[英]How do I connect to a local postgres database without password from a script within Apache
I have a Python script that should load some data into postgres when a POST request is sent to Apache Webserver. 我有一个Python脚本,当POST请求发送到Apache Web服务器时,应该将一些数据加载到postgres中。 In the script a system user (dbuser) is used to connect to the database (which works fine with psql).
在脚本中,系统用户(dbuser)用于连接到数据库(与psql一起正常工作)。 The script however cannot connect when it is executed within Apache, returning the following error:
但是,该脚本在Apache中执行时无法连接,返回以下错误:
Peer authentication failed for user dbuser
Is there a way to allow the script to connect without providing it the user password? 有没有办法允许脚本在不提供用户密码的情况下进行连接?
The solution I've found uses ident authentication with user maps. 我找到的解决方案将身份验证与用户映射一起使用。
The first thing to notice is that, although an username is provided in the script, when connecting via Apache, that user is used for peer authentication (which fails, requiring a password). 首先要注意的是,尽管脚本中提供了用户名,但通过Apache连接时,该用户仍用于对等身份验证(失败,需要密码)。 However, the system user requesting access to postgresql is the one running Apache (namely www-data), thus enabling us to configure an user map, allowing is to authenticate to the server as another system user (thus leveraging ident authentication).
但是,请求访问postgresql的系统用户是运行Apache的系统用户(即www-data),因此使我们能够配置用户映射,从而允许将服务器身份验证为另一个系统用户(从而利用ident身份验证)。 Here follows the configuration files content:
以下是配置文件的内容:
In pg_ident.conf we configure the user map: 在pg_ident.conf中,我们配置用户映射:
# MAPNAME SYSTEM-USERNAME PG-USERNAME
web www-data dbuser
web dbuser dbuser
In pg_hba.conf we add the map as an option to the local peer authentication: 在pg_hba.conf中,我们将映射作为选项添加到本地对等身份验证中:
# "local" is for Unix domain socket connections only
# TYPE DATABASE USER ADDRESS METHOD
local all all peer map=web
After reloading the server, the script can access the database as if it was executed directly the the user "dbuser", without the need for a password. 重新加载服务器后,该脚本可以访问数据库,就好像该数据库是直接由用户“ dbuser”执行的一样,而无需输入密码。
Try running the below command, it will enable apache to connect to database: 尝试运行以下命令,它将使apache连接到数据库:
setsebool -P httpd_can_network_connect_db 1
setsebool -P httpd_can_network_connect_db 1
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.