SlideShare a Scribd company logo

PGConf APAC 2018 - Lightening Talk #2 - Centralizing Authorization in PostgreSQL

PGConf APAC, profile picture
PGConf APAC

The document discusses implementing centralized authorization in PostgreSQL by synchronizing user roles and privileges with an LDAP server. It provides a step-by-step approach to setting up LDAP authentication in PostgreSQL and using scripts to synchronize user roles and privileges between the database and LDAP based on group membership. The synchronization scripts create roles for each LDAP user, grant privileges to roles based on mapping rules, and handle role inheritance.

Technology
Related topics:
Database Security Overview
1 of 17
Downloaded 14 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
Centralising Authorization in PostgreSQL Experimenting with LDAP synchronization
Structure of this talk…  A summary of my experience with implementing a simple form of Centralized Authorisation  A step by step approach
Authentication versus Authorisation PostgreSQL LDAP Authentication ldap ldapserver=servername.ad.company.au ldaptls=1 ldapbasedn="ou=AU,dc=ad,dc=company,dc=au" ldapbinddn="cn=Gary Evans,ou=consultant,ou=ThirdParty Contractors,ou=Users, ou=AU,dc=ad,dc=corelogic,dc=asia" ldapbindpasswd="<the password>" ldapsearchattribute=sAMAccountName
Benefits of a centralized approach  Single point of control of database users  Adding a user can be done by help desk  Less error prone
Synchronisation Approach StarOne DBROLES postgres Andrew Smith Bob Brown Jenny Reid Julie Benson privileges
Synchronisation Approach Server StarOne DBROLES postgres Andrew Smith Bob Brown Jenny Reid Julie Benson privileges ldapsearch -Z -LLL -h ldapservername -D gevans@ldapservername -w password -b dc=ad,dc=companyname,dc=aus '(&(objectClass=user)(memberOf=CN='"${ADRow[0]}"' ,OU=SQL,OU=Groups,OU=AU,DC=ad,DC=ccompany name,DC=aus))' sAMAccountName | sed -e 's/sAMAccountName: ([a-zA-Z]*)/1/;tx;d;:x'
Synchronisation Approach Database DB_Report DB_Admin DB_Analysts Andrew Smith Bob Brown Jenny Reid Andrew Smith Julie Benson Annette Huntly Paul Brown Andrew Smith Bob Brown Jenny Reid Members Groups ROLES postgres Andrew Smith Bob Brown Jenny Reid Julie Benson Annette Huntly Paul Brown AppOne DB StarOne DB
Synchronisation Approach Database DB_Report DB_Admin DB_Analysts Andrew Smith Bob Brown Jenny Reid Andrew Smith Julie Benson Annette Huntly Paul Brown Andrew Smith Bob Brown Jenny Reid Members Groups ROLES postgres Andrew Smith Bob Brown Jenny Reid Julie Benson Annette Huntly Paul Brown AppOne DB StarOne DB
Synchronisation Approach Database DB_Report DB_Admin DB_Analysts Andrew Smith Bob Brown Jenny Reid Andrew Smith Julie Benson Annette Huntly Paul Brown Andrew Smith Bob Brown Jenny Reid Server Members Groups ROLES postgres Andrew Smith Bob Brown Jenny Reid Julie Benson Annette Huntly Paul Brown AppOne DB StarOne DB ID Hostname Dbname ADGroup Dbrole Enabled CRUD 1 Serverone AppOne DB_Report Read_only True F,T,F,F 2 Serverone StarOne DB_Report Reporting True F,T,T,F 3 Serverone AppOne DB_Admin Admin_user True T,T,T,T 4 Serverone StarOne DB_Analysts Analyst True F,T,F,F 5
Synchronisation Approach Database DB_Report DB_Admin DB_Analysts Andrew Smith Bob Brown Jenny Reid Andrew Smith Julie Benson Annette Huntly Paul Brown Andrew Smith Bob Brown Jenny Reid Server Members Groups ROLES postgres Andrew Smith Bob Brown Jenny Reid Julie Benson Annette Huntly Paul Brown AppOne DB StarOne DB ID Hostname Dbname ADGroup Dbrole Enabled CRUD 1 Serverone AppOne DB_Report Read_only True F,T,F,F 2 Serverone StarOne DB_Report Reporting True F,T,T,F 3 Serverone AppOne DB_Admin Admin_user True T,T,T,T 4 Serverone StarOne DB_Analysts Analyst True F,T,F,F 5 ${PSQL} ${DBMONITOR//HOST/localhost}/schemaname -qtAX --field-separator ' ' -c "SELECT distinct adgroup FROM mapping WHERE enabled = true and hostname='${hostname}'" | while read -a ADRow ; do for adname in $(ldapsearch -Z -LLL -h ldapservername -D gevans@ldapservername -w password -b dc=ad,dc=companyname,dc=aus '(&(objectClass=user)(memberOf=CN='"${ADRow[0]}"',OU=SQL,OU=Groups,OU=AU,DC=ad,DC=companyna me,DC=aus))' sAMAccountName | sed -e 's/sAMAccountName: ([a-zA-Z]*)/1/;tx;d;:x') do ${PSQL} ${PGMONITOR//HOST/$hostname}/ schemaname -qtAX --field-separator ' ' -c "CREATE ROLE ${adname} with LOGIN;“ ${PSQL} ${PGMONITOR//HOST/localhost}/ schemaname -qtAX --field-separator ' ' -c "SELECT distinct dbrole FROM mapping where enabled = true and hostname='${hostname}'" and adgroup = '${adname}' | while read -a DBRRow ; do ${PSQL} ${PGMONITOR//HOST/$hostname}/performance -qtAX --field-separator ' ' -c "GRANT ${DBRRow} TO ${adname};" done
