Movatterモバイル変換

[0]ホーム
URL:

Facebook
Postgres Pro
Facebook
Request a Demo
ldap2pg
Prev UpI.2. Third-Party Client ApplicationsHome Next

ldap2pg

ldap2pg — automate the creation, update, and removal ofPostgres Pro roles and users from an enterprise directory

Synopsis

ldap2pg [option...] [dbname]

Description#

Out of the box,Postgres Pro is able to check password of an existing role using the LDAP protocol.ldap2pg automates the creation, update and removal ofPostgres Pro roles, and users from an enterprise directory.

Managing roles is close to managing privileges as you expect roles to have proper default privileges.Postgres Pro can grant and revoke privileges too.

ldap2pg is provided withPostgres Pro Standard as a separate pre-built packageldap2pg (for the detailed installation instructions, seeChapter 16).

ldap2pg is reported to work withSamba DC,OpenLDAP,FreeIPA, Oracle Internet Directory and Microsoft Active Directory.

ldap2pgrequires a configuration file calledldap2pg.yaml.

Features#

  • Reads settings from an expressive YAML config file.

  • Creates, alters and dropsPostgres Pro roles from LDAP searches.

  • Creates static roles from YAML to complete LDAP entries.

  • Manages role parents (aliasgroups).

  • Grants or revokes privileges statically or from LDAP entries.

  • Dry run, check mode.

  • Logs LDAP searches asldapsearch(1) commands.

  • Logsevery SQL statements.

Requirements#

ldap2pg is released as a single binary with no dependencies.

At run time,ldap2pg requires an unprivileged role withCREATEDB andCREATEROLE options or a superuser access.

ldap2pg does not require to run on the same host as the synchronizedPostgres Pro Standard cluster.

With 2MiB of RAM and one vCPU,ldap2pg can synchronize several thousands of roles in seconds, depending onPostgres Pro Standard instance and LDAP directory response time.

Command-Line Reference#

ldap2pg tries to be friendly regarding configuration and consistent withpsql, OpenLDAP utils andThe Twelve-Factor App.ldap2pg reads its configuration from several sources, in the following order, first prevail:

  1. Command-line arguments.

  2. Environment variables.

  3. Configuration file.

  4. ldaprc,ldap.conf, etc.

The command-line usage is as follows:

ldap2pg [OPTIONS] [dbname]

Where options are as follows:

--check

Check mode: exits with 1 ifPostgres Pro instance is unsynchronized.

--color

Force color output.

-cstring
--configstring

Path to YAML configuration file. Use - for stdin.

--directorystring

Path to directory containing configuration files.

--help

Show help message and exit (default true).

--ldappassword-filestring

Path to LDAP password file.

--quietcount

Decrease log verbosity.

--real

Real mode. Apply changes toPostgres Pro instance.

-skip-privileges

Turn off privilege synchronization.

--verbosecount

Increase log verbosity.

--version

Show version and exit (default true).

Optional argumentdbname is alternatively the database name or a conninfo string or a URI. See psql(1) man page for more information.

By default,ldap2pg runs in dry mode.ldap2pg requires a configuration file to describe LDAP searches and mappings.

Arguments can be defined multiple times. On conflict, the last argument is used.

Environment Variables#

ldap2pg has no command-line interface switch to configurePostgres Pro connection. However,ldap2pg supportslibpqPG* environment variables.

Seepsql(1) for details onlibpq environment variables.

The same goes for LDAP,ldap2pg supports standardLDAP* environment variables and.ldaprc files. Seeldap.conf(5) man page for further details on how to configure.ldap2pg accepts two extra variables:LDAPPASSWORD andLDAPPASSWORD_FILE.

ldap2pg loads.env file in thelda2pg.yml's parent directory if exists.

Usetrue orfalse for boolean values in environment, e.g.LDAP2PG_SKIPPRIVILEGES=true.

