Non-superuser cannot connect if the server does not request a password while using dblink
I want to do some cross database references in my application. Briefly, I have two databases called meta and op. I want to do some select query from meta to a table in op database like below but getting the below error. I tried with password and without password. By the way, the caixa user is a non-superuser and my target server (the op db server) has MD5 authentication mode.
meta=> select * from dblink('dbname=op password=caixa','SELECT op_col from op_table') AS t(op_col varchar);
ERROR: password is required
DETAIL: Non-superuser cannot connect if the server does not request a password.
HINT: Target server's authentication method must be changed.
What does the HINT in the above error message suggest? Do I need to change the server's auth mode? Without changing the server's auth mode (MD5), can't I run the above query?
From documentation:
Only superusers may use dblink_connect to create non-password-authenticated connections. If non-superusers need this capability, use dblink_connect_u instead.
and
dblink_connect_u() is identical to dblink_connect(), except that it will allow non-superusers to connect using any authentication method.
That means your dblink call is using dblink_connect implicitly. Use dblink_connect_u instead or change your auth method to e.g. md5.
Note that you also need to grant execute privilege to the caixa role, for example by:
GRANT EXECUTE ON FUNCTION dblink_connect_u(text) TO caixa;
GRANT EXECUTE ON FUNCTION dblink_connect_u(text, text) TO caixa;
Working example (after GRANT):
meta=> SELECT dblink_connect_u('conn1', 'dbname=op');
meta=> SELECT * FROM dblink('conn1','SELECT op_col from op_table')
AS t(op_col varchar);
op_col
--------
aaa
bbb
ccc
(3 rows)
meta=> SELECT dblink_disconnect('conn1');
EDIT:
Sorry for the slightly misleading answer. Of course you don't need dblink_connect_u for an md5 authenticated connection. There is one possibility I see. PostgreSQL has two different connection types: host and local.
Running:
psql -h localhost..
incorporates host connection, but
dblink_connect('mycon','dbname=vchitta_op user=caixa password=caixa');
uses local type, so if you have a non-password method for local connection (for example ident method or trust), then it returns
ERROR: password is required
DETAIL: Non-superuser cannot connect if the server does not request a password.
HINT: Target server's authentication method must be changed.
Check
dblink_connect('mycon','hostaddr=127.0.0.1 dbname=vchitta_op user=caixa password=caixa')
for host connection. For clarity, if possible please post your pg_hba.conf.
I also checked the CONNECT privilege on the vchitta_op DB, but the error message is different:
REVOKE CONNECT ON DATABASE vchitta_op FROM PUBLIC;
REVOKE CONNECT ON DATABASE vchitta_op FROM caixa;
SELECT dblink_connect('mycon','dbname=vchitta_op user=caixa password=caixa');
ERROR: could not establish connection
DETAIL: FATAL: permission denied for database "vchitta_op"
DETAIL: User does not have CONNECT privilege.
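To see which pg_hba.conf rules the target server would consider for the caixa role on vchitta_op, and whether each one asks for a password, the query below lists them in file order. It is an added example, not part of the answer above, and it assumes PostgreSQL 10 or later (the pg_hba_file_rules view) and a superuser session on the target server.

```sql
-- Added example. Run as a superuser on the target server (PostgreSQL 10+).
-- pg_hba_file_rules shows the file as it is on disk; pg_hba.conf is evaluated
-- top to bottom and the first matching rule wins:
--   type = 'local'  applies to Unix-socket connections, e.g. 'dbname=vchitta_op ...'
--   type = 'host%'  applies to TCP connections,         e.g. 'hostaddr=127.0.0.1 ...'
-- Not resolved here: +group, sameuser/samerole entries and address matching,
-- so compare the address column against the client address by eye.
SELECT line_number,
       type,
       database,
       user_name,
       address,
       auth_method,
       CASE
           WHEN auth_method IN ('password', 'md5', 'scram-sha-256',
                                'ldap', 'radius', 'pam', 'bsd')
               THEN 'password requested'
           ELSE 'no password requested: dblink_connect by a non-superuser is refused'
       END AS dblink_effect
FROM pg_hba_file_rules
WHERE error IS NULL
  AND database  && ARRAY['all', 'vchitta_op']
  AND user_name && ARRAY['all', 'caixa']
ORDER BY line_number;
```

If the first `local` row shows trust, peer or ident while the first `host` row shows md5, the same credentials fail over the socket and succeed with hostaddr=127.0.0.1.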
There's a workaround that did the trick for me. Non-superusers can execute functions with privileges of a superuser if the "SECURITY DEFINER" option is set. ( http://www.postgresql.org/docs/9.1/static/sql-createfunction.html )
That means you can create a function (with superuser owner and SECURITY DEFINER option) that does cross-database manipulation (using dblink() without password) and execute it under a non-superuser.
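A sketch of such a wrapper, written so that the caller cannot supply a connection string or SQL text and cannot redirect name lookup. This is an added example, not code from the answer; the function name fetch_op_cols is hypothetical, the other names come from the question, and dblink is assumed to be installed in schema public.

```sql
-- Added example. Run as a superuser in database meta.
-- Create and lock down in one transaction so the function is never
-- executable by PUBLIC, which is the default for new functions.
BEGIN;

CREATE OR REPLACE FUNCTION public.fetch_op_cols()   -- hypothetical name
RETURNS TABLE (op_col varchar)
LANGUAGE sql
SECURITY DEFINER
-- Pin search_path: a SECURITY DEFINER function otherwise resolves
-- unqualified names through the caller's search_path.
SET search_path = pg_catalog, pg_temp
AS $$
    -- Connection string and remote query are fixed literals; the function
    -- takes no arguments, so the caller only gets this one result set.
    SELECT t.op_col
    FROM public.dblink('dbname=op',
                       'SELECT op_col FROM op_table') AS t(op_col varchar);
$$;

REVOKE ALL ON FUNCTION public.fetch_op_cols() FROM PUBLIC;
GRANT EXECUTE ON FUNCTION public.fetch_op_cols() TO caixa;

COMMIT;

-- Verify: prosecdef is true, proconfig carries the pinned search_path,
-- and proacl lists only the owner and caixa.
SELECT proname, prosecdef, proconfig, proacl
FROM pg_proc
WHERE oid = 'public.fetch_op_cols()'::regprocedure;
```

Compared with granting EXECUTE on dblink_connect_u to caixa, this exposes a single fixed query instead of arbitrary password-less connections made with the server's identity.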
I have a similar but different issue. I have two servers with identical postgres.conf and pg_hba.conf. However, one is on version 9.2.3 and one on 9.2.4.
pg_hba.conf has
local all dblinkuser trust
then I connect to the database using any ordinary user
theater_map=# select dblink_connect('dbname=TheaterDB user=dblinkuser password=dbl123');
dblink_connect
----------------
OK
(1 row)
my pg_hba.conf has the same entry as above
theater_map=> select dblink_connect('dbname=TheaterDB user=dblinkuser password=dbl123');
ERROR: password is required
DETAIL: Non-superuser cannot connect if the server does not request a password.
HINT: Target server's authentication method must be changed.
Now I change my pg_hba.conf on 9.2.4 as below
local all dblinkuser md5
and restart postgres
theater_map=> select dblink_connect('dbname=TheaterDB user=dblinkuser password=dbl123');
dblink_connect
----------------
OK
(1 row)
I checked the change log between versions 9.2.3 and 9.2.4 but could not find any details.
Note: changing auth method from trust to md5 on 9.2.3 does not make any difference and still works.
I found this question googling for the same error message, though I use the fdw extension rather than db_link. The following steps helped to fix my problem:
- alter user myuser with password 'mypassword'
- trust and set it to md5 - vim /var/lib/postgresql/data_/pg_hba.conf
- pg_hba.conf - SELECT pg_reload_conf(); from psql (log out and log in to verify password is required)
- CREATE USER MAPPING FOR CURRENT_USER SERVER myserver OPTIONS (user 'myuser', password 'mypassword');
PostgreSQL 11.10
SELECT ext.column1 from
dblink('hostaddr=192.192.192.192 dbname=yourDbname user=yourUsername password=yourpass',
'select a."column1" from "Table1" a where a."column2"=2')
as ext(column1 text)