Synchronisation Approach Database DB_Report DB_Admin DB_Analysts Andrew Smith Bob Brown Jenny Reid Andrew Smith Julie Benson Annette Huntly Paul Brown Andrew Smith Bob Brown Jenny Reid Server Members Groups ROLES postgres Andrew Smith Bob Brown Jenny Reid Julie Benson Annette Huntly Paul Brown AppOne DB StarOne DB ID Hostname Dbname ADGroup Dbrole Enabled CRUD 1 Serverone AppOne DB_Report Read_only True F,T,F,F 2 Serverone StarOne DB_Report Reporting True F,T,T,F 3 Serverone AppOne DB_Admin Admin_user True T,T,T,T 4 Serverone StarOne DB_Analysts Analyst True F,T,F,F 5 ${PSQL} ${DBMONITOR//HOST/localhost}/schemaname -qtAX --field-separator ' ' -c "SELECT distinct adgroup FROM mapping WHERE enabled = true and hostname='${hostname}'" | while read -a ADRow ; do for adname in $(ldapsearch -Z -LLL -h ldapservername -D gevans@ldapservername -w password -b dc=ad,dc=companyname,dc=aus '(&(objectClass=user)(memberOf=CN='"${ADRow[0]}"',OU=SQL,OU=Groups,OU=AU,DC=ad,DC=ccompanyn ame,DC=aus))' sAMAccountName | sed -e 's/sAMAccountName: ([a-zA-Z]*)/1/;tx;d;:x') do ${PSQL} ${PGMONITOR//HOST/$hostname}/ schemaname -qtAX --field-separator ' ' -c "CREATE ROLE ${adname} with LOGIN;“ ${PSQL} ${PGMONITOR//HOST/localhost}/performance -qtAX --field-separator ' ' -c "SELECT distinct dbrole FROM mapping where enabled = true and hostname='${hostname}'" and adgroup = '${adname}' | while read -a DBRRow ; do ${PSQL} ${PGMONITOR//HOST/$hostname}/ schemaname -qtAX --field-separator ' ' -c "GRANT ${DBRRow} TO ${adname};" done
Synchronisation Approach Database DB_Report DB_Admin DB_Analysts Andrew Smith Bob Brown Jenny Reid Andrew Smith Julie Benson Annette Huntly Paul Brown Andrew Smith Bob Brown Jenny Reid Members Groups ROLES postgres Andrew Smith Bob Brown Jenny Reid Julie Benson Annette Huntly Paul Brown AppOne DB StarOne DB
Synchronisation Approach Database DB_Report DB_Admin DB_Analysts Andrew Smith Bob Brown Jenny Reid Andrew Smith Julie Benson Annette Huntly Paul Brown Andrew Smith Bob Brown Jenny Reid Members Groups ROLES Postgres (SU) appOneOwner (SU) StarOneOwner (SU) Andrew Smith Bob Brown Jenny Reid Julie Benson Annette Huntly Paul Brown AppOne DB StarOne DB Owner Owner
Synchronisation Approach Database DB_Report DB_Admin DB_Analysts Andrew Smith Bob Brown Jenny Reid Andrew Smith Julie Benson Annette Huntly Paul Brown Andrew Smith Bob Brown Jenny Reid Members Groups ROLES Postgres (SU) appOneOwner (SU) StarOneOwner (SU) DB_Report (NL) DB_Admin (NL) DB_Analysts (NL) Andrew Smith Bob Brown Jenny Reid Julie Benson Annette Huntly Paul Brown AppOne DB StarOne DB Owner Owner Role inheritance
Synchronisation Approach Database DB_Report DB_Admin DB_Analysts Andrew Smith Bob Brown Jenny Reid Andrew Smith Julie Benson Annette Huntly Paul Brown Andrew Smith Bob Brown Jenny Reid Members Groups ROLES Postgres (SU) appOneOwner (SU) StarOneOwner (SU) DB_Report (NL) DB_Admin (NL) DB_Analysts (NL) Andrew Smith Bob Brown Jenny Reid Julie Benson Annette Huntly Paul Brown AppOne DB StarOne DB Owner Owner Role inheritance
Synchronisation Approach Database DB_Report DB_Admin DB_Analysts Andrew Smith Bob Brown Jenny Reid Andrew Smith Julie Benson Annette Huntly Paul Brown Andrew Smith Bob Brown Jenny Reid Members Groups ROLES Postgres (SU) appOneOwner (SU) StarOneOwner (SU) DB_Report (NL) DB_Admin (NL) DB_Analysts (NL) Andrew Smith Bob Brown Jenny Reid Julie Benson Annette Huntly Paul Brown AppOne DB StarOne DB Owner Owner Role inheritance
Existing tool Pg-ldap-sync