Tip

TestPostgres Pro connection using psql(1) and LDAP using ldapwhoami(1) man pages,ldap2pg will be okay and it will be easier to debug the setup and the configuration later.

Logging Setup#

ldap2pg has several levels of logging:

  • ERROR: error details. When this happend,ldap2pg will crash.

  • WARNING:ldap2pg warns about choices you should be aware of.

  • CHANGE: only changes applied toPostgres Pro> cluster.

  • INFO (default): tells whatldap2pg is doing, especially before long task.

  • DEBUG: everything, including raw SQL queries and LDAP searches and introspection details.

The--quiet and--verbose command-line switches respectively decrease and increase verbosity.

You can select the highest level of verbosity withLDAP2PG_VERBOSITY environment variable. For example:

$ LDAP2PG_VERBOSITY=DEBUG ldap2pg12:23:45 INFO   Starting ldap2pg                                 version=v6.0-alpha5 runtime=go1.21.0 commit=<none>12:23:45 WARN   Running a prerelease! Use at your own risks!12:23:45 DEBUG  Searching configuration file in standard locations.12:23:45 DEBUG  Found configuration file.                        path=./ldap2pg.yml$

ldap2pg output varies whether it is running with a TTY or not. If standard error is a TTY, logging is colored and tweaked for human reading. Otherwise, logging format is pure logfmt, for machine processing. You can force human-readable output by using--color command-line interface switch.

ldap2pg.yml File Reference#

ldap2pg requires a YAML configuration file usually namedldap2pg.yml and put in working directory. Everything can be configured from the YAML file:Postgres Pro inspect queries, LDAP searches, privileges and synchronization map.

Warning

ldap2pgrequires a configuration file where the synchronization map is described.

Here are the contents of a testedldap2pg.yml, which can be used as a starting point:

###       L D A P 2 P G   S A M P L E   C O N F I G U R A T I O N### This is a starting point configuration file for ldap2pg.yml. Including static# roles, groups, privilege and LDAP search.## This configuration assumes the following principles:## - All LDAP users are grouped in `ldap_roles` group.# - Read privileges are granted to `readers` group.# - Write privileges are granted to `writers` group.# - DDL privileges are granted to `owners` group.# - We have one or more databases with public and maybe a schema.# - Grants are not specific to a schema. Once you're writer in a database, you#   are writer to all schemas in it.## The LDAP directory content is described in test/fixtures/openldap-data.ldif## Adapt to your needs!### File format version. Allows ldap2pg to check whether the file is supported.#version: 6##       1.   P O S T G R E S   I N S P E C T I O N##  Seethe section called “InspectingPostgres Pro Cluster”.#postgres:  roles_blacklist_query: [nominal, postgres, pg_*]  databases_query: [nominal]##       2.   P R I V I L E G E S   D E F I N I T I O N## Seethe section called “Managing Privileges”. Privileges wrapped# in double underscores are built-in privilege profiles. See#the section called “Built-in Privileges” for a documentation of# each of them.#privileges:  # Define `ro` privilege group with read-only grants  ro:  - __connect__  - __select_on_tables__  - __select_on_sequences__  - __usage_on_schemas__  - __usage_on_types__  # `rw` privilege group lists write-only grants  rw:  - __temporary__  - __all_on_tables__  - __all_on_sequences__  # `ddl` privilege group lists DDL only grants.  ddl:  - __create_on_schemas__##       3.   S Y N C H R O N I S A T I O N   M A P## This list contains rules to declare roles and grants. Each role or grant rule# can be templated with attributes from LDAP entries returned by a search# query.## Any role found in cluster and not generated by rules will be dropped. Any# grant found in cluster and not generated by rules will be revoked.#rules:- description: "Setup static roles and grants."  roles:  - names:    - readers    options: NOLOGIN  - name: writers    # Grant reading to writers    parent: readers    options: NOLOGIN  - name: owners    # Grant read/write to owners    parent: writers    options: NOLOGIN  grant:  - privilege: ro    role: readers    # Scope to a single schema    schemas: nominal  - privilege: rw    role: writers  - privilege: ddl    role: owners- description: "Search LDAP to create readers, writers and owners."  ldapsearch:    base: cn=users,dc=bridoulou,dc=fr    filter: "    (|      (cn=owners)      (cn=readers)      (cn=writers)    )    "  role:    name: '{member.cn}'    options: LOGIN    parent: "{cn}"

