
Restrict Postgres superusers to local only connections

Submitted by: @import:stackexchange-dba

Problem

I have a database with several users: foo, bar, and super. I was looking at pg_hba.conf to lock down access.

I'd like to allow foo and bar to be able to connect from any IP with password authentication. Or locally with trust authentication.

I'd like to allow super to only be able to login locally with trust authentication. Never from a non-local address.

I started with this.

# TYPE  DATABASE        USER            ADDRESS                 METHOD

# Allow everything if you're on the same machine.
local   all             all                                     trust
host    all             all             127.0.0.1/32            trust


But, then I got stuck because I'm not sure how to say "all users, except super". I'm looking for something like this.

host    all             not_super       all                     md5


One approach I thought I could take is to list foo and bar explicitly. But, I'm wondering if there is another way.

host    all             foo             all                     md5
host    all             bar             all                     md5

Solution

Processing of pg_hba.conf stops at the first matching rule, so put your super user first - local only, trust - then rules for everybody else afterwards.

host  all  super  127.0.0.1/32  trust   # super user, local only - trust
host  all  super  0.0.0.0/0     reject  # super user, non-local - reject
host  all  all    0.0.0.0/0     md5     # All other users, anywhere - password


These address specifications are far too wide, in my opinion.

You should define network subnets that your users must be within in order to connect to these databases.
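To make the first-match behaviour the answer relies on checkable offline, here is a small simulator of pg_hba.conf evaluation. It is example code added for this page, not code from the original Q&A or from PostgreSQL, and it implements only a subset of the real format (local and host records, the all keyword, comma-separated lists, CIDR addresses, # comments). The configs and probe connections (user super, database app, addresses such as 10.0.0.5) are constructed for the demonstration.

```python
"""Simulate pg_hba.conf first-match evaluation (added example, not PostgreSQL code).

Supported subset: 'local' and 'host' records, the 'all' keyword, comma-separated
database/user lists, CIDR addresses and '#' comments. samehost/samenet, +role
prefixes and authentication options are deliberately not handled.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    conn_type: str             # 'local' (Unix socket) or 'host' (TCP/IP)
    databases: set[str]        # {'all'} or explicit names
    users: set[str]            # {'all'} or explicit names
    network: Optional[object]  # ip_network, or None for 'local' / address 'all'
    method: str                # trust, md5, reject, ...


def parse_hba(text: str) -> list[Rule]:
    """Parse pg_hba.conf text into rules, preserving file order."""
    rules: list[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if fields[0] == "local" and len(fields) == 4:
            conn_type, db, user, method = fields
            network = None
        elif fields[0] == "host" and len(fields) == 5:
            conn_type, db, user, addr, method = fields
            # strict=False tolerates host bits set inside the prefix (10.0.0.5/24)
            network = None if addr == "all" else ipaddress.ip_network(addr, strict=False)
        else:
            raise ValueError(f"unsupported or malformed record: {raw!r}")
        rules.append(Rule(conn_type, set(db.split(",")), set(user.split(",")),
                          network, method))
    return rules


def resolve_method(rules: list[Rule], user: str, database: str,
                   address: Optional[str]) -> Optional[str]:
    """Return the METHOD of the first matching rule, or None when nothing matches.

    address=None models a Unix-socket connection (only 'local' records apply).
    PostgreSQL denies a connection that matches no record, so None means
    'denied', just without an explicit reject rule saying so.
    """
    conn_type = "local" if address is None else "host"
    client = None if address is None else ipaddress.ip_address(address)
    for rule in rules:
        if rule.conn_type != conn_type:
            continue
        if "all" not in rule.databases and database not in rule.databases:
            continue
        if "all" not in rule.users and user not in rule.users:
            continue
        # An IPv4 network never contains an IPv6 address (and vice versa),
        # mirroring PostgreSQL: 0.0.0.0/0 does not cover ::1.
        if rule.network is not None and client not in rule.network:
            continue
        return rule.method
    return None


# The three records from the answer, in the answer's order (constructed copy).
ANSWER_HBA = """\
# TYPE  DATABASE  USER   ADDRESS       METHOD
host    all       super  127.0.0.1/32  trust   # super user, local only - trust
host    all       super  0.0.0.0/0     reject  # super user, non-local - reject
host    all       all    0.0.0.0/0     md5     # All other users, anywhere - password
"""

# The same records with the catch-all moved to the top (constructed mistake).
MISORDERED_HBA = """\
host    all       all    0.0.0.0/0     md5
host    all       super  127.0.0.1/32  trust
host    all       super  0.0.0.0/0     reject
"""

# (user, database, client address or None for a Unix socket): constructed probes
PROBES = [
    ("super", "app", "127.0.0.1"),
    ("super", "app", "10.0.0.5"),
    ("super", "app", None),
    ("super", "app", "::1"),
    ("foo", "app", "10.0.0.5"),
]


def evaluate(hba_text: str) -> dict:
    """Map each probe to the method PostgreSQL would pick for this config."""
    rules = parse_hba(hba_text)
    return {probe: resolve_method(rules, *probe) for probe in PROBES}


if __name__ == "__main__":
    for name, text in (("answer order", ANSWER_HBA), ("catch-all first", MISORDERED_HBA)):
        print(f"--- {name}")
        for probe, method in evaluate(text).items():
            print(f"{probe!s:<35} -> {method or 'no match (denied)'}")
```

Two things the run makes visible that the answer's three lines do not say out loud: with the catch-all md5 record on top, super from 10.0.0.5 is offered password authentication instead of being rejected, which is exactly the ordering mistake the answer warns against; and with the answer's records alone, a Unix-socket connection by super (address None) and an IPv6 loopback connection (::1) match nothing and are denied, because host 127.0.0.1/32 only covers IPv4 TCP on the loopback. If super is meant to log in over the socket, keep a local record for it (the question's original local line, or a narrower local all super trust) ahead of the host records.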

Context

StackExchange Database Administrators Q#252460, answer score: 3