More Related Content

PDF
How to teach an elephant to rock'n'roll
PGConf APAC
 
PDF
Modern query optimisation features in MySQL 8.
Mydbops
 
PDF
Flexible Indexing with Postgres
EDB
 
ODP
Msql
ksujitha
 
PPT
15 Ways to Kill Your Mysql Application Performance
guest9912e5
 
PDF
Agile Database Development with JSON
Chris Saxon
 
PDF
Writing A Foreign Data Wrapper
psoo1978
 
PDF
Data Exploration with Apache Drill: Day 1
Charles Givre
 
How to teach an elephant to rock'n'roll
PGConf APAC
 
Modern query optimisation features in MySQL 8.
Mydbops
 
Flexible Indexing with Postgres
EDB
 
Msql
ksujitha
 
15 Ways to Kill Your Mysql Application Performance
guest9912e5
 
Agile Database Development with JSON
Chris Saxon
 
Writing A Foreign Data Wrapper
psoo1978
 
Data Exploration with Apache Drill: Day 1
Charles Givre
 

What's hot (20)

PDF
Advanced pg_stat_statements: Filtering, Regression Testing & more
Lukas Fittl
 
PDF
QB Into the Box 2018
Ortus Solutions, Corp
 
PDF
Centralising Authorisation in PostgreSQL
Gary Evans
 
PDF
PerlApp2Postgresql (2)
Jerome Eteve
 
PDF
Accessing Data Through Hibernate; What DBAs Should Tell Developers and Vice V...
Marco Tusa
 
PDF
MySQL innoDB split and merge pages
Marco Tusa
 
PDF
Load Data Fast!
Karwin Software Solutions LLC
 
PDF
Temporary Cache Assistance (Transients API): WordCamp Phoenix 2014
Cliff Seal
 
PPTX
Oracle Database 12.1.0.2 New Features
Alex Zaballa
 
PDF
Stefan Hochdörfer - The NoSQL Store everyone ignores: PostgreSQL - NoSQL matt...
NoSQLmatters
 
