I am trying to create a user mapping in PostgreSQL without a password, but I am encountering an error that says "ERROR: password is required" when I try to access a table. Here is the command that I used to create the user mapping:
CREATE USER MAPPING for app_user SERVER testmachine02 OPTIONS (user 'test');
I also created a pgpass file with the following entries:
localhost:5432:local_db:app_user:app_user123
192.168.56.10:5432:admin:admin:admin123
192.168.56.10:5432:remote_db:test:test123
testmachine02:5432:local_db:test:test123
Despite these steps, I am still unable to access the table without a password. How can I create a user mapping without a password and access the table?
If this were PostgreSQL v13 or better, the documentation would tell you what to do:
Only superusers may create or modify user mappings with the sslcert or sslkey settings.
Only superusers may connect to foreign servers without password authentication, so always specify the password option for user mappings belonging to non-superusers.
A superuser may override this check on a per-user-mapping basis by setting the user mapping option password_required 'false', e.g.,
ALTER USER MAPPING FOR some_non_superuser SERVER loopback_nopw
OPTIONS (ADD password_required 'false');
But in PostgreSQL v11, there is not way to connect without a password unless you are a superuser.
Related
I am trying to create a user mapping in PostgreSQL without a password, but I am encountering an error that says.
local_db=> select * from employee;
ERROR: could not connect to server "testmachine02"
DETAIL: connection to server at "192.168.56.10", port 5432 failed: fe_sendauth: no password supplied
Here is the command that I used to create the user mapping:
CREATE USER MAPPING for app_user SERVER testmachine02 OPTIONS (password_required 'false');
I also created a pgpass file with the following entries:
localhost:5432:local_db:app_user:app_user123
192.168.56.10:5432:admin:admin:admin123
192.168.56.10:5432:remote_db:test:test123
Despite these steps, I am still unable to access the table without a password. How can I create a user mapping without a password and access the table?
here is what I am getting after creating a .pgpass file under /pgsql:
The password file does not get proxied through your client to be used by server. The .pgpass file you need the password in is the one which would be used for the OS user who runs the database server. So often that would be something like "/var/lib/postgresql/.pgpass", not something like "/home/arahal/.pgpass". If you do this and set (password_required 'false'), it will work.
But why not just stick the password in the user mapping and be done with it? The purpose of password_required is to give you the option of using non-password-based authentication methods.
Suppose I have a login metamanager\test which shows when I execute T-SQL, but it is not there when when I expand Security -> Login in SSMS.
Same with a database user.
I try to replicate but failed
use master
select * from sys.syslogins is used for login
use DB
select * from sys.sysusers is used for database user
A LOGIN and a USER are completely different objects.
A LOGIN is a server object, and appear in sys.syslogins, as you see.
A USER is a database object, and for a LOGIN to have access to a database, it needs to have a USER mapped to the LOGIN in that database. A LOGIN with no mapped logins in any databases, and without any server level roles, will be unable to access any of the database on the instance, apart from those that the public roles has in tempdb and master.
It appears, here, you need to create the user in the database, and then give it the appropriate permissions. You can create the USER with the following:
USE {YourDatabase};
GO
CREATE USER 'metamanager\test' FOR LOGIN 'metamanager\test';
You'll need to give it the appropriate permissions afterwards.
Also, after you have created the user, ensure you have refreshed your object explorer. Object explorer doesn't automatically refresh after you create an object.
Not sure if you explaining it correctly, but syslogins and server_principals are about the same. Only the difference that server_principals include "Roles".
As far as I know it is impossible to have something in syslogins, which does not exist in server_principals.
Is it somehow possible to set the user permissions per connection in SQL-Server?
for example:
DENY insert ON all TO user
DENY update ON all TO user
DENY delete ON all TO user
So, suppose a user is connected as sa (* see EDIT) in my application, can I somehow change (and possibly restore) permissions at some point for this user (so for e.g. at that point he has a read-only access)?
EDIT: sorry for giving a wrong example. the user is NOT sa but other user with full access.
As I mentioned in the comments, permissions aren't set at connection level, they are set at Login and User level.
If you have a connection, and you change the permissions of the login/user being used, those permissions will be applied immediately to that connection, and any others; thus a connection using the Login and User AppUser cannot have different permissions to another connection user the exact same Login and User.
If you need an application to have different permissions for different things, there's nothing wrong with creating multiple Logins and Users; each with their own permissions. You then control the Login the application uses my using different connection string, depending on the role needed. This is quite a common practice; for example you might have a different database for your application's security model, and thus a different login is used to make changes to that database.
there are system stored procedures about security section and i guess that would be the only way since SQL gotta be secured.
https://learn.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/security-stored-procedures-transact-sql?view=sql-server-2017
https://learn.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-dropsrvrolemember-transact-sql?view=sql-server-2017
EXEC sp_dropsrvrolemember 'JackO', 'sysadmin';
I've recently created a App Service + SQL in my Azure account and I want to give access to some external user, maybe using SQL authentication with username and password. I know I must allow this user IP, but I cannot find where I can create credentials or a new user for him.
I've tried creating a new login and user using SQL statements but I can't access master database.
Is what I'm trying to do possible?
Thanks
There's no need to grant users access to Master. Instead connect to the target database as an administrator and simply add the user using CREATE USER
CREATE USER SomeUserName WITH PASSWORD = 'somestrongpassword123'
See generally Controlling and granting database access
I have a contained database with users authenticated in the database only (i.e. SQL user with password). What I am looking to do is the "uncontain" the database. Before I can change alter the database to containment 'NONE', I must remove all contained users. What I really want to do is create a SQL login for the user retaining the same password.
With a server login, I can use LOGINPROPERTY('myusername', 'PasswordHash') to get the password hash. For a SQL user with password (a contained user), this returns null. Where can I get the password hash for a contained user?
This article has the answer http://sqlblog.com/blogs/argenis_fernandez/archive/2014/07/28/scripting-out-contained-database-users.aspx
The article states that for contained database users, there is (currently) no method of obtaining SID or password hashes without connecting to the DAC (Dedicated Administrator Connection). Once you establish a DAC connection, the following query will give you the password hash:
SELECT password FROM sys.sysowners WHERE name = 'ContainedUser'
For information on how to connect get a DAC with SSMS, see https://technet.microsoft.com/en-us/library/ms178068(v=sql.105).aspx
Have you tried the sp_help_revlogin stored procedure?