Search icon Close icon
Search icon
0
Cart icon
Close icon
You have no products in your basket yet
Arrow left icon
All Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Newsletters
Free Learning
Arrow right icon
Learn PostgreSQL

You're reading from  Learn PostgreSQL

Product type Book
Published in Oct 2020
Publisher Packt
ISBN-13 9781838985288
Pages 650 pages
Edition 1st Edition
Languages
Concepts
Authors (2):
Luca Ferrari Luca Ferrari
Profile icon Luca Ferrari
LinkedIn
Luca Ferrari has been passionate about computer science since the Commodore 64 era, and today holds a master's degree (with honors) and a Ph.D. from the University of Modena and Reggio Emilia. He has written several research papers, technical articles, and book chapters. In 2011, he was named an Adjunct Professor by Nipissing University. An avid Unix user, he is a strong advocate of open source, and in his free time, he collaborates with a few projects. He met PostgreSQL back in release 7.3; he was a founder and former president of the Italian PostgreSQL Community (ITPUG). He also talks regularly at technical conferences and events and delivers professional training.
See other products by Luca Ferrari
Enrico Pirozzi Enrico Pirozzi
Profile icon Enrico Pirozzi
LinkedIn
Enrico Pirozzi, EnterpriseDB certified on implementation management and tuning, with a master's in computer science, has been a PostgreSQL DBA since 2003. Based in Italy, he has been providing database advice to clients in industries such as manufacturing and web development for 10 years. He has been training others on PostgreSQL since 2008. Dedicated to open source technology since early in his career, he is a cofounder of the PostgreSQL Italian mailing list, PostgreSQL-it, and of the PostgreSQL Italian community site, PSQL
See other products by Enrico Pirozzi
View More author details

Table of Contents (27) Chapters

Preface Section 1: Getting Started
Introduction to PostgreSQL Getting to Know Your Cluster Managing Users and Connections Section 2: Interacting with the Database
Basic Statements Advanced Statements Window Functions Server-Side Programming Triggers and Rules Partitioning Section 3: Administering the Cluster
Users, Roles, and Database Security Transactions, MVCC, WALs, and Checkpoints Extending the Database - the Extension Ecosystem Indexes and Performance Optimization Logging and Auditing Backup and Restore Configuration and Monitoring Section 4: Replication
Physical Replication Logical Replication Section 5: The PostegreSQL Ecosystem
Useful Tools and Extensions Toward PostgreSQL 13 Other Books You May Enjoy
Users, Roles, and Database Security

PostgreSQL is a rock solid database, and it pays great attention to security, providing a very rich infrastructure to handle permissions, privileges, and security policies. This chapter builds on the basic concepts introduced in Chapter 3, Managing Users and Connections, revisiting the role concept and extending knowledge with a particular focus on security and privileges attached to roles (both users and groups). You will learn how to configure every aspect of a role to carefully manage security, from connection to accessing the data within a database.

However, PostgreSQL goes far beyond this and provides a strong mechanism known as Role Level Security, which allows a fine-grain definition of policies to mask out part of the data to certain users.

In this chapter, you will also learn about the Access Control List (ACL) and the way PostgreSQL...

Understanding roles

In Chapter 3, Managing Users and Connections, you have seen how to create new roles, a stereotype that can act both as a single user or a group of users. The CREATE ROLE statement was used to create the role, and you learned about the main properties a role can be associated with.

This section extends the concepts you have read about in Chapter 3, Managing Users and Connections, introducing more interesting and security-related properties of a role.

Just as a quick reminder, the synopsis for creating a new role is the following:

CREATE ROLE name [ [ WITH ] option [ ... ] ]

Here, an option can be indicated in a positive form, that is, associating the property with the role, or in a negative form with the NO prefix, which removes the property from the role. Some properties are not assigned to new roles by default, so you should take your time and consult the documentation of the CREATE ROLE statement in order to see what the default value is for every property. If you...

Access control lists

PostgreSQL stores permissions assigned to roles and objects as Access Control Lists (ACLs), and, when needed, it examines the ACLs for a specific role and a database object in order to understand whether the command or query can be performed. In this section, you will learn what ACLs are, how they are stored, and how to interpret them to understand what permissions an ACL provides.

An ACL is a representation of a group of permissions with the following structure:

grantee=flags/grantor

Here, we see the following:

  • grantee is the role name of the role to which the permissions are applied.
  • flags is the string representing the permissions.
  • grantor is the user who granted the permissions.

Whenever the granted and grantee results in the same name, the role is the owner of the database object.

The flags that can be used in an ACL are those reported in the following table. As you can see, not all the flags apply to all the objects: for example it does not make sense to have...

Granting and revoking permissions

As you have seen in Chapter 3, Managing Users and Connections, a role contains a collection of permissions that are provided by means of a GRANT statement and removed by means of a REVOKE statement. Permissions are stored internally as ACLs, as you have seen in the previous section.