PDF
Accessing Databases from R
Jeffrey Breen
 
PDF
PGDay UK 2016 -- Performace for queries with grouping
Alexey Bashtanov
 
ODP
Chetan postgresql partitioning
suniltomar04
 
PDF
How to Use JSON in MySQL Wrong
Karwin Software Solutions LLC
 
PDF
Administering and Monitoring SolrCloud Clusters
lucenerevolution
 
PDF
Mongodb replication
PoguttuezhiniVP
 
PDF
15 MySQL Basics #burningkeyboards
Denis Ristic
 
PDF
MySQL Query Tuning for the Squeemish -- Fossetcon Orlando Sep 2014
Dave Stokes
 
TXT
Quick reference for mongo shell commands
Rajkumar Asohan, PMP
 
ODP
Beyond PHP - It's not (just) about the code
Wim Godden
 
Advanced pg_stat_statements: Filtering, Regression Testing & more
Lukas Fittl
 
QB Into the Box 2018
Ortus Solutions, Corp
 
Centralising Authorisation in PostgreSQL
Gary Evans
 
PerlApp2Postgresql (2)
Jerome Eteve
 
Accessing Data Through Hibernate; What DBAs Should Tell Developers and Vice V...
Marco Tusa
 
MySQL innoDB split and merge pages
Marco Tusa
 
Load Data Fast!
Karwin Software Solutions LLC
 
Temporary Cache Assistance (Transients API): WordCamp Phoenix 2014
Cliff Seal
 
Oracle Database 12.1.0.2 New Features
Alex Zaballa
 
Stefan Hochdörfer - The NoSQL Store everyone ignores: PostgreSQL - NoSQL matt...
NoSQLmatters
 
Accessing Databases from R
Jeffrey Breen
 
PGDay UK 2016 -- Performace for queries with grouping
Alexey Bashtanov
 
Chetan postgresql partitioning
suniltomar04
 
How to Use JSON in MySQL Wrong
Karwin Software Solutions LLC
 
Administering and Monitoring SolrCloud Clusters
lucenerevolution
 
Mongodb replication
PoguttuezhiniVP
 
15 MySQL Basics #burningkeyboards
Denis Ristic
 
MySQL Query Tuning for the Squeemish -- Fossetcon Orlando Sep 2014
Dave Stokes
 
Quick reference for mongo shell commands
Rajkumar Asohan, PMP
 
Beyond PHP - It's not (just) about the code
Wim Godden
 
Ad

Similar to PGConf APAC 2018 - Lightening Talk #2 - Centralizing Authorization in PostgreSQL (20)

PDF
Bag Of Tricks From Iusethis
Marcus Ramberg
 
PPTX
Windows power shell and active directory
Dan Morrill
 
PDF
Using OpenFire With OpenLDAP
Dashamir Hoxha
 
PDF
Burn down the silos! Helping dev and ops gel on high availability websites
Lindsay Holmwood
 
PDF
Service discovery and configuration provisioning
Source Ministry
 
PDF
Why is crud a bad idea - focus on real scenarios
Divante
 
PDF
FamilySearch Reference Client
Dallan Quass
 
PPT
XQuery Triggers in Native XML Database Sedna
maria.grineva
 
PPT
Framework
Nguyen Linh
 
KEY
Zend Framework Study@Tokyo #2
Shinya Ohyanagi
 
PDF
WordPress REST API hacking
Jeroen van Dijk
 
KEY
About Data::ObjectDriver
Yoshiki Kurihara
 
PDF
Creating and Maintaining WordPress Plugins
Mark Jaquith
 
PPTX
Talk MongoDB - Amil
removed_b0e2342824f6227286f54ba461ebc0fe
 
PPTX
Drupal II: The SQL
ddiers
 
KEY
Api Design
sartak
 
PDF
Doctrine For Beginners
Jonathan Wage
 
PPTX
Application Stack - TIAD Camp Microsoft Cloud Readiness
The Incredible Automation Day
 
