ON EXTENSION pgrouting IS 'pgRouting Extension'; SET search_path = public, pg_catalog; SET default_tablespace = ''; SET default_with_oids = false; -- -- Name: messages; Type: TABLE; Schema: public; Owner: jcdx; Tablespace: -- CREATE TABLE messages ( id integer NOT NULL, message json ); SECURITY LABEL FOR selinux ON TABLE messages IS 'user_u:object_r:sepgsql_table_t:s0'; ALTER TABLE public.messages OWNER TO jcdx; -- -- Name: messages_id_seq; Type: SEQUENCE; Schema: public; Owner: jcdx -- CREATE SEQUENCE messages_id_seq START WITH 1 INCREMENT BY 1 NO MINVALUE NO MAXVALUE CACHE 1; SECURITY LABEL FOR selinux ON SEQUENCE messages_id_seq IS 'user_u:object_r:sepgsql_seq_t:s0'; ALTER TABLE public.messages_id_seq OWNER TO jcdx; -- -- Name: messages_id_seq; Type: SEQUENCE OWNED BY; Schema: public; Owner: jcdx -- ALTER SEQUENCE messages_id_seq OWNED BY messages.id; -- -- Name: reports; Type: TABLE; Schema: public; Owner: jcdx; Tablespace: -- CREATE TABLE reports ( id integer NOT NULL, report json, message_id integer NOT NULL, location geometry(Point) ); SECURITY LABEL FOR selinux ON TABLE reports IS 'user_u:object_r:sepgsql_table_t:s0'; ALTER TABLE public.reports OWNER TO jcdx; -- -- Name: reports_id_seq; Type: SEQUENCE; Schema: public; Owner: jcdx -- CREATE SEQUENCE reports_id_seq START WITH 1 INCREMENT BY 1 NO MINVALUE NO MAXVALUE CACHE 1; SECURITY LABEL FOR selinux ON SEQUENCE reports_id_seq IS 'user_u:object_r:sepgsql_seq_t:s0'; ALTER TABLE public.reports_id_seq OWNER TO jcdx; -- -- Name: reports_id_seq; Type: SEQUENCE OWNED BY; Schema: public; Owner: jcdx -- ALTER SEQUENCE reports_id_seq OWNED BY reports.id; -- -- Name: id; Type: DEFAULT; Schema: public; Owner: jcdx -- ALTER TABLE ONLY messages ALTER COLUMN id SET DEFAULT nextval('messages_id_seq'::regclass); -- -- Name: id; Type: DEFAULT; Schema: public; Owner: jcdx -- ALTER TABLE ONLY reports ALTER COLUMN id SET DEFAULT nextval('reports_id_seq'::regclass); -- Sent via pgsql-general mailing list (pgsql-general@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-general