File Location#

ldap2pg searches for configuration file in the following order:

  1. ldap2pg.yml in current working directory.

  2. ~/.config/ldap2pg.yml.

  3. /etc/ldap2pg.yml.

  4. /etc/ldap2pg/ldap2pg.yml.

IfLDAP2PG_CONFIG or--config is set,ldap2pg skips searching the standard file locations. You can specify- to read configuration from standard input. This is helpful to feedldap2pg with dynamic configuration.

File Structure#

ldap2pg.yml is split in several sections:

  • postgres: setupPostgres Pro> connection and inspection queries.

  • ldap: configuration for LDAP client.

  • privileges: the definition of privilege profiles.

  • rules: the list of LDAP searches and associated mapping to roles and grants.

If you don't know how to begin, a simple tested and well commentedldap2pg.yml is a good starting point.

About YAML#

YAML is a super-set of JSON. A JSON document is a valid YAML document. YAML is a very permissive format where indentation is meaningful. Seethis YAML cheatsheet for some example.

Inldap2pg.yaml file, you will likely use wildcard for global pattern and curly brace for LDAP attribute injection. Take care of protecting these characters with quotes.

rules:  - role: {cn}  # It's an invalid YAML dict.  - role: "{cn}"  # It's a string with LDAP attribute injection

postgres Section#

Thepostgres section defines custom SQL queries forPostgres Pro inspection.

Thepostgres section contains several*_query parameters. These parameters can be either a string containing an SQL query or a YAML list to return a static list of values, skipping execution of a query onPostgres Pro cluster.

databases_query#

The SQL query to list databases names in the cluster. By default,ldap2pg searches databases it can connect to and it can reassign objects to its owner.ldap2pg loops databases to reassign objects before dropping a role.ldap2pg manages privilege on each database.

postgres:  databases_query: "SELECT datname FROM pg_catalog.pg_databases;"  # OR  databases_query: [mydb]

Note

Configuring a_query parameter with a YAML list skips querying the cluster for inspection and forcesldap2pg to use a static value.

fallback_owner#

Name of the role accepting ownership of database of dropped role.

Before dropping a role,ldap2pg reassigns objects and purges the access control list (ACL).ldap2pg starts by reassigning database owner by the targetted user. The new owner of the database is thefallback owner. Other objects are reassigned to each database owner.

managed_roles_query#

The SQL query to list the name of managed roles.

ldap2pg restricts role deletion and privilege edition to managed roles. Usually, this query returns children of a dedicated group likeldap_roles. By default,ldap2pg manages all roles it has access to.

public is a special built-in role inPostgres Pro. Ifmanaged_roles_query returnspublic role in the list,ldap2pg will manage privileges onpublic. By default,ldap2pg managespublic privileges.

The following example tellsldap2pg to managepublic role,ldap_roles and any members ofldap_roles:

postgres:  managed_roles_query: |    VALUES      ('public'),      ('ldap_roles')    UNION    SELECT DISTINCT role.rolname    FROM pg_roles AS role    JOIN pg_auth_members AS ms ON ms.member = role.oid    JOIN pg_roles AS parent      ON parent.rolname = 'ldap_roles' AND parent.oid = ms.roleid    ORDER BY 1;
roles_blacklist_query#

The SQL query returning name and global pattern to blacklist role from management.ldap2pg won't touch anything on these roles. Default value is[postgres, pg_*].ldap2pg blacklists self user.