This section revisits the GRANT and REVOKE statements to better help you understand how to use them, with respect to different database objects.

The GRANT statement has the following synopsis:

GRANT <permission, permission, ...> ON <database-object> TO <role>;

Here, you list all the permissions you want to associate with the target role for the specified database object. It is also possible to extend the GRANT statement with the WITH GRANT OPTION clause, which will cause the target role to be able to grant the same permissions it has received to another role.

The REVOKE statement has a similar synopsis:

REVOKE <permission, permission, ..> ON <database...

Row-level security

In the previous part of the chapter, you have seen the permission mechanism by which PostgreSQL allows roles (both users and groups) to access different objects within the database and data contained in the objects. In particular, with regard to tables, you have learned how to restrict access to just a specific column list within the tabular data.

PostgreSQL provides another interesting mechanism to restrict access to tabular data: row-level security. The idea is that row-level security can decide which tuples the role can gain access to, either in read or write mode. Therefore, if the column-based permissions provides a way of limiting the vertical shape of the tabular data, the RLS provides a way to restrict the horizontal shape of the data itself.

When is it appropriate to use RLS? Imagine you have a table that contains data related to users, and you don't want your users to be able to tamper with other users' data. In such a case, restricting the access...

Role password encryption

The passwords associated with roles are always stored in an encrypted form, even if the role is created without the ENCRYPTED PASSWORD property. PostgreSQL determines the algorithm to use in order to encrypt the password via the password_encryption option in the postgresql.conf configuration file. By default, the value of the option is set to md5, which means that the password is computed as MD5 hashes. The only other option available since PostgreSQL 10 is scram-sha-256, which will make the encryption much more robust.

You can quickly check the configuration from the operating system command line:

$ sudo -u postgres grep password_encryption $PGDATA/postgresql.conf
password_encryption = scram-sha-256    # md5 or scram-sha-256

Alternatively, you can inspect the pg_settings system catalog:

forumdb=# SELECT name, setting, enumvals 
         FROM pg_settings 
         WHERE name = 'password_encryption';
        name         |    setting    |      enumvals
--...

SSL connections

The Secure Socket Layer (SSL) allows PostgreSQL to accept encrypted network connections, which means every single piece of data in every packet is encrypted and therefore protected against network spoofing, as long as you handle your keys and certificates appropriately.

In order to enable the SSL extension, you first need to configure the server, then accept incoming SSL connections, and finally instrument the clients to connect in SSL mode.

Configuring the cluster for SSL

In order to let SSL do the encryption, the server must have private and public certificates. Creating and managing certificates is beyond the scope of this book, and is a complex topic. If you or your organization already have certificates, the only thing you have to do is to import the certificate and key files into your PostgreSQL server.

Assuming your certificate and key files are named server.crt and server.key, respectively, you have to configure the following parameters in the postgresql.conf configuration...

Summary

In this chapter, we learned that PostgreSQL provides a very rich infrastructure for managing permissions associated with roles. Internally, PostgreSQL handles permissions on different database objects by means of ACLs, and every ACL contains information about the set of permissions, the users to whom permissions are granted, and the user who granted such permissions. In terms of tabular data, it is even possible to define column-based permissions and row-level permissions to exclude users from having access to a particular subset of data.

Permissions are granted by nested roles in a dynamically-inherited way or on-demand, leaving you the option to fine-tune how a role should exploit privileges.

With regard to security, we saw that PostgreSQL allows two different algorithms for password encryption, with SCRAM-SHA-256 being the most modern and robust. Lastly, when opportunely configured, the server can handle network connections via SSL, thereby encrypting all network traffic and...

References

lock icon The rest of the chapter is locked
arrow left Previous Chapter
Chapter 1 of 27
Next Chapter arrow right
You have been reading a chapter from
Learn PostgreSQL
Published in: Oct 2020 Publisher: Packt ISBN-13: 9781838985288
© 2020 Packt Publishing Limited All Rights Reserved
Register for a free Packt account to unlock a world of extra content!
A free Packt account unlocks extra newsletters, articles, discounted offers, and much more. Start advancing your knowledge today.
Sign up now
Unlock this book and the full library FREE for 7 days
Get unlimited access to 7000+ expert-authored eBooks and videos courses covering every tech area you can think of
Start free trial
Renews at $15.99/month. Cancel anytime}

Authors (2)

