Some New Security Features in PG9.0

Some New Security Features in PG9.0

1. New Grant and Revoke in PG9.0

In Previous version of PG (7.x,8.x), all the DBAs and Users used to miss the GRANT and REVOKE command which can be use to give permissions on all the tables inside the Schema. Now, they don;t have to.

From PG9.0, user can execute single GRANT and REVOKE command to give the permission on all the tables in a SCHEMA.
GRANT SELECT ON ALL TABLES in SCHEMA TEST to test_user;

Here is output of query which shows that above command has given SELECT privileges on all the tables in SCHEMA Test.
postgres=# select * from information_schema.table_privileges  where grantee ='test_user';;
 grantor  |  grantee  | table_catalog | table_schema | table_name | privilege_type | is_grantable | with_hierarchy 
----------+-----------+---------------+--------------+------------+----------------+--------------+----------------
 postgres | test_user | postgres      | test         | test       | SELECT         | NO           | NO
 postgres | test_user | postgres      | test         | test2      | SELECT         | NO           | NO
Similarly user can execute single Revoke command to revoke a privilege from all the tables in Schema:
REVOKE SELECT ON ALL TABLES in SCHEMA test from test_user;
2. Assign Default privileges to a Role.

In PG9.0, managing role privileges is now more easy.
PG9.0 now supports ALTER DEFAULT PRIVILGES as given below:
postgres=# alter default privileges for role newrole GRANT SELECT ON TABLES to public;
ALTER DEFAULT PRIVILEGES

3. Now, user can put a check for verifying the strength of Password given by user. Module passwordcheck by default comes with the PG9.0.

To enable this module user has to add following in postgresql.conf
file and has to restart the PG instance:
shared_preload_libraries = '$libdir/passwordcheck'

Working example is given below:
postgres=# alter user test_user password 'test_user';
ERROR:  password must not contain user name
postgres=# alter user test_user password 'test123';
ERROR:  password is too short
postgres=# alter user test_user password 'test45678';
ALTER ROLE

This feature is also having some limitation. It does not work properly if somebody pass the encrypted password. This feature is not recommended if some security feature is already implemented i.e if pre-encrypted passwords are already passing to DB.

Comments

Post a Comment

Popular posts from this blog

Does UPDATE Change ROWID in Oracle?

Yesterday, there was a discussion which was going on OTN (Oracle Forum). I was also part of that discussion. Discussion was about the "Does UPDATE statement change rowid in Oracle?" As per my comment of "UPDATE does not change rowid", one of the user has pointed me that UPDATE statement sometime changes the rowid in Oracle and given me following example. SQL> ed Wrote file afiedt.buf 1 create table moving_rowid ( 2 col1 number primary key, 3 col2 number, 4 col3 number, 5 col4 varchar2(10) 6 ) 7* organization index SQL> / Table created. SQL> insert into moving_rowid values( 1, 2, 3, 'foo' ); 1 row created. SQL> insert into moving_rowid values( 2, 3, 4, 'bar' ); 1 row created. SQL> select rowid, col1, col2, col3, col4 2 from moving_rowid; ROWID COL1 COL2 COL3 COL4 ---------------- ---------- ---------- ---------- ---------- *BAEADxsCwQL+ 1 2
Read more

PostgreSQL Database Link to Oracle Database on Linux

I have seen question, like "How to make Database Link from PostgreSQL to Oracle?", always floats in PostgreSQL Community Forum. So, I thought to do some research on it and write a Blog. Cybertec (One of The PostgreSQL Database Company) has released a PostgreSQL Module ODBC Link, using which user can make Database link to any other database, including Oracle, MS SQL Server, PostgreSQL etc, which have ODBC compliant Data source. Lets see how you can make ODBC Connection from PostgreSQL to any ODBC compliant data source and fetch data. Installation of this module is very simple. Following are the steps which user can follow: 1. Install the unixODBC driver on your linux machine. user can use following useful link for Downloading and Installing the unixODBC Driver: http://www.unixodbc.org/ 2. Download ODBC-Link from following location: http://www.cybertec.at/download/odbc_link/ODBC-Link-1.0.4.tar.gz 3. Untar the downloaded file as given below: tar -zxvf ODBC-Link-1.0.4.
Read more

Fix of "ORA-29275: partial multibyte character"

This happened to me when I was trying to migrate the Oracle Database to Advanced Server & PostgreSQL. This kind of error comes if Data in Oracle have some junk/invisible Characters which conversion is unknown. select * from junk_character; 'ORA-29275: partial multibyte character' Oracle Descritption for this error is given below: ORA-29275: partial multibyte character Cause: The requested read operation could not complete because a partial multibyte character was found at the end of the input. Action: Ensure that the complete multibyte character is sent from the remote server and retry the operation. Or read the partial multibyte character as RAW. Which doesn't give much information. To find the the column and rows which have those junk/invisible character user can try following trick. a. Select the data column wise as given below: select col1 from tablename; select col2 from tablename; If you are sure about the columns which has those junk charac
Read more