postgres:  roles_blacklist_query:  - postgres  - "pg_*"  - "rds_*"

Warning

Beware that '*foo' is a YAML reference. You must quote patternbeginning with '*'.

schemas_query#

The SQL query returning the name of managed schemas in a database.ldap2pg executes this query on each databases returned bydatabases_query only ifldap2pg manages privileges.ldap2pg loops on objects in theses schemas when inspecting GRANTs in the cluster.

  postgres:    schemas_query: |      SELECT nspname FROM pg_catalog.pg_namespace

ldap Section#

Theldap section customizes LDAP client behaviour. Configure connection usingldap.conf andLDAP* environment variables.

known_rdns#

List of attributes known to be part of the distinguished name (DN).

ldap2pg skips sub-search for attributes in this list. e.g.,{member.cn} won't trigger a sub-search on all members ifcn is inknown_rdns. Default value is[n, l, st, o, ou, c, street, dc, uid]. Add a value to fasten synchronization. Remove a value if an attribute is not part of the DN.

ldap:  known_rdns: [cn, uid]

privileges Section#

Theprivileges top-level section definesPostgres Pro privileges. It is a mapping defining privilege profiles, referenced later in synchronisation map'sgrant rule. A privilege profile is a list of either references to a privilege type in aPostgres Pro ACL or other profiles. A privilege profile may include another profile, recursively. SeeManaging Privileges for details.

privileges:  reading:  - on: GLOBAL DEFAULT    type: SELECT    object: TABLES  writing:  - reading  - on: GLOBAL    type: SELECT    object: TABLES

A privilege profile whose name starts with_ is inactive unless included in an active profile.

object#

Defines the target object for object-grained ACL.

Actually useful only forGLOBAL DEFAULT andSCHEMA DEFAULT ACL where the object is the target object class likeTABLES,SEQUENCES, etc.grant rule defines target schema forSCHEMA DEFAULT.

privileges:  reading:  - type: SELECT    on: GLOBAL DEFAULT    object: TABLES
type#

Type of privilege as described inSection 5.8, e.g.,SELECT,REFERENCES,USAGE, etc.

The value can be either a single string or a list of strings. Plural formtypes is valid. When multiple types are defined, a new privilege is defined for each type, each with the same attributes such ason.

privileges:  reading:  - type: USAGE    on: SCHEMAS
on#

Target ACL of privilege type. e.g., TABLES, SEQUENCES, SCHEMAS, etc. Note the special casesALL TABLES,ALL SEQUENCES, etc. SeeManaging Privileges documentation for details.

privileges:  reading:  - type: SELECT    on: ALL TABLES

rules Section#

The top-levelrules section defines synchronisation rules. The section contains is a YAML list. This is the only mandatory parameter inldap2pg.yaml. Each item ofrules is called amapping. A mapping is a YAML dictionary with any ofrole orgrant subsection. A mapping can optionnaly have adescription field and aldapsearch section.

rules:- description: "Define DBA roles"  ldapsearch:    base: ...  roles:  - name: "{cn}"    options: LOGIN SUPERUSER

Theldapsearch subsection is optional. You can define roles and grants without querying a directory.

description#

A free string used for logging. This parameter does not accepts mustache parameter injection.

ldapsearch#

This directive defines LDAP search parameters. It is named after theldapsearch command-line interface utility shipped byOpenLDAP project. Its behaviour should be mostly the same.

