Drop Down MenusCSS Drop Down MenuPure CSS Dropdown Menu

How do you use pgAgent with securely

-
pgAgent is a scheduling agent for PostgreSQL which is used to run scheduled batch/shell or SQL tasks. pgAgent doesn’t come bundled with PostgreSQL, it needs to be installed(installation)and set-up separately as it run as a stand alone daemon. pgAgent being a powerful tool has some security concerns to be aware of. This post describes, how to set up pgAgent in a way that security threats are minimized.

 Security concerns:
Database password - DO NOT be tempted to include a password in the pgAgent connection string - on Unix systems it may be visible to all users in ‘ps’ output, and on Windows systems it will be stored in the registry in plain text. Instead, use a libpq ~/.pgpass file to store the passwords for every database that pgAgent must access. Details of this technique may be found in the PostgreSQL documentation on .pgpass file.

System/database access - all jobs run by pgAgent will run with the security privileges of the pgAgent user. SQL steps will run as the user that pgAgent connects to the database as, and batch/shell scripts will run as the operating system user that the pgAgent service or daemon is running under. Because of this, it is essential to maintain control over the users that are able to create and modify jobs. By default, only the user that created the pgAgent database objects will be able to do this - this will normally be the PostgreSQL superuser.

1. Limit privileges for the operating system user

pgAgent will run the batch or shell script as the operating system user under which it’s daemon is running. So, it is advised to create a separate user with limited privileges for running pgAgent daemon. In a Unix environment, the following command will do it:
sudo useradd pgagent

2. Setting permissions for the Database user

It is always advised not to use a user with superuser privileges for pgAgent. Instead, create a normal user and grant access to the objects which are required by the Job. For instance, here we created a user pgagent and granted access to all objects in pgagent schema.
CREATE ROLE pgagent LOGIN  NOSUPERUSER INHERIT NOCREATEDB NOCREATEROLE NOREPLICATION;
 
GRANT ALL on SCEHEMA pgagent to pgagent;
 
GRANT ALL ON ALL TABLES IN SCHEMA pgagent to pgagent;
 
GRANT ALL ON ALL SEQUENCES IN SCHEMA pgagent TO pgagent;
Now, lets assume we have a pgAgent Job which delete all logs, which are older than a certain amount of time, from the table logs , located in schema, test_schema of database, test_db. We have to again set permissions as follows:
GRANT CONNECT ON DATABASE test_db TO pgagent;
 
GRANT USAGE ON SCHEMA test_schema TO pgagent;
 
GRANT DELETE ON TABLE test_schema.logs TO pgagent;
In this way we have to grant access to all objects like, tables, functions and sequences which are required by the Job.
Finally, we can start the pgAgent daemon by running a command like the one below from terminal:
sudo su pgagent
pgagent hostaddr=localhsot dbname=postgres user=pgagent port=5432 -l 1

Comments

Post a Comment

Popular posts from this blog

How to find the server is whether standby (slave) or primary(master) in Postgresql replication ?

-
Method 1 You can check the mode of the server using "pg_controldata". [pgsql@test~]$ pg_controldata /usr/local/pgsql/data84/ Database cluster state: in archive recovery --> This is Standby Database Database cluster state: in production --> This is Production Database [Master] Method 2 You can use pg_is_in_recovery() which returns True if recovery is still in progress(so the server is running in standby mode or slave) postgres=# select pg_is_in_recovery(); pg_is_in_recovery ------------------- t (1 row) If Return    false   so the server is running in primary mode or master postgres=# select pg_is_in_recovery(); pg_is_in_recovery ------------------- f (1 row)
Read more