PDF
Redis for your boss
Elena Kolevska
 
PDF
PuppetCamp SEA @ Blk 71 - Nagios in under 10 mins with Puppet
OlinData
 
Bag Of Tricks From Iusethis
Marcus Ramberg
 
Windows power shell and active directory
Dan Morrill
 
Using OpenFire With OpenLDAP
Dashamir Hoxha
 
Burn down the silos! Helping dev and ops gel on high availability websites
Lindsay Holmwood
 
Service discovery and configuration provisioning
Source Ministry
 
Why is crud a bad idea - focus on real scenarios
Divante
 
FamilySearch Reference Client
Dallan Quass
 
XQuery Triggers in Native XML Database Sedna
maria.grineva
 
Framework
Nguyen Linh
 
Zend Framework Study@Tokyo #2
Shinya Ohyanagi
 
WordPress REST API hacking
Jeroen van Dijk
 
About Data::ObjectDriver
Yoshiki Kurihara
 
Creating and Maintaining WordPress Plugins
Mark Jaquith
 
Talk MongoDB - Amil
removed_b0e2342824f6227286f54ba461ebc0fe
 
Drupal II: The SQL
ddiers
 
Api Design
sartak
 
Doctrine For Beginners
Jonathan Wage
 
Application Stack - TIAD Camp Microsoft Cloud Readiness
The Incredible Automation Day
 
Redis for your boss
Elena Kolevska
 
PuppetCamp SEA @ Blk 71 - Nagios in under 10 mins with Puppet
OlinData
 
Ad

More from PGConf APAC (20)

PDF
PGConf APAC 2018: Sponsored Talk by Fujitsu - The growing mandatory requireme...
PGConf APAC
 
PDF
PGConf APAC 2018: PostgreSQL 10 - Replication goes Logical
PGConf APAC
 
PDF
PGConf APAC 2018 - Lightening Talk #3: How To Contribute to PostgreSQL
PGConf APAC
 
PDF
Sponsored Talk @ PGConf APAC 2018 - Choosing the right partner in your Postgr...
PGConf APAC
 
PDF
PGConf APAC 2018 - A PostgreSQL DBAs Toolbelt for 2018
PGConf APAC
 
PDF
PGConf APAC 2018 - Patroni: Kubernetes-native PostgreSQL companion
PGConf APAC
 
PDF
PGConf APAC 2018 - High performance json postgre-sql vs. mongodb
PGConf APAC
 
PDF
PGConf APAC 2018 - Monitoring PostgreSQL at Scale
PGConf APAC
 
PDF
PGConf APAC 2018 - Where's Waldo - Text Search and Pattern in PostgreSQL
PGConf APAC
 
PDF
PGConf APAC 2018 - Managing replication clusters with repmgr, Barman and PgBo...
PGConf APAC
 
PDF
PGConf APAC 2018 - PostgreSQL HA with Pgpool-II and whats been happening in P...
PGConf APAC
 
PDF
PGConf APAC 2018 - PostgreSQL performance comparison in various clouds
PGConf APAC
 
PDF
Sponsored Talk @ PGConf APAC 2018 - Migrating Oracle to EDB Postgres Approach...
PGConf APAC
 
PDF
PGConf APAC 2018 - Tale from Trenches
PGConf APAC
 
PDF
PGConf APAC 2018 Keynote: PostgreSQL goes eleven
PGConf APAC
 
PDF
Amazon (AWS) Aurora
PGConf APAC
 
PDF
Use Case: PostGIS and Agribotics
PGConf APAC
 
PDF
PostgreSQL on Amazon RDS
PGConf APAC
 
PDF
PostgreSQL WAL for DBAs
PGConf APAC
 
PDF
Lightening Talk - PostgreSQL Worst Practices
PGConf APAC
 
PGConf APAC 2018: Sponsored Talk by Fujitsu - The growing mandatory requireme...
PGConf APAC
 
PGConf APAC 2018: PostgreSQL 10 - Replication goes Logical
PGConf APAC
 
PGConf APAC 2018 - Lightening Talk #3: How To Contribute to PostgreSQL
PGConf APAC
 
Sponsored Talk @ PGConf APAC 2018 - Choosing the right partner in your Postgr...
PGConf APAC
 
