AAA stands for Authentication, Authorization and Accounting.
This protocol was defined by the Internet Engineering Task Force in RFC 6733 and is intended to provide an Authentication, Authorization, and Accounting (AAA) framework for applications such as network access or IP mobility in both local and roaming situations.
Short overview of AAA and the RADIUS protocol.
The term AAA (say "triple A") subsumes the functions used in network access to allow a user or a computer to access a network and use its resources.
AAA stands for Authentication (is the user authentic?), Authorization (what is the user allowed to do?) and Accounting (track resource usage by the user).
AAA is typically employed at network ingress points to control users' access to the network and its resources.
The most prominent protocol for AAA is RADIUS (Remote Authentication Dial In User Service), which defines messages for opening and closing a network session and counting network usage (packet and byte count).
RADIUS usually works in conjunction with an LDAP server that stores the policies and user authorizations in a central repository.
Remote Authentication Dial In User Service is a networking protocol that provides centralized Authentication, Authorization, and Accounting (AAA) management for computers to connect to and use a network service.
RadioJungle is a RADIUS server based on FreeRADIUS with a powerful web GUI management interface. It is the right solution for WISPs and public Wi-Fi hotspot areas to manage authentication. More details on www.3ts.it
Terminal Access Controller Access-Control System (TACACS, usually pronounced like tack-axe) refers to a family of related protocols handling remote authentication and related services for networked access control through a centralized server. The original TACACS protocol, which dates back to 1984, was used for communicating with an authentication server, common in older UNIX networks;
RADIUS is a protocol for carrying information related to authentication, authorization, and configuration between a Network Access Server that desires to authenticate its links and a shared Authentication Server.
RADIUS stands for Remote Authentication Dial In User Service.
RADIUS is an AAA protocol for applications such as Network Access or IP Mobility.
It works in both situations, Local and Mobile.
It uses Password Authentication Protocol (PAP), Challenge Handshake Authentication Protocol (CHAP), or Extensible Authentication Protocol (EAP) to authenticate users.
It looks in text files, LDAP servers, or databases for authentication.
Kerberos is a computer network authentication protocol which works on the basis of 'tickets' to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner. Its designers aimed it primarily at a client–server model and it provides mutual authentication—both the user and the server verify each other's identity. Kerberos protocol messages are protected against eavesdropping and replay attacks.
More enterprises are recognizing the opportunity to extend the reach and cost-efficiency of their applications by delivering them as software-as-a-service (SaaS). However, the approach to deploying in the cloud and the choice of either cloud middleware software or a platform-as-a-service (PaaS) can significantly affect the success of a SaaS implementation.
WSO2 Stratos is a complete enterprise-ready cloud middleware platform designed to extend SOAs to the cloud, and it is the software that powers the WSO2 StratosLive PaaS. By providing WSO2 Carbon products as services over public, private, and hybrid cloud infrastructure, WSO2 Stratos offers an ideal platform for SaaS developers to create, manage and run enterprise-class applications and services with all the inherent benefits of a true cloud-native environment. In this session, we will be looking at the WSO2 Stratos cloud middleware platform and the benefits it offers in developing, testing, deploying and managing cloud-native applications.
If you think they are easy, you are (probably) doing them wrong. A presentation about issues with TLS and X.509 certificates for Tampere security people (TreSec, @TreSecCommunity) meetup on 21st of March 2018.
Stands for "Secure Sockets Layer." SSL is a secure protocol developed for sending information securely over the Internet. Many websites use SSL for secure areas of their sites, such as user account pages and online checkout. Usually, when you are asked to "log in" on a website, the resulting page is secured by SSL.
In this presentation, we will explore the REST API, as the ClearPass API integrations and further developments are more focused on the REST API than on the other existing API services like XML-RPC, SOAP, etc. Check out the webinar recording where this presentation was used: http://community.arubanetworks.com/t5/Security/Technical-Webinar-Getting-Started-with-the-ClearPass-REST-API/td-p/410214
Register for the upcoming webinars: https://community.arubanetworks.com/t5/Training-Certification-Career/EMEA-Airheads-Webinars-Jul-Dec-2017/td-p/271908
Cryptzone: The Software-Defined Perimeter (Cryptzone)
How Visible Is Your Network? See how a Software-Defined Perimeter from Cryptzone helps secure your network by dynamically creating 1:1 network connections between users and the data they access.
Authentication is among the most important concepts in security, but most people take a fatally simplistic approach to the matter. We will explore some of the concepts of authentication, including an idea for a more advanced view of authentication that violates common wisdom regarding a related topic.
Web Application Security 101 - 14 Data Validation (Websecurify)
In part 14 of Web Application Security 101 you will learn about SQL Injection, Cross-site Scripting, Local File Includes and other common types of data validation problems.
Authentication and Authorization in Asp.Net (Shivanand Arur)
This presentation gives a little information about why security is important, then moves on to understanding authentication and authorization and their various forms:
1. Forms Authentication
2. Windows Authentication
3. Passport Authentication
Code your Own: Authentication Provider for Blackboard Learn (Dan Rinzel)
Presentation from Blackboard Developers Conference 2012 on how to build your own Authentication plugin for Blackboard Learn 9.1 Service Pack 8 or later.
honeyTLS - Profiling and Clustering Internet-wide SSL/TLS Scans with JA3 (Adel Karimi)
Identifying groups of attackers with similar tools or behaviors is useful for profiling and discovering the connections between them. This talk will explore how I collect JA3, a SSL/TLS client fingerprint, to profile attackers and internet-wide SSL/TLS scans. The talk will provide some interesting observations and the first identified attempt to evade SSL/TLS client fingerprinting!
IBM MQ V8 Security: Latest Features Deep-Dive (Morag Hughson)
More than ever, security issues are on the top of everyone's list of priorities. Find out about the approach taken by IBM MQ. This session will cover the security features in the latest release of IBM MQ.
With Apache Kafka 0.9, the community has introduced a number of features to make data streams secure. In this talk, we’ll explain the motivation for making these changes, discuss the design of Kafka security, and explain how to secure a Kafka cluster. We will cover common pitfalls in securing Kafka, and talk about ongoing security work.
Kafka 2018 - Securing Kafka the Right Way (Saylor Twift)
How to evaluate, implement and maintain Kafka Message Broker in a high-throughput production environment.
DockerCon Live 2020 - Securing Your Containerized Application with NGINX (Kevin Jones)
NGINX is one of the most popular images on Docker Hub and has been at the forefront of the web since the early 2000s. In this talk we will discuss how and why NGINX's lightweight and powerful architecture makes it a very popular choice for securing containerized applications as a sidecar reverse proxy within containers. We will highlight important aspects of application security that NGINX can help with, such as TLS, HTTP, AuthN, AuthZ and traffic control.
Additional Sponsor Information: During our session we will be raffling off a swag pack to live attendees. We'll also be offering 30% off our swag store that can be shared via social. Details below:
URL: swag-nginx.com
Code: DOCKERCON30
Value: 30% off
Talk outline:
Introduction: who Profesia/WSO2 are
What an Identity Server is
Role of the Identity Server in an architecture
Overview of Identity Server features
Google social login configuration
Login with Google, and not only, with an example
Final considerations
Securing your Pulsar Cluster with Vault (Chris Kellogg, StreamNative)
Learn how to secure a Pulsar cluster with Hashicorp Vault and deploy it on Kubernetes. Vault provides a secure way to generate tokens and store sensitive data and Pulsar has a pluggable architecture for authentication, authorization and secret management. This talk will walk through how to create custom plugins for Vault, integrate them with Pulsar and then deploy a Pulsar cluster on Kubernetes.
ViewShift: Hassle-free Dynamic Policy Enforcement for Every Data Lake (Walaa Eldin Moustafa)
Dynamic policy enforcement is becoming an increasingly important topic in today’s world where data privacy and compliance is a top priority for companies, individuals, and regulators alike. In these slides, we discuss how LinkedIn implements a powerful dynamic policy enforcement engine, called ViewShift, and integrates it within its data lake. We show the query engine architecture and how catalog implementations can automatically route table resolutions to compliance-enforcing SQL views. Such views have a set of very interesting properties: (1) They are auto-generated from declarative data annotations. (2) They respect user-level consent and preferences (3) They are context-aware, encoding a different set of transformations for different use cases (4) They are portable; while the SQL logic is only implemented in one SQL dialect, it is accessible in all engines.
#SQL #Views #Privacy #Compliance #DataLake
The Three Musketeers (Authentication, Authorization, Accounting)
Introduction
Authentication
Authorization
Accounting
End

The Three Musketeers
(Authentication, Authorization, & Accounting)
Sarah Conway
credativ USA
info@credativ.com
September 18, 2014
Sarah Conway Postgres Open

Agenda
Introduction
  AAA Model
Authentication
  postgresql.conf
  User Accounts
  Authentication Methods
  SSL
Authorization
  pg_hba.conf
  Access Privileges
Auditing
  Inspecting Privileges
  Logging

AAA Model
AAA Model - Framework that can identify users, authorize what they can access, and create audit trails
Authentication - Server verifies the user is who they claim to be
Authorization - Determines what authenticated user can access and modify
Accounting - Records what user accesses, what actions are performed, and date/time of access

postgresql.conf overview
Located by default on Debian in /etc/postgresql/version/main/ or whatever directory $PGDATA is for you
Locate in postgres session as superuser:
SHOW data_directory;
SHOW config_file;
Comment = #
www.postgresql.org/docs/9.3/static/config-setting.html

postgresql.conf Security and Authentication
#authentication_timeout = 1min
ssl = true
#ssl_ciphers = 'DEFAULT:!LOW:!EXP:!MD5:@STRENGTH'
#ssl_renegotiation_limit = 512MB
ssl_cert_file = '/etc/ssl/certs/ssl-cert-snakeoil.pem'
ssl_key_file = '/etc/ssl/private/ssl-cert-snakeoil.key'
#ssl_ca_file = ''
#ssl_crl_file = ''
#password_encryption = on
#db_user_namespace = off

postgresql.conf Security and Authentication
# Kerberos and GSSAPI
#krb_server_keyfile = ''
#krb_srvname = 'postgres'
#krb_caseins_users = off

pg_settings
Alternate way to view postgres server settings
Primarily same options as are available in postgresql.conf
Context column:
  internal - All internal server values, cannot be changed directly
  postmaster - If changed, requires restart
  sighup - If changed, requires reload
  superuser - Can only be changed by superusers in a session
  user - Can be changed by any user in a session
www.postgresql.org/docs/9.3/static/view-pg-settings.html

pg_settings
test=# select * from pg_settings where name in ('authentication_timeout');
-[ RECORD 1 ]----------------------------------------------------------------
name       | authentication_timeout
setting    | 60
unit       | s
category   | Connections and Authentication / Security and Authentication
short_desc | Sets the maximum allowed time to complete client authentication.
extra_desc |
context    | sighup
vartype    | integer
source     | default
min_val    | 1
max_val    | 600
enumvals   |
boot_val   | 60
reset_val  | 60
sourcefile |
sourceline |

pg_settings
test=# select name, setting, context, source from pg_settings where name in ('authentication_timeout');
          name          | setting | context | source
------------------------+---------+---------+---------
 authentication_timeout | 60      | sighup  | default
(1 row)
test=# \x
Expanded display now on.
test=# select name, setting, context, source from pg_settings where name in ('authentication_timeout');
-[ RECORD 1 ]-------------------
name    | authentication_timeout
setting | 60
context | sighup
source  | default

CREATE ROLE with LOGIN
Same as CREATE USER
Creates username/password pair
Authentication-based parameters: username, password, password expiration/encryption settings
Create user with password valid until October 10th, 2014:
CREATE ROLE sauron LOGIN PASSWORD 'nazgul' VALID UNTIL '2014-10-01';
Drop user:
DROP ROLE sauron;

pg_hba.conf
File that controls client authentication/authorization
Located by default on Debian in /etc/postgresql/version/main/ or wherever $PGDATA is
Ask postgres in superuser session: SHOW hba_file;
Specifies connection type, client IP address range, database name, user name, and authentication method used for matching connections
www.postgresql.org/docs/9.3/static/auth-pg-hba-conf.html

auth-method parameters
Specifies authentication method for use when match is found
trust - Allows full access to user; can login as any existing user
reject - Rejects all access to specific connections/hosts
md5 - Requires user to provide password
  Password is md5-salted-and-hashed by client
password - Requires user to provide password
  Password stored/sent in clear-text
gss - Uses GSSAPI
  TCP/IP connections only
sspi - Uses SSPI
  Windows OS only
krb5 - Uses Kerberos V5
  TCP/IP connections only
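The md5 bullet above says the password is "md5-salted-and-hashed by client". As an added example (not from the slides), here is the derivation PostgreSQL uses for that method, written in Python with constructed role, password and salt values: what pg_authid stores, what the client returns for the server's 4-byte salt, and how the server checks it. It also shows why the stored value has to be guarded like the password itself.

```python
import hashlib
import hmac
import os


def stored_md5_password(username, password):
    """What pg_authid holds for a role under the md5 scheme:
    'md5' + hex(md5(password || username)). The only salt is the role name,
    so the value is stable for as long as the password is unchanged."""
    digest = hashlib.md5((password + username).encode("utf-8")).hexdigest()
    return "md5" + digest


def new_salt():
    """The server sends 4 random bytes in its AuthenticationMD5Password message."""
    return os.urandom(4)


def client_response(username, password, salt):
    """What the client answers: 'md5' + hex(md5(hex(md5(password || username)) || salt)).
    The inner hex digest is exactly the stored value without its 'md5' prefix."""
    inner = hashlib.md5((password + username).encode("utf-8")).hexdigest()
    return "md5" + hashlib.md5(inner.encode("ascii") + salt).hexdigest()


def server_verify(stored, salt, response):
    """Server-side check. It needs only the stored value and the salt it sent,
    never the password: the pg_authid row is therefore itself a credential and
    must be protected (and so must base backups and dumps that contain it).
    The fresh salt only stops a captured response from being replayed."""
    inner = stored[3:]  # strip the 'md5' prefix
    expected = "md5" + hashlib.md5(inner.encode("ascii") + salt).hexdigest()
    return hmac.compare_digest(expected, response)


def demo():
    """Constructed exchange for role 'sauron' with password 'nazgul'."""
    stored = stored_md5_password("sauron", "nazgul")   # set at CREATE ROLE time
    salt = new_salt()                                    # per-connection challenge
    resp = client_response("sauron", "nazgul", salt)    # computed by libpq
    return stored, salt, resp, server_verify(stored, salt, resp)


if __name__ == "__main__":
    stored, salt, resp, ok = demo()
    print("stored:", stored)
    print("salt:  ", salt.hex())
    print("reply: ", resp)
    print("accepted:", ok)
```

The scram-sha-256 method added in later PostgreSQL releases removes this property, because the server stores a verifier from which a valid client proof cannot be produced.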

auth-method parameters, cont.
ident - Contacts ident server on client, checks if client username matches database user name
  TCP/IP connections only
peer - Checks for match between client username and database user name
  Local connections only
ldap - Uses LDAP server
radius - Uses RADIUS server
cert - Uses SSL client certificates
pam - Uses Pluggable Authentication Modules (PAM) service
auth-options - Fields of the form name=value specify options for selected authentication method

SSL - Overview
Normally used as a standard security technology for encrypting network connections
Also used for authenticating users with certificate issued by CA who authenticates user using a cryptographic public key
Verifier cannot impersonate user
Separates user from authentication method; not vulnerable to phishing
Two-factor authentication recommended
www.postgresql.org/docs/9.3/static/ssl-tcp.html

SSL
Requires setting 'ssl' to 'on' in postgresql.conf
Requires installation of SSL certificate
Certificate and private key must exist
Named server.crt and server.key by default
Located in server's data directory
Can rename or relocate by modifying ssl_cert_file
Verifies existence of the business, domain ownership, and user's authority
Generate a cert signing request
Submit CSR to the CA using their process, pay
Wait for them to sign
Download signed cert, install CA chain/signed cert with previously generated private key
Domain Validated certificates
openssl req -new -text -out server.req
# the step above writes a passphrase-protected key to privkey.pem; strip the passphrase
# so the server can start unattended (step from the PostgreSQL docs, missing from the extracted slide)
openssl rsa -in privkey.pem -out server.key
openssl req -x509 -in server.req -text -key server.key -out server.crt
cp server.crt root.crt
#use text editor (vim, vi, etc) to edit pg_hba.conf
#add following lines (METHOD column is missing from the extracted slide; cert assumed)
hostssl all www-data 0.0.0.0/0 cert
hostssl all postgres 0.0.0.0/0 cert
#use text editor (vim, vi, etc) to edit postgresql.conf
ssl = on
#restart postgres
service postgresql restart

pg_hba.conf
Default Debian pg_hba.conf:
# Database administrative login by UNIX sockets
local   all   postgres                   peer
# TYPE  DATABASE  USER  CIDR-ADDRESS  METHOD
# "local" is for Unix domain socket connections only
local   all   all                        peer
# IPv4 local connections:
host    all   all       127.0.0.1/32     peer
# IPv6 local connections:
host    all   all       ::1/128          peer

pg_hba.conf
#Example pg_hba entries:
#Single host allowed
host    all   all   192.168.1.10/32   trust
#Single host rejection
host    all   all   192.168.1.10/32   reject
#Single host connection to single database
host    foo   all   192.168.1.10/32   md5
#Small network connection
host    all   all   192.168.1.0/28    trust
#Larger network connection
host    foo   all   192.168.1.0/24    trust
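pg_hba.conf records like the ones above are evaluated top to bottom and the first match wins, so rule order decides whether a client lands on trust, reject or md5. As an added example (not from the slides), a small Python matcher and auditor over constructed records in the slide's format: it reports which record decides a given connection and flags weak methods, records open to any address, and records that an earlier record prevents from ever matching.

```python
import ipaddress

# Constructed sample in pg_hba.conf format: TYPE DATABASE USER ADDRESS METHOD
SAMPLE_HBA = """\
# Database administrative login by UNIX sockets
local   all   postgres                    peer
local   all   all                         peer
host    foo   all       192.168.1.10/32   md5
host    all   all       192.168.1.10/32   reject
host    all   all       192.168.1.0/28    trust
host    foo   all       192.168.1.0/24    trust
host    all   all       0.0.0.0/0         password
host    all   all       192.168.1.0/24    md5
"""

# Methods the slides describe as granting full access or sending clear-text
WEAK_METHODS = {"trust", "password"}


def parse_hba(text):
    """Parse records into dicts; comments and blank lines are skipped.
    'local' records have no ADDRESS column, so METHOD is the 4th field."""
    records = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        f = line.split()
        if f[0] == "local":
            ctype, db, user, net, method = f[0], f[1], f[2], None, f[3]
        else:
            ctype, db, user, method = f[0], f[1], f[2], f[4]
            net = ipaddress.ip_network(f[3], strict=False)
        records.append({"line": lineno, "type": ctype, "db": db,
                        "user": user, "net": net, "method": method})
    return records


def _covers(pattern, name):
    """'all' matches every name; otherwise the name must match exactly."""
    return pattern == "all" or pattern == name


def _type_covers(earlier, later):
    """A 'host' record matches plain and SSL TCP/IP connections alike;
    'hostssl' matches only SSL ones."""
    return earlier == later or (earlier == "host" and later == "hostssl")


def match(records, ctype, db, user, addr=None):
    """First-match semantics: return the record that decides this connection,
    or None when nothing matches (PostgreSQL then refuses the connection)."""
    ip = ipaddress.ip_address(addr) if addr is not None else None
    for r in records:
        if r["type"] == "local":
            if ctype != "local":
                continue
        elif ip is None or not _type_covers(r["type"], ctype) or ip not in r["net"]:
            continue  # 'in' is False across IP versions, so ::1 never hits a v4 record
        if _covers(r["db"], db) and _covers(r["user"], user):
            return r
    return None


def audit(records):
    """Findings a reviewer would raise: weak methods, records open to any
    address, and records shadowed by an earlier one (they can never fire)."""
    findings = []
    for i, r in enumerate(records):
        if r["method"] in WEAK_METHODS:
            findings.append((r["line"], f"method '{r['method']}' is weak"))
        if r["net"] is not None and r["net"].prefixlen == 0 and r["method"] != "reject":
            findings.append((r["line"], "open to the whole internet"))
        for e in records[:i]:
            if not (_type_covers(e["type"], r["type"])
                    and _covers(e["db"], r["db"]) and _covers(e["user"], r["user"])):
                continue
            if r["net"] is None and e["net"] is None:
                shadowed = True
            elif (r["net"] is not None and e["net"] is not None
                  and r["net"].version == e["net"].version):
                shadowed = r["net"].subnet_of(e["net"])
            else:
                shadowed = False
            if shadowed:
                findings.append((r["line"], f"never matches; shadowed by line {e['line']}"))
                break
    return findings


if __name__ == "__main__":
    recs = parse_hba(SAMPLE_HBA)
    hit = match(recs, "host", "bar", "frodo", "192.168.1.10")
    print("decided by line", hit["line"], "method", hit["method"])
    for line, msg in audit(recs):
        print(f"line {line}: {msg}")
```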

CREATE ROLE with NOLOGIN
Same as CREATE GROUP
Creates group with particular privileges that users can be assigned to
Authorization-based parameters (also applies to CREATE ROLE with LOGIN): replication, createdb, createrole, superuser
Create user that is a superuser:
CREATE ROLE saruman LOGIN SUPERUSER;
Create administrative group and assign saruman to it:
CREATE ROLE admin NOLOGIN SUPERUSER;
GRANT admin TO saruman;
ALTER ROLE saruman INHERIT;
\c - saruman
SET ROLE admin;

Access Privileges
Define/remove access privileges to database objects
Can grant privileges on tables, columns, views, databases, sequences, domains, foreign data wrappers, foreign servers, functions, procedural languages, large objects, schemas, tablespaces, types
Schema level privileges disabled by default
Grant/revoke role membership
www.postgresql.org/docs/9.3/static/sql-grant.html
www.tutorialspoint.com/postgresql/postgresql_privileges.htm

GRANT - Example
Grant all privileges on schema mordor to group role admin:
CREATE SCHEMA mordor;
CREATE TABLE mordor.ring(id int);
GRANT ALL PRIVILEGES ON SCHEMA mordor TO admin;

REVOKE - Example
REVOKE ALL PRIVILEGES ON SCHEMA PUBLIC FROM saruman;
REVOKE ALL ON FUNCTION foo() FROM GROUP PUBLIC;
REVOKE ALL PRIVILEGES ON SCHEMA PUBLIC FROM PUBLIC;

Define your own default privileges
DROP OWNED BY to drop default privilege entry for role
Required to drop role with changed default settings
Grant SELECT to public for all tables created under schema mordor:
ALTER DEFAULT PRIVILEGES IN SCHEMA mordor
GRANT SELECT ON TABLES TO PUBLIC;

Access Privilege Inquiry Functions
pg_has_role
has_any_column_privilege
has_database_privilege
has_column_privilege
has_schema_privilege
etc. for function, foreign data wrapper, sequence, table, tablespace
If user argument omitted, current user is assumed
www.postgresql.org/docs/9.3/static/functions-info.html

Access Privilege Inquiry Functions
test=# SELECT has_table_privilege('frodo','mordor.ring','select');
 has_table_privilege
---------------------
 t
(1 row)

psql
\dp - Obtains information about current privileges for existing database objects
\ddp - Obtains information about default privilege assignments
\du - Obtains information about the list of existing roles
All are only available in psql
www.postgresql.org/docs/9.3/static/app-psql.html

Logging
log_filename - Locate logs
log_connections, log_pid, log_statement, log_duration, log_timestamp - Logs respective items
debug_print_parse, debug_print_rewritten, debug_print_plan - Enables various debugging output to be sent to server log
debug_pretty_print - Sends debugging output in a longer, indented, more readable format
hostname_lookup - Shows hostname in logs

Log files, with ability to import into table
Efficient way to view important logs at once
Displays concise list of information with options to add or remove specific
Files are ready for import
Set log_truncate_on_rotation to avoid mixing old data with new

Event Triggers
Newly introduced in 9.3, still being expanded
Capable of capturing DDL events
Global to a specified database
Can be written in any procedural language with event trigger support

pgaudit
https://github.com/2ndQuadrant/pgaudit
Based on event triggers
Collects audit events and logs in CSV log format
Supports DDL, DML, and utility commands

audit-trigger
https://github.com/2ndQuadrant/audit-trigger
Attached to a single table
Captures DML events only
Script generates an audit trigger for each table in database
Easily modified

pgbadger
https://github.com/dalibo/pgbadger
Add-on that analyzes logs and compiles results into csvlog, syslog, or stderr
Built to be quick
Written in Perl
Mostly performance reports