7 Steps to configure BDR replication in postgresql

-
Image
 The  BDR  (Bi-Directional Replication) project adds multi-master replication to PostgreSQL 9.4.  Postgres-BDR has a lower impact on the masters(s) than trigger-based replication solutions. There is no write-amplification, as it does not require triggers to write to queue tables in order to replicate writes.   Here We are using  postgres version 9.4.12 and bdr version 1.0.2. for configuring  multi master replication . Simply Following 7 steps you can configure the multi master replication in postgresql. To download the bdr in below link. .   https://github.com/2ndQuadrant/bdr/archive/bdr-pg/REL9_4_12-1.tar.gz $ tar -xzvf REL9_4_12-1.tar.gz $ wget https://github.com/2ndQuadrant/bdr/archive/bdr-plugin/1.0.2.tar.gz $ tar -xzvf 1.0.2.tar.gz 1. To install BDR. $ cd ~/bdr-bdr-pg-REL9_4_12-1 $ ./configure --prefix=/usr/lib/postgresql/9.4 --enable-debug --with-openssl $ make -j4 -s install-world $ cd ~/bdr-bdr-plugin-1.0.2 $ PATH=/usr/lib/postgresql/9.4/bin:"$PATH" ./c
Read more

How to Get Table Size, Database Size, Indexes Size, schema Size, Tablespace Size, column Size in PostgreSQL Database

-
In this post, I am sharing few important function for finding the size of database, table and index in PostgreSQL. Finding object size in postgresql database is very important and common. Is it very useful to know the exact size occupied by the object at the tablespace. The object size in the following scripts is in GB. The scripts have been formatted to work very easily with PUTTY SQL Editor. 1. Checking table size excluding table dependency: SELECT pg_size_pretty(pg_relation_size('mhrordhu_shk.mut_kharedi_audit')); pg_size_pretty ---------------- 238 MB (1 row) 2. Checking table size including table dependency: SELECT pg_size_pretty(pg_total_relation_size('mhrordhu_shk.mut_kharedi_audit')); pg_size_pretty ---------------- 268 MB (1 row) 3. Finding individual postgresql database size SELECT pg_size_pretty(pg_database_size('db_name')); 4. Finding individual table size for postgresql database -including dependency index: SELECT pg_size_pretty(pg_total_rel
Read more

Ora2PG - Oracle/MySQL to Postgres DB migration Version 20.0

-
Ora2Pg is a free tool used to  migrate  an  Oracle  or MySQL database to a  PostgreSQL  compatible schema. It connects your  Oracle  database, scan it automatically and extracts its structure or data, it then generates SQL scripts that you can load into your  PostgreSQL  database. ora2pg version 20.0 software : ora2pg-20.0.tar ora2pg-20.0   https://github.com/darold/ora2pg/releases/tag/v20.0 Some Blogs about DB Migration : https://2ndquadrant.in/postgresmigration/oracle-to-postgresql-migration/ https://2ndquadrant.in/database-migration-from-oracle-to-postgres/ INSTALLATION All Perl modules can always be found at CPAN ( http://search.cpan.org/ ). Just type the full name of the module (ex: DBD::Oracle) into the search input box, it will brings you the page for download. Releases of Ora2Pg stay at SF.net ( https://sourceforge.net/projects/ora2pg/ ). Under Windows you should install Strawberry Perl ( http://strawberryperl.com/ ) and the OSes corresponding Oracle clients. I
Read more

PostgreSQL Introduction

-
PostgreSQL tutorial provides basic and advanced concepts of SQL. Our PostgreSQL tutorial is designed for beginners and professionals. PostgreSQL is an opens-source object-relational database management system (ORDBMS). Our PostgreSQL tutorial includes all topics of PostgreSQL language such as create database, create table, drop database, drop table, select database, select table, insert record, update record, delete record, triggers, functions, procedures, cursors etc. There are also given PostgreSQL interview questions and quizzes to help you better understand the PostgreSQL language. Prerequisite: Before you start doing practice with various types of examples given in this reference, I'm making an assumption that you are already aware about what is database, especially RDBMS and what is a computer programming language. you must have the basic knowledge of SQL Problem: We assure that you will not find any problem in this PostgreSQL tutorial. But if there is any mistake
Read more