PGConf APAC 2018 - A PostgreSQL DBAs Toolbelt for 2018
PGConf APAC
 
PGConf APAC 2018 - Patroni: Kubernetes-native PostgreSQL companion
PGConf APAC
 
PGConf APAC 2018 - High performance json postgre-sql vs. mongodb
PGConf APAC
 
PGConf APAC 2018 - Monitoring PostgreSQL at Scale
PGConf APAC
 
PGConf APAC 2018 - Where's Waldo - Text Search and Pattern in PostgreSQL
PGConf APAC
 
PGConf APAC 2018 - Managing replication clusters with repmgr, Barman and PgBo...
PGConf APAC
 
PGConf APAC 2018 - PostgreSQL HA with Pgpool-II and whats been happening in P...
PGConf APAC
 
PGConf APAC 2018 - PostgreSQL performance comparison in various clouds
PGConf APAC
 
Sponsored Talk @ PGConf APAC 2018 - Migrating Oracle to EDB Postgres Approach...
PGConf APAC
 
PGConf APAC 2018 - Tale from Trenches
PGConf APAC
 
PGConf APAC 2018 Keynote: PostgreSQL goes eleven
PGConf APAC
 
Amazon (AWS) Aurora
PGConf APAC
 
Use Case: PostGIS and Agribotics
PGConf APAC
 
PostgreSQL on Amazon RDS
PGConf APAC
 
PostgreSQL WAL for DBAs
PGConf APAC
 
Lightening Talk - PostgreSQL Worst Practices
PGConf APAC
 

Recently uploaded (20)

DOCX
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
PDF
KodekX | Application Modernization Development
KodekX
 
PDF
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
PPTX
MYSQL Presentation for SQL database connectivity
Swati270511
 
PPTX
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
PDF
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
PDF
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
PPT
Teaching material agriculture food technology
LiaRayya
 
PDF
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
PPTX
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
PPTX
ACSFv1EN-58255 AWS Academy Cloud Security Foundations.pptx
23bcla24
 
PDF
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
PDF
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
PPTX
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
PDF
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton
Julien SIMON
 
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
KodekX | Application Modernization Development
KodekX
 
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
MYSQL Presentation for SQL database connectivity
Swati270511
 
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
Teaching material agriculture food technology
LiaRayya
 
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
ACSFv1EN-58255 AWS Academy Cloud Security Foundations.pptx
23bcla24
 