Note

This documentation refers to LDAP query assearch while the word query is reserved for SQL query.

ldapsearch directives allow and require LDAP attributes injection inrole andgrant rules using curly braces. SeeQuerying Directory with LDAP for details.

base,scope andfilter

These parameters have the same meaning, definition and default as base, scope and filter arguments ofldapsearch command-line interface utility.

rules:- ldapsearch:    base: ou=people,dc=acme,dc=tld    scope: sub    filter: >      (&f         (member=*)         (cn=group_*)      )
joins

Customizes LDAP sub-search. Thejoins section is a dictionary with attribute name as key and LDAP search parameters as value. LDAP search parameters are the same as for top LDAP search. Actually, a single sub-search is supported.

rules:- ldapsearch:    joins:      member:        filter: ...        scope: ...  role:  - name: "{member.sAMAccountName}"

The search base of sub-search is the value of the referencing attribute, e.g., each value ofmember. You can't customize thebase attribute of sub-search. Likewise,ldap2pg infers attributes of sub-searches fromrole andgrant rules. You can have only a single sub-search per top-level search. You can't do second-level sub-search.

SeeQuerying Directory with LDAP for details.

Note

Executing a sub-search for each entry of a result set can be very heavy. You may optimize the query by using special LDAP search filter likememberOf. Refer to your LDAP directory administrator and documentation for details.

role#

Defines a rule to describe one or more roles wanted in the targetPostgres Pro cluster. This includes name, options, config, comment and membership. Plural formroles is valid. The value can be either a single role rule or a list of role rules.

rules:- role:    name: dba    options: SUPERUSER LOGIN- roles:  - name: group0    options: NOLOGIN  - name: group1    options: NOLOGIN
comment#

Defines the SQL comment of a role. Default value isManaged byldap2pg. Accepts LDAP attribute injection.

In case of LDAP attributes injection, you must take care of how many combinations will be generated. If the template generates a single comment,ldap2pg will copy the comment for each role generated by therole rule. If the template generates multiple comments,ldap2pg associates name and comment. If there is more or less comments generated than name generated,ldap2pg fails.

The following example defines a static comment shared by all generated roles:

rules:- roles:    names:    - alice    - bob    comment: "Static roles from YAML."

The following example generates a single comment from LDAP entry distinguished name, copied for all generated roles:

rules:- ldapsearch:    ...  role:    name: "{cn}"    comment: "Generated from LDAP entry {dn}."

The following example generate a unique comment for each roles generated:

rules:- ldapsearch:    ...  role:    name: "{member.cn}"    comment: "Generated from LDAP entry {member}."

Tip

If a role is defined multiple times, parents are merged. Other fields are kept as declared by the first definition of the role.

name#

Name of the role wanted in the cluster. The value can be either a single string or a list of strings. Plural formnames is valid. You can inject LDAP attributes in name using curly braces. When multiple names are defined, a new role is defined for each name, each with the same attributes such asoptions andparents.comment parameter has a special handling, seecomment.

rules:- roles:    name: "my-role-name"

When injecting LDAP attribute in name, each value of the LDAP attribute of each LDAP entry will define a new role. When multiple LDAP attributes are defined in the format, all combination of attributes are generated.

ldap2pg protects role name with double quotes in the targetPostgres Pro cluster. Capitalization is preserved, spaces are allowed (even if it's a really bad idea).

ldap2pg appliesroles_blacklist_query on this parameter.

options#

DefinesPostgres Pro role options. Can be an SQL-like string or a YAML dictionary. Valid options areBYPASSRLS,CONNECTION LIMIT,LOGIN,CREATEDB,CREATEROLE,INHERIT,REPLICATION andSUPERUSER. Available options vary following the version of the targetPostgres Pro cluster and the privilege ofldap2pg user.

- roles:  - name: my-dba    options: LOGIN SUPERUSER  - name: my-group    options:      LOGIN: no      INHERIT: yes
config#

DefinesPostgres Pro configuration parameters that will be set for the role. Must be a YAML dictionary. Available configuration parameters vary following the version of the targetPostgres Pro cluster. Some parameters require superuser privileges to be set.ldap2pg will fail if it does not have privilege to set a config parameter.

- roles:  - name: my-db-writer    config:      log_statement: mod      log_min_duration_sample: 100

Settingconfig tonull (the default) will disable the feature for the role. Ifconfig is a dict,ldap2pg will drop parameter set in cluster but not defined inldap2pg YAML. To reset all parameters, setconfig to an empty dict like below.

