From f300da4454782ca13749501a36860acf7023a788 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A1s=20V=C3=A1czi?= Date: Tue, 6 Mar 2018 10:07:39 +0100 Subject: [PATCH 1/2] Divide section about connection and privileges --- doc_source/Appendix.PostgreSQL.CommonDBATasks.md | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/doc_source/Appendix.PostgreSQL.CommonDBATasks.md b/doc_source/Appendix.PostgreSQL.CommonDBATasks.md index f1587016..1c3f30d6 100644 --- a/doc_source/Appendix.PostgreSQL.CommonDBATasks.md +++ b/doc_source/Appendix.PostgreSQL.CommonDBATasks.md @@ -32,6 +32,10 @@ GRANT ROLE ## Managing PostgreSQL Database Access +On a local instance, you can specify different access methods in the pg\_hba\.conf file\. However, changes to the pg\_hba\.conf file require operating system access, so you cannot edit the pg\_hba\.conf in Amazon RDS\. Therefore the only allowed authentication method is `md5`, meaning password authentication\. To avoid sending unencrypted passwords, cosider [setting up SSL](CHAP_PostgreSQL.md#PostgreSQL.Concepts.General.SSL) for your database connections\. + +## Setting PostgreSQL Database Privileges + By default, when PostgreSQL database objects are created, they receive "public" access privileges\. You can revoke all privileges to a database and then explicitly add privileges back as you need them\. As the master user, you can remove all privileges from a database using the following command format\. 
@@ -48,7 +52,8 @@ grant connect on database test to mytestuser; GRANT ``` -On a local instance, you can specify database privileges in the pg\_hba\.conf file\. However, when using PostgreSQL with Amazon RDS it is better to restrict privileges at the PostgreSQL level\. Changes to the pg\_hba\.conf file require a server restart so you cannot edit the pg\_hba\.conf in Amazon RDS, but privilege changes at the PostgreSQL level occur immediately\. +For more details, please consult the official PostgreSQL documentation on the [`GRANT`](https://www.postgresql.org/docs/current/static/sql-grant.html) command\. + ## Working with PostgreSQL Parameters @@ -954,4 +959,4 @@ If you want to enable `orafce` on a different database in the same instance, use ALTER SCHEMA oracle OWNER TO rds_superuser; ``` **Note** -If you want to see the list of owners for the oracle schema, use the `\dn` psql command\. \ No newline at end of file +If you want to see the list of owners for the oracle schema, use the `\dn` psql command\. From 0daedbfe9edc05da223fb365ba86b8176ff89bcd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A1s=20V=C3=A1czi?= Date: Tue, 6 Mar 2018 10:09:58 +0100 Subject: [PATCH 2/2] Update TOC --- doc_source/Appendix.PostgreSQL.CommonDBATasks.md | 1 + 1 file changed, 1 insertion(+) diff --git a/doc_source/Appendix.PostgreSQL.CommonDBATasks.md b/doc_source/Appendix.PostgreSQL.CommonDBATasks.md index 1c3f30d6..2adb7bd3 100644 --- a/doc_source/Appendix.PostgreSQL.CommonDBATasks.md +++ b/doc_source/Appendix.PostgreSQL.CommonDBATasks.md 
@@ -7,6 +7,7 @@ For information about working with PostgreSQL log files on Amazon RDS, see [Post + [Creating Roles](#Appendix.PostgreSQL.CommonDBATasks.Roles) + [Managing PostgreSQL Database Access](#Appendix.PostgreSQL.CommonDBATasks.Access) ++ [Setting PostgreSQL Database Privileges](#Appendix.PostgreSQL.CommonDBATasks.Privileges) + [Working with PostgreSQL Parameters](#Appendix.PostgreSQL.CommonDBATasks.Parameters) + [Working with PostgreSQL Autovacuum on Amazon RDS](#Appendix.PostgreSQL.CommonDBATasks.Autovacuum) + [Audit Logging for a PostgreSQL DB Instance](#Appendix.PostgreSQL.CommonDBATasks.Auditing)
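Review bot: In the paragraph added under "Managing PostgreSQL Database Access" (PATCH 1/2, hunk `@@ -32,6 +32,10 @@`), the rationale "To avoid sending unencrypted passwords" does not match how `md5` authentication works, and "cosider" is a typo for "consider". With `md5` the client sends a salted MD5 hash in the authentication exchange, not the cleartext password. What SSL adds is protection for the rest of the session: query text (including any password given in a `CREATE ROLE` or `ALTER ROLE` statement) and result data. Suggest rewording the last sentence along those lines. The claim that `md5` is "the only allowed authentication method" is absolute and has no reference in the patch; link a source for it or soften it. "edit the pg\_hba\.conf in Amazon RDS" is also missing the word "file".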
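Review bot: The deletion in PATCH 1/2, hunk `@@ -48,7 +52,8 @@`, drops the statement that "privilege changes at the PostgreSQL level occur immediately", and none of the added lines restate it. That is useful for someone tightening access on a live instance, so suggest keeping it as a sentence in the new "Setting PostgreSQL Database Privileges" section, ahead of the `GRANT` link. Because the section begins by revoking all privileges, a link to the `REVOKE` reference next to the `GRANT` one would fit. The hunk also adds an empty line after the link, leaving two blank lines before "## Working with PostgreSQL Parameters"; one is enough.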
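Review bot: The last hunk of PATCH 1/2 (`@@ -954,4 +959,4 @@`) only adds the missing newline at end of file, which is unrelated to the subject "Divide section about connection and privileges". Either mention the whitespace fix in the commit message or move it to its own commit so the section split is easier to review and revert.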
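Review bot: The TOC entry added in PATCH 2/2 points at `#Appendix.PostgreSQL.CommonDBATasks.Privileges`, but the heading added in PATCH 1/2 is a bare `## Setting PostgreSQL Database Privileges` line with no anchor of that name visible in the diff. Confirm the anchor is defined (or add it together with the heading), otherwise the new TOC link will not resolve. Consider squashing this commit into PATCH 1/2 so the heading and its TOC entry land together.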