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton
Julien SIMON
 

PGConf APAC 2018 - Lightening Talk #2 - Centralizing Authorization in PostgreSQL

  • 1. Centralising Authorization in PostgreSQL Experimenting with LDAP synchronization
  • 2. Structure of this talk…  A summary of my experience with implementing a simple form of Centralized Authorisation  A step by step approach
  • 3. Authentication versus Authorisation PostgreSQL LDAP Authentication ldap ldapserver=servername.ad.company.au ldaptls=1 ldapbasedn="ou=AU,dc=ad,dc=company,dc=au" ldapbinddn="cn=Gary Evans,ou=consultant,ou=ThirdParty Contractors,ou=Users, ou=AU,dc=ad,dc=corelogic,dc=asia" ldapbindpasswd="<the password>" ldapsearchattribute=sAMAccountName
  • 4. Benefits of a centralized approach  Single point of control of database users  Adding a user can be done by help desk  Less error prone
  • 6. Synchronisation Approach Server StarOne DBROLES postgres Andrew Smith Bob Brown Jenny Reid Julie Benson privileges ldapsearch -Z -LLL -h ldapservername -D gevans@ldapservername -w password -b dc=ad,dc=companyname,dc=aus '(&(objectClass=user)(memberOf=CN='"${ADRow[0]}"' ,OU=SQL,OU=Groups,OU=AU,DC=ad,DC=ccompany name,DC=aus))' sAMAccountName | sed -e 's/sAMAccountName: ([a-zA-Z]*)/1/;tx;d;:x'
  • 7. Synchronisation Approach Database DB_Report DB_Admin DB_Analysts Andrew Smith Bob Brown Jenny Reid Andrew Smith Julie Benson Annette Huntly Paul Brown Andrew Smith Bob Brown Jenny Reid Members Groups ROLES postgres Andrew Smith Bob Brown Jenny Reid Julie Benson Annette Huntly Paul Brown AppOne DB StarOne DB
  • 8. Synchronisation Approach Database DB_Report DB_Admin DB_Analysts Andrew Smith Bob Brown Jenny Reid Andrew Smith Julie Benson Annette Huntly Paul Brown Andrew Smith Bob Brown Jenny Reid Members Groups ROLES postgres Andrew Smith Bob Brown Jenny Reid Julie Benson Annette Huntly Paul Brown AppOne DB StarOne DB
  • 9. Synchronisation Approach Database DB_Report DB_Admin DB_Analysts Andrew Smith Bob Brown Jenny Reid Andrew Smith Julie Benson Annette Huntly Paul Brown Andrew Smith Bob Brown Jenny Reid Server Members Groups ROLES postgres Andrew Smith Bob Brown Jenny Reid Julie Benson Annette Huntly Paul Brown AppOne DB StarOne DB ID Hostname Dbname ADGroup Dbrole Enabled CRUD 1 Serverone AppOne DB_Report Read_only True F,T,F,F 2 Serverone StarOne DB_Report Reporting True F,T,T,F 3 Serverone AppOne DB_Admin Admin_user True T,T,T,T 4 Serverone StarOne DB_Analysts Analyst True F,T,F,F 5
  • 10. Synchronisation Approach Database DB_Report DB_Admin DB_Analysts Andrew Smith Bob Brown Jenny Reid Andrew Smith Julie Benson Annette Huntly Paul Brown Andrew Smith Bob Brown Jenny Reid Server Members Groups ROLES postgres Andrew Smith Bob Brown Jenny Reid Julie Benson Annette Huntly Paul Brown AppOne DB StarOne DB ID Hostname Dbname ADGroup Dbrole Enabled CRUD 1 Serverone AppOne DB_Report Read_only True F,T,F,F 2 Serverone StarOne DB_Report Reporting True F,T,T,F 3 Serverone AppOne DB_Admin Admin_user True T,T,T,T 4 Serverone StarOne DB_Analysts Analyst True F,T,F,F 5 ${PSQL} ${DBMONITOR//HOST/localhost}/schemaname -qtAX --field-separator ' ' -c "SELECT distinct adgroup FROM mapping WHERE enabled = true and hostname='${hostname}'" | while read -a ADRow ; do for adname in $(ldapsearch -Z -LLL -h ldapservername -D gevans@ldapservername -w password -b dc=ad,dc=companyname,dc=aus '(&(objectClass=user)(memberOf=CN='"${ADRow[0]}"',OU=SQL,OU=Groups,OU=AU,DC=ad,DC=companyna me,DC=aus))' sAMAccountName | sed -e 's/sAMAccountName: ([a-zA-Z]*)/1/;tx;d;:x') do ${PSQL} ${PGMONITOR//HOST/$hostname}/ schemaname -qtAX --field-separator ' ' -c "CREATE ROLE ${adname} with LOGIN;“ ${PSQL} ${PGMONITOR//HOST/localhost}/ schemaname -qtAX --field-separator ' ' -c "SELECT distinct dbrole FROM mapping where enabled = true and hostname='${hostname}'" and adgroup = '${adname}' | while read -a DBRRow ; do ${PSQL} ${PGMONITOR//HOST/$hostname}/performance -qtAX --field-separator ' ' -c "GRANT ${DBRRow} TO ${adname};" done