Left arrow icon
Profile icon Luca Ferrari
LinkedIn
Luca Ferrari has been passionate about computer science since the Commodore 64 era, and today holds a master's degree (with honors) and a Ph.D. from the University of Modena and Reggio Emilia. He has written several research papers, technical articles, and book chapters. In 2011, he was named an Adjunct Professor by Nipissing University. An avid Unix user, he is a strong advocate of open source, and in his free time, he collaborates with a few projects. He met PostgreSQL back in release 7.3; he was a founder and former president of the Italian PostgreSQL Community (ITPUG). He also talks regularly at technical conferences and events and delivers professional training.
Read more
See other products by Luca Ferrari
Profile icon Enrico Pirozzi
LinkedIn
Enrico Pirozzi, EnterpriseDB certified on implementation management and tuning, with a master's in computer science, has been a PostgreSQL DBA since 2003. Based in Italy, he has been providing database advice to clients in industries such as manufacturing and web development for 10 years. He has been training others on PostgreSQL since 2008. Dedicated to open source technology since early in his career, he is a cofounder of the PostgreSQL Italian mailing list, PostgreSQL-it, and of the PostgreSQL Italian community site, PSQL
See other products by Enrico Pirozzi
Right arrow icon

Other recommended products

Related to this chapter
Left arrow icon
PostgreSQL 11 Server Side Programming Quick Start Guide
PostgreSQL 11 Server Side Programming Quick Start Guide
PostgreSQL is a rock-solid, scalable, and safe, enterprise-level relational database. With a broad range of features and stability it is ever increasing in popularity. The book shows you how to take advantages of PostgreSQL 11 features for Server-Side-Programming. Server-Side-Programming enables strong data encapsulation and coherence.
Nov 2018 8 hours 40 minutes
PostgreSQL 13 Cookbook
PostgreSQL 13 Cookbook
PostgreSQL has become the most advanced open source database on the market. This book adopts a step-by-step approach to meet almost every requirement you can think of while deploying PostgreSQL in production environments. You will not only learn how to design and manage your database but also discover how to administer and secure the database.
Feb 2021 11 hours 28 minutes
PostgreSQL High Performance Cookbook
PostgreSQL High Performance Cookbook
This book will guide you to enhance your database’s performance and give you insights into measuring and optimizing a PostgreSQL database to achieve better performance. You will be a able to perform various essential database tasks such as bench marking the database and optimizing the server’s memory usage. This book will also help you to explore various memory optimization techniques offered by PostgreSQL.
Mar 2017 12 hours 0 minutes
Learning PostgreSQL 10
Learning PostgreSQL 10
This book will familiarize you with the latest new features released in PostgreSQL 10, and get you up and running with building efficient PostgreSQL database solutions from scratch. You will get a complete overview of SQL, client and server side programming in PostgreSQL, as well as some important administration tasks.
Dec 2017 16 hours 16 minutes
Learning PostgreSQL 11
Learning PostgreSQL 11
This book will get you up and running with building efficient relational database solutions right from scratch with the newest features of PostgreSQL 11. You will learn the end-to-end working of relational databases and how to work with database structures. You will also be able to write essential SQL statements, perform data manipulation and do more, with the help of this book.
Jan 2019 18 hours 32 minutes
Mastering PostgreSQL 13
Mastering PostgreSQL 13
Updated to include the new features introduced in PostgreSQL 13, this book shows you how to build better PostgreSQL applications and administer your PostgreSQL database efficiently. You’ll master the advanced features of PostgreSQL and develop the skills you need to build secure and highly available database solutions.
Nov 2020 15 hours 52 minutes
Mastering PostgreSQL 12
Mastering PostgreSQL 12
This book includes the newly introduced features in PostgreSQL 12, and shows you how to build better PostgreSQL applications, and administer your database efficiently. You will master the advanced features of PostgreSQL and acquire the necessary skills to build secured and fault-tolerant database solutions.
Nov 2019 15 hours 40 minutes
Mastering PostgreSQL 11
Mastering PostgreSQL 11
This book includes the newly introduced features in PostgreSQL 11, and shows you how to build better PostgreSQL applications, and administer your PostgreSQL database efficiently. You will master the advanced features of PostgreSQL and acquire the necessary skills to build efficient database solutions.
Oct 2018 14 hours 52 minutes
Mastering PostgreSQL 10
Mastering PostgreSQL 10
PostgreSQL is an open source database used for handling large datasets (big data) and as a JSON document database. This book highlights the newly introduced features in PostgreSQL 10, and shows you how you can build better PostgreSQL applications, and administer your PostgreSQL database more efficiently.
Jan 2018 14 hours 16 minutes
PostgreSQL 10 High Performance
PostgreSQL 10 High Performance
PostgreSQL is increasingly utilized in all kind of applications, starting from desktop to web and mobile applications. In this book, you will find the best ways to design, monitor and maintain your PostgreSQL solution, with suggestions and tips for high performance, troubleshooting and high availability.
Apr 2018 16 hours 56 minutes
Mastering PostgreSQL 9.6
Mastering PostgreSQL 9.6
PostgreSQL is an open source database management tool used for handling large datasets (big data) and as a JSON document database. It also has applications in the software and web domains. This book will enable you to build better PostgreSQL applications and administer databases more efficiently.
May 2017 13 hours 52 minutes
PostgreSQL Administration Cookbook
PostgreSQL Administration Cookbook
PostgreSQL is a powerful, open source, object-relational database system, fast becoming one of the world's most popular server databases with an enviable reputation for performance and stability and an enormous range of advanced features. This is a practical guide aimed at giving sysadmins and database administrators the necessary toolkit to be able to set up, run, and extend powerful databases with PostgreSQL.
Apr 2017 18 hours 32 minutes
Right arrow icon

