
Simple ACL example


Hi,

I would like to control permissions of the objects in Postgres. Our scenario is that we have one database and I would like all objects (tables, schemas …) to be accessible to all. My current conf is (the ACL bit is taken from the cookbook):

acls:
  ro:
  - __usage_on_schemas__
  - __select_on_tables__

  rw:
  - ro
  - __all_on_tables__

  ddl:
  - rw
  - __create_on_schemas__

sync_map:
  - roles:
    - names: [owners, readers, writers]
      options: NOLOGIN
      database: company

  - grant:
    - acl: ro
      database: company
      schema: __all__
      role: readers

    - acl: rw
      database: company
      schema: __all__
      role: writers

    - acl: ddl
      database: company
      schema: __all__
      role: owners

  - ldap:
      base: "OU=People,OU=company,DC=int,DC=company,DC=com"
      attributes: sAMAccountName
    role:
      name_attribute: sAMAccountName
      options: LOGIN NOSUPERUSER NOCREATEDB
      parent: owners
    grant:
      - acl: ddl
        role: owners

As you can see above, all LDAP users are being assigned to the ddl group; however, when I run it, it prevents users from logging in using pgAdmin 4. I have tried a few variations of the above and got errors like (from postgresql.log):

2018-01-25 18:28:06.141 UTC [20822] joshlk@postgres ERROR:  permission denied for function version
2018-01-25 18:28:06.141 UTC [20822] joshlk@postgres STATEMENT:  SELECT version()
2018-01-25 18:25:23.306 UTC [20810] joshlk@postgres ERROR:  permission denied for schema pg_catalog at character 143
2018-01-25 18:25:23.306 UTC [20810] joshlk@postgres STATEMENT:
	SELECT
	    oid as id, rolname as name, rolsuper as is_superuser,
	    rolcreaterole as can_create_role, rolcreatedb as can_create_db
	FROM
	    pg_catalog.pg_roles
	WHERE
	    rolname = current_user
2018-01-25 18:47:00.433 UTC [21181] joshlk@postgres ERROR:  permission denied for schema pg_catalog
2018-01-25 18:47:00.433 UTC [21181] joshlk@postgres STATEMENT:  SELECT CASE WHEN usesuper
	       THEN pg_is_in_recovery()
	       ELSE FALSE
	       END as inrecovery,
	       CASE WHEN usesuper AND pg_is_in_recovery()
	       THEN pg_is_xlog_replay_paused()
	       ELSE FALSE
	       END as isreplaypaused
	FROM pg_user WHERE usename=current_user

It looks like it is because it is locking users out from accessing the postgres default database and objects within it. Can I ask ldap2pg to exclude revoking permissions on the postgres database?

Do you have any recommendations on what ACL rules to use? What I want to prevent is someone creating a table or schema and then the rest of the team not being able to access it. My team is small, so something simple would suffice.

Bonus question… is there a way that when a user is created a schema of the same name is also created? So for user joshlk it automatically creates a schema joshlk?

Many thanks for your help and really appreciate your work and giving to the open source community!

Josh

Issue Analytics

  • State: closed
  • Created 6 years ago
  • Comments: 11 (6 by maintainers)

Top GitHub Comments

1 reaction
bersace commented, Jan 26, 2018

I need to document this. Don't forget to star ldap2pg 😃

0 reactions
bersace commented, Jan 26, 2018

@joshlk congrats, it’s fun 😃

A tip: by default, ldap2pg considers superusers as owners. You should customize owners_query:

postgres:
  owners_query: |
    SELECT owner.rolname FROM pg_authid AS owner
    JOIN pg_auth_members ON pg_auth_members.member = owner.oid
    JOIN pg_authid AS "group"
      ON "group".oid = pg_auth_members.roleid AND "group".rolname = 'owners'

...

Check this query before pasting it into the YAML!
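The following is an added example, not code from the issue, from its author or from ldap2pg. It reproduces the readers/writers/owners tiers from the config in the question in plain SQL, so that the two points raised in this thread can be checked directly in psql: that tables created by one member of the team stay accessible to the other tiers, and that the owners_query suggested in the comment above returns the expected roles. It runs as a superuser (pg_authid is superuser-only); the login role "joshlk_test" and the schema "app" are constructed for this example, and everything is rolled back at the end.

```sql
-- Added example, not code from the issue or from ldap2pg. It reproduces the
-- readers/writers/owners tiers from the config above in plain SQL so the two
-- points in this thread can be checked directly in psql (run as a superuser;
-- pg_authid is superuser-only). The login role "joshlk_test" and schema "app"
-- are constructed for this example. Everything is rolled back at the end.

BEGIN;

-- Group roles as in the sync_map: each tier inherits the one below it.
CREATE ROLE readers NOLOGIN;
CREATE ROLE writers NOLOGIN IN ROLE readers;
CREATE ROLE owners  NOLOGIN IN ROLE writers;
-- A login user that ldap2pg would have attached to owners via "parent: owners".
CREATE ROLE joshlk_test LOGIN NOSUPERUSER NOCREATEDB IN ROLE owners;

CREATE SCHEMA app;
GRANT USAGE  ON SCHEMA app TO readers;   -- __usage_on_schemas__
GRANT CREATE ON SCHEMA app TO owners;    -- __create_on_schemas__

-- "Someone creates a table and the rest of the team cannot access it" is the
-- default behaviour: a new table carries only its creator's privileges.
-- Default privileges close that gap, but they key on the role that creates
-- the object, not on that role's group membership. Keeping object creation
-- under SET ROLE owners makes every table owned by owners, so one rule per
-- tier is enough.
ALTER DEFAULT PRIVILEGES FOR ROLE owners IN SCHEMA app
    GRANT SELECT ON TABLES TO readers;
ALTER DEFAULT PRIVILEGES FOR ROLE owners IN SCHEMA app
    GRANT INSERT, UPDATE, DELETE ON TABLES TO writers;

-- A member of owners (here the superuser session standing in for joshlk_test)
-- switches to the group role before running DDL.
SET ROLE owners;
CREATE TABLE app.events (id serial PRIMARY KEY, note text);
RESET ROLE;

-- Check 1: the new table is reachable by the other tiers, and readers stay
-- read-only. has_table_privilege() follows role inheritance.
SELECT has_table_privilege('readers', 'app.events', 'SELECT') AS readers_select,
       has_table_privilege('writers', 'app.events', 'INSERT') AS writers_insert,
       has_table_privilege('readers', 'app.events', 'INSERT') AS readers_insert;

-- Check 2: the "permission denied for schema pg_catalog" / "function version"
-- errors in the log mean a login user lost privileges that PostgreSQL grants
-- to PUBLIC by default. Verify them for the user before pointing a client at it.
SELECT has_schema_privilege('joshlk_test', 'pg_catalog', 'USAGE')    AS catalog_usage,
       has_function_privilege('joshlk_test', 'version()', 'EXECUTE') AS version_execute;
-- If either is false, restoring the PostgreSQL defaults is:
--   GRANT USAGE ON SCHEMA pg_catalog TO PUBLIC;
--   GRANT EXECUTE ON FUNCTION version() TO PUBLIC;

-- Check 3: the owners_query suggested by the maintainer, run on its own before
-- it goes into the YAML. It lists the direct members of owners (here
-- joshlk_test), which is what ldap2pg will then treat as object owners.
SELECT owner.rolname FROM pg_authid AS owner
JOIN pg_auth_members ON pg_auth_members.member = owner.oid
JOIN pg_authid AS "group"
  ON "group".oid = pg_auth_members.roleid AND "group".rolname = 'owners';

-- Bonus question from the issue: a schema named after a role is one statement
-- in PostgreSQL (CREATE SCHEMA AUTHORIZATION takes the schema name from the
-- role and makes that role its owner).
CREATE SCHEMA AUTHORIZATION joshlk_test;

ROLLBACK;
```

Run it with psql as a superuser against a scratch database; because it is wrapped in BEGIN/ROLLBACK, nothing is left behind. The design point worth keeping from it is the SET ROLE owners step: default privileges declared FOR ROLE owners only apply to objects that owners itself creates, so a team that creates tables as individual login users needs either that habit or one ALTER DEFAULT PRIVILEGES rule per login role.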
