My notes on what I learned, so I can re-read them when I need to. And because they might be useful for somebody else, too, I post them here.
Architecture:
- Completely unlike MySQL, Postgresql authentication is (can be) related to the Linux user accounts on the system.
- By default, after a fresh installation, at least on Arch Linux, all users on the system are allowed to access all Postgres databases. (Yes! Who would have thought that.) No passwords are required, because by default, Postgresql delegates authentication to the OS, and whoever runs a process on the system was authenticated by the OS.
- The authentication policies are configurable, through. They key files are:
/var/lib/postgres/data/pg_hpa.conf
on Arch,/ubos/lib/postgres/data/pg_hpa.conf
on UBOS: defines which authentication policies apply to which users, which databases and where they are connecting from. You want to require passwords for all of them, except for the postgres user (so you can still log on). Something like this.trust
means trust the OS that it has done its job, andscram-sha-256
basically means use a password:local all postgres trust host all postgres 127.0.0.1/32 trust host all postgres ::1/128 trust local all all scram-sha-256 host all all 127.0.0.1/32 scram-sha-256 host all all ::1/128 scram-sha-256
/var/lib/postgres/data/postgresql.conf
on Arch,/ubos/lib/postgres/data/postgresql.conf
on UBOS: defines, among many other things, how passwords are encrypted in the database. You wantpassword_encryption = scram-sha-256
(notmd5
). Note that this value must be set before setting any passwords, as they (obviously) cannot be automatically migrated.
- To do something as user postgres, you now do
sudo -u postgres psql ...
and it won’t require a password. All other users, for all databases, require a password. - Also, there are two kinds of permissions a user can have:
- enumerated permissions on particular database object (“grant”).
- enumerated default permissions on database objects to be created in the future (“default privileges”).
- Privileges on “tables” and on “sequences” are maintained separately, and have different enumerated values. And if you create a table using SQL, that will sometimes create a Postgres tables and one or more sequence objects. If you naively set the permissions on the table you just created, you might have missed the ones on the sequences that were also created.
Operations:
-
- To create a new user interactively with a password: run
createuser -P <name>
. There are many other options. - To create a new user from a script: run
createuser <name>
and then set a password:ALTER ROLE "<name>" WITH PASSWORD '<pass>
‘ (note the different types of quotes) - To give a user new privileges on an existing database object:
GRANT <priv> ON <table> TO <name>
. - To give a user new default privileges which will be used for database objects created in the future:
ALTER DEFAULT PRIVILEGES IN SCHEMA "public" GRANT <priv> ON TABLES TO "<name>
andALTER DEFAULT PRIVILEGES IN SCHEMA "public" GRANT USAGE ON SEQUENCES TO "<name>
.
- To create a new user interactively with a password: run
- To determine the default privileges of a user:
\dpp <name>
- To determine who gets to access a given table:
\dp <table>
Other useful Postgresl commands worth remembering:
-
- Appending a
+
to the command shows (a little bit) more info - Show list of databases:
\l
- Use different database:
\c <name>
- Show list of tables in the current database:
\dt
- Show list of users:
\du
- Appending a