Personalised recommendations for you

Based on your interests and search pattern
Left arrow icon
Et al.
Et al.
Ever wonder why speech recognition systems don't understand the Scottish accent, or what would happen if an astronaut only ate mac 'n' cheese, or other spurious reflections you'd have at a bar? We did, then collated those deliberations into absurd research articles with fake figures and methodologies inspired by even more fictionally absurd studies.
Aug 2023 7 hours 40 minutes
Generative AI with LangChain
Generative AI with LangChain
This book is a comprehensive introduction to LLMs and LangChain, demystifying the basic mechanics of LangChain, its functionalities, and the myriad of applications it can be integrated into.
Dec 2023 12 hours 0 minutes
Generative AI with LangChain
Generative AI with LangChain
This book is a comprehensive introduction to LLMs and LangChain, demystifying the basic mechanics of LangChain, its functionalities, and the myriad of applications it can be integrated into.
Dec 2023 12 hours 0 minutes
Generative AI with LangChain
Generative AI with LangChain
This book is a comprehensive introduction to LLMs and LangChain, demystifying the basic mechanics of LangChain, its functionalities, and the myriad of applications it can be integrated into.
Dec 2023 12 hours 0 minutes
Generative AI with LangChain
Generative AI with LangChain
This book is a comprehensive introduction to LLMs and LangChain, demystifying the basic mechanics of LangChain, its functionalities, and the myriad of applications it can be integrated into.
Dec 2023 12 hours 0 minutes
Mastering Tableau 2023
Mastering Tableau 2023
This book is a comprehensive resource to mastering your Tableau skills and becoming a BI expert. As you progress, you will learn how to build advanced dashboards and improve your storytelling to derive key business insight, as well as make you well-versed with advanced functionalities of Tableau in the business intelligence domain.
Aug 2023 22 hours 48 minutes
Building AI Applications with ChatGPT APIs
Building AI Applications with ChatGPT APIs
This guide covers all ChatGPT API features for effortless creation of robust AI powered apps. With its help, you’ll be able to leverage ChatGPT’s cutting-edge NLP models to take your app development skills to the next level. You’ll also work on ten exciting projects that will give you the practical know-how that you can apply to your existing applications.
Sep 2023 8 hours 36 minutes
Building AI Applications with ChatGPT APIs
Building AI Applications with ChatGPT APIs
This guide covers all ChatGPT API features for effortless creation of robust AI powered apps. With its help, you’ll be able to leverage ChatGPT’s cutting-edge NLP models to take your app development skills to the next level. You’ll also work on ten exciting projects that will give you the practical know-how that you can apply to your existing applications.
Sep 2023 8 hours 36 minutes
Data Engineering with AWS
Data Engineering with AWS
Embark on a journey to master data engineering pipelines on AWS! Our book offers a hands-on experience of AWS services for ingesting, transforming, and consuming data. Whether you're an absolute beginner or someone with basic data engineering experience, this guide is an indispensable resource.
Oct 2023 21 hours 12 minutes
Modern Data Architecture on AWS
Modern Data Architecture on AWS
Every organization wants an agile, performant, and cost-effective data platform that meets all their current and future business needs. Purpose-built AWS analytics services and their features play a big part in building such a modern data platform. This book brings to you all the design and architectural patterns that’ll help you achieve this goal.
Aug 2023 14 hours 0 minutes
Practical Guide to Applied Conformal Prediction in Python
Practical Guide to Applied Conformal Prediction in Python
Discover the power of Conformal Prediction with the "Practical Guide to Applied Conformal Prediction in Python." Master the latest techniques to quantify uncertainty in machine learning and computer vision models, and seamlessly apply them to your industry applications.
Dec 2023 8 hours 0 minutes
TinyML Cookbook
TinyML Cookbook
With over 70 project-based recipes, the TinyML Cookbook is a practical guide that will help you to get the most out of your microcontrollers. It provides a comprehensive understanding of the theoretical foundations while giving you hands-on experience training ML models for deployment on Arduino Nano 33 BLE Sense, Raspberry Pi Pico, and SparkFun RedBoard Artemis Nano microcontrollers.
Nov 2023 22 hours 8 minutes
Right arrow icon