- roles:  - name: reset-my-configuration    config: {}

Note that LDAP attributes are not expanded in config values.

parent#

Name of a parent role. A list of names is accepted. The plural formparents is valid too. Parent role is granted withGRANT ROLE parent TO role;.parent parameter accepts LDAP attributes injection using curly braces.ldap2pg appliesroles_blacklist_query on this parameter. Parent reference can be local roles not managed byldap2pg.

rules:- role:    name: myrole    parent: myparent
before_create#

SQL snippet to execute before role creation.before_create accepts LDAP attributes injection using curly braces. You are responsible for escaping attribute with either.identifier() or.string().

rules:- ldapsearch: ...  role:    name: "{cn}"    before_create: "INSERT INTO log VALUES ({cn.string()})"
after_create#

SQL snippet to execute after role creation.after_create accepts LDAP attributes injection using curly braces. You are responsible for escaping attribute with either.identifier() or.string().

rules:- ldapsearch: ...  role:    name: "{sAMAccountName}"    after_create: "CREATE SCHEMA {sAMAccountName.identifier()} AUTHORIZATION {sAMAccountName.identifier()}"
grant#

Defines a grant of a privilege to a role with corresponding parameters. Can be a mapping or a list of mapping. Plural formgrants is valid too.

rules:- grant:    privilege: reader    databases: __all__    schema: public    role: myrole
database

Scope the grant to one or more databases. May be a list of names. Plural formdatabases is valid. Special value__all__ expands to all managed databases as returned bydatabases_query. Defaults to__all__. Grants found in other databases will be revoked. Accepts LDAP attributes injection using curly braces.

This parameter is ignored for instance-wide privileges (e.g., onLANGUAGE).

privilege

Name of a privilege, within the privileges defined inprivileges YAML section. May be a list of names. Plural formprivileges is valid. Required, there is not default value. Accepts LDAP attribute injection using curly braces.

role

Name of the target role of the grant (granted role orgrantee). Must be listed bymanaged_roles_query. May be a list of names. Plural formroles is valid. Accepts LDAP attribute injection using curly braces.ldap2pg appliesroles_blacklist_query on this parameter.

schema

Name of a schema whithin the schemas returned byschemas_query. Special value__all__ meansall managed schemas in the databases. May be a list of names. Plural formschemas is valid. Accepts LDAP attribute injection using curly braces.

This parameter is ignored for privileges onDATABASE and other instance-wide or database-wide privileges.

owner

Name of role to configure default privileges for. Special value__auto__ fallbacks to managed roles havingCREATE privilege on the target schema. May be a list of names. Plural formowners is valid. Accepts LDAP attribute injection using curly braces.

acls Section#

DefinesPostgres Pro ACLs. An ACL is set of queries to list GRANTs in the cluster and to manage them by granting or revoking item in the list. ACL is scoped to instance or database. References ACL in privileges profiles. Writinga custom ACL is tricky, ensure you understand bothPostgreSQL andldap2pg before.

acls

Theacls top level section is a mapping defining ACLs. All fields are mandatory.

acls:  PROCEDURE:    scope: database    inspect: |      WITH ...    grant: GRANT ...    revoke: REVOKE ...
scope#

Scope of the ACL. Can beinstance ordatabase.

inspect#

SQL query to list GRANTs in the cluster. The signature of the query depends on the scope. Seecustom ACLs for details.

grant#

SQL query to grant a privilege. The query accepts templating using angle brackets. Some parameters are injected as keyword, i.e., as raw SQL. Other parameters are quoted as identifiers.

Available parameters:

  • <acl> name of the ACL. Raw SQL.

  • <database> name of database to grant on. Quoted identifier.

  • <grantee> name of role to grant on. Quoted identifier.

