The documentation should cover that pretty well. See in particular pg_hba.conf
. It's hard to make "simple" guides on security, because if you simplify in the wrong way you make it wrong.
Trivially so long as you have the ability to edit pg_hba.conf
and reload the server. Just add an pg_hba.conf
entry with trust
authentication, reload PostgreSQL (pg_ctl reload
, /etc/init.d/postgresql reload
, whatever), change the password, and put pg_hba.conf
back how it was.
Disabling hostbased and password login security in PostgreSQL can be done by setting trust
authentication in pg_hba.conf
. It's usually much saner to use peer
authentication for local
connections instead, but this only works on unix systems.
Users are just roles with the LOGIN
attribute. Roles are global across the server. Most GRANT
s of rights to users/roles are specific to particular databases or objects within databases. See the documentation for the GRANT
command.
"trick?". I think you'll want to post a new, more detailed and specific question on https://dba.stackexchange.com/ with the details, including exact commands run, exact error messages, etc.
I'm kind of surprised by your expectation that dropping then re-creating a user would retain their settings. This would create the opportunity for colossal security holes. The sysadmin joe
leaves, you drop their account. New data entry joe
starts, you create their account. Oops! The new Joe has all the rights of the completely different old Joe.
If you drop a table then re-create it, does it still have its contents? Why would users/roles be any different?
If you don't want to drop a user account, don't drop the user account. Disable it by REVOKE
ing CONNECT
rights on the database(s), changing their password, etc.
The error is harmless but to get rid of it, I think you need to break this restore into two commands, as in:
dropdb -U postgres mydb && \
pg_restore --create --dbname=postgres --username=postgres pg_backup.dump
The --clean
option in pg_restore doesn't look like much but actually raises non-trivial problems.
For versions up to 9.1
The combination of --create
and --clean
in pg_restore options used to be an error in older PG versions (up to 9.1). There is indeed some contradiction between (quoting the 9.1 manpage):
--clean
Clean (drop) database objects before recreating them
and
--create
Create the database before restoring into it.
Because what's the point of cleaning inside a brand-new database?
Starting from version 9.2
The combination is now accepted and the doc says this (quoting the 9.3 manpage):
--clean
Clean (drop) database objects before recreating them. (This might generate some harmless error messages, if any objects were not present in the destination database.)
--create
Create the database before restoring into it. If --clean is also specified, drop and recreate the target database before connecting to it.
Now having both together leads to this kind of sequence during your restore:
DROP DATABASE mydb;
...
CREATE DATABASE mydb WITH TEMPLATE = template0... [other options]
...
CREATE SCHEMA public;
...
CREATE TABLE...
There is no DROP
for each individual object, only a DROP DATABASE
at the beginning. If not using --create
this would be the opposite.
Anyway this sequence raises the error of public
schema already existing because creating mydb
from template0
has imported it already (which is normal, it's the point of a template database).
I'm not sure why this case is not handled automatically by pg_restore
. Maybe this would cause undesirable side-effects when an admin decides to customize template0
and/or change the purpose of public
, even if we're not supposed to do that.
Best Answer
Create a .pgpass file on the postgres server in the $HOME directory of the
postgres
Linux user. You can then store the password of that database user in that file.Then you can remove the
password
option from the user mapping, as Postgres (or more precisely: libpq) will pick up the password from the password file.Don't forget to set
password_required
to'false'
on the user mapping unless the user mapping is for a superuser (which is an altogether awful thing to do).