  • 11. Synchronisation Approach Database DB_Report DB_Admin DB_Analysts Andrew Smith Bob Brown Jenny Reid Andrew Smith Julie Benson Annette Huntly Paul Brown Andrew Smith Bob Brown Jenny Reid Server Members Groups ROLES postgres Andrew Smith Bob Brown Jenny Reid Julie Benson Annette Huntly Paul Brown AppOne DB StarOne DB ID Hostname Dbname ADGroup Dbrole Enabled CRUD 1 Serverone AppOne DB_Report Read_only True F,T,F,F 2 Serverone StarOne DB_Report Reporting True F,T,T,F 3 Serverone AppOne DB_Admin Admin_user True T,T,T,T 4 Serverone StarOne DB_Analysts Analyst True F,T,F,F 5 ${PSQL} ${DBMONITOR//HOST/localhost}/schemaname -qtAX --field-separator ' ' -c "SELECT distinct adgroup FROM mapping WHERE enabled = true and hostname='${hostname}'" | while read -a ADRow ; do for adname in $(ldapsearch -Z -LLL -h ldapservername -D gevans@ldapservername -w password -b dc=ad,dc=companyname,dc=aus '(&(objectClass=user)(memberOf=CN='"${ADRow[0]}"',OU=SQL,OU=Groups,OU=AU,DC=ad,DC=ccompanyn ame,DC=aus))' sAMAccountName | sed -e 's/sAMAccountName: ([a-zA-Z]*)/1/;tx;d;:x') do ${PSQL} ${PGMONITOR//HOST/$hostname}/ schemaname -qtAX --field-separator ' ' -c "CREATE ROLE ${adname} with LOGIN;“ ${PSQL} ${PGMONITOR//HOST/localhost}/performance -qtAX --field-separator ' ' -c "SELECT distinct dbrole FROM mapping where enabled = true and hostname='${hostname}'" and adgroup = '${adname}' | while read -a DBRRow ; do ${PSQL} ${PGMONITOR//HOST/$hostname}/ schemaname -qtAX --field-separator ' ' -c "GRANT ${DBRRow} TO ${adname};" done
  • 12. Synchronisation Approach Database DB_Report DB_Admin DB_Analysts Andrew Smith Bob Brown Jenny Reid Andrew Smith Julie Benson Annette Huntly Paul Brown Andrew Smith Bob Brown Jenny Reid Members Groups ROLES postgres Andrew Smith Bob Brown Jenny Reid Julie Benson Annette Huntly Paul Brown AppOne DB StarOne DB
  • 13. Synchronisation Approach Database DB_Report DB_Admin DB_Analysts Andrew Smith Bob Brown Jenny Reid Andrew Smith Julie Benson Annette Huntly Paul Brown Andrew Smith Bob Brown Jenny Reid Members Groups ROLES Postgres (SU) appOneOwner (SU) StarOneOwner (SU) Andrew Smith Bob Brown Jenny Reid Julie Benson Annette Huntly Paul Brown AppOne DB StarOne DB Owner Owner
  • 14. Synchronisation Approach Database DB_Report DB_Admin DB_Analysts Andrew Smith Bob Brown Jenny Reid Andrew Smith Julie Benson Annette Huntly Paul Brown Andrew Smith Bob Brown Jenny Reid Members Groups ROLES Postgres (SU) appOneOwner (SU) StarOneOwner (SU) DB_Report (NL) DB_Admin (NL) DB_Analysts (NL) Andrew Smith Bob Brown Jenny Reid Julie Benson Annette Huntly Paul Brown AppOne DB StarOne DB Owner Owner Role inheritance
  • 15. Synchronisation Approach Database DB_Report DB_Admin DB_Analysts Andrew Smith Bob Brown Jenny Reid Andrew Smith Julie Benson Annette Huntly Paul Brown Andrew Smith Bob Brown Jenny Reid Members Groups ROLES Postgres (SU) appOneOwner (SU) StarOneOwner (SU) DB_Report (NL) DB_Admin (NL) DB_Analysts (NL) Andrew Smith Bob Brown Jenny Reid Julie Benson Annette Huntly Paul Brown AppOne DB StarOne DB Owner Owner Role inheritance
  • 16. Synchronisation Approach Database DB_Report DB_Admin DB_Analysts Andrew Smith Bob Brown Jenny Reid Andrew Smith Julie Benson Annette Huntly Paul Brown Andrew Smith Bob Brown Jenny Reid Members Groups ROLES Postgres (SU) appOneOwner (SU) StarOneOwner (SU) DB_Report (NL) DB_Admin (NL) DB_Analysts (NL) Andrew Smith Bob Brown Jenny Reid Julie Benson Annette Huntly Paul Brown AppOne DB StarOne DB Owner Owner Role inheritance