  • <object> name of object to grant on. Quoted identifier.

  • <owner> name of role to grant to. Quoted identifier.

  • <privilege> type of privilege. Raw SQL.

  • <schema> name of schema to grant on. Quoted identifier.

revoke#

SQL query to revoke a privilege. Likegrant, the query accepts templating using angle brackets. Accepts same parameters as grant. Having different paramenter between GRANT and REVOKE leads to unexpected behaviour.

InspectingPostgres Pro Cluster#

ldap2pg follows the explicit create/implicit drop and explicit grant/implicit revoke pattern. Thus properly inspecting cluster for what you want to drop/revoke is very crucial to succeed in synchronization.

ldap2pg inspects databases, schemas, roles, owners and grants with SQL queries. You can customize all these queries in thepostgres YAML section with parameters ending with_query. Seethe section called “postgres Section” for details.

What Databases to Synchronize?#

databases_query returns the flat list of databases to manage. Thedatabases_query must return the default database as defined inPGDATABASE. When dropping roles,ldap2pg loops the databases list to reassign objects and clean GRANTs of the role to be dropped. This databases list also narrows the scope of GRANTs inspection.ldap2pg will revoke GRANTs only on these databases. Seethe section called “postgres Section” for details.

postgres:  databases_query: |    SELECT datname    FROM pg_catalog.pg_database    WHERE datallowconn IS TRUE;

Synchronize a Subset of Roles#

By default,ldap2pg manages all roles fromPostgres Pro, it has powers on, minus the default blacklist. If you wantldap2pg to synchronsize only a subset of roles, you need to customize inspection query inpostgres:managed_roles_query. The following query excludes superusers from synchronization.

postgres:  managed_roles_query: |    SELECT 'public'    UNION    SELECT rolname    FROM pg_catalog.pg_roles    WHERE rolsuper IS FALSE    ORDER BY 1;

ldap2pg will only drop, revoke, grant on roles returned by this query.

A common case for this query is to return only members of a group likeldap_roles. This way,ldap2pg is scoped to a subset of roles in the cluster.

Thepublic role does not exist in the system catalog. Thus if you wantldap2pg to managepublic privileges, you must include explicitlypublic in the set of managed roles. This is the default. Of course, even ifpublic is managed,ldap2pg won't drop or alter it if it's not in the directory.

A safety net to completely ignore some roles isroles_blacklist_query.

postgres:  roles_blacklist_query: [postgres, pg_*]  # This is the default.

Note

A pattern starting with a '*'must be quoted. Else you'll end up with a YAML error likefound undefined alias.

Inspecting Schemas#

For schema-wide privileges,ldap2pg needs to know managed schemas for each database. This is the purpose ofschemas_query.

Configuring Owners Default Privileges#

To configure default privileges, use thedefault keyword when referencing a privilege:

privileges:  reading:  - default: global    type: SELECT    on: TABLES

Then grant it usinggrant rule:

rules:- grant:  - privilege: reading    role: readers    schema: public    owner: ownerrole

You can use__auto__ as owner. For each schema,ldap2pg will configure every managed role havingCREATE privilege on schema.

rules:- grant:  - privilege: reading    role: readers    schema: public    owner __auto__

ldap2pg configures default privileges last, after all effective privileges. ThusCREATE on schema is granted beforeldap2pg inspects creators on schemas.

Static Queries#

You can replace all queries with astatic list in YAML. This list will be used as if returned byPostgres Pro. That's very handy to freeze a value like databases or schemas.

postgres:  databases_query: [postgres]  schemas_query: [public]

Managing Roles#

ldap2pg synchronizesPostgres Pro roles in three steps:

  1. Looprules and generate wanted roles list fromrole rules.

  2. InspectPostgres Pro for existing roles, their options and their membership.

  3. Compare the two roles sets and apply to thePostgres Pro cluster usingCREATE,DROP andALTER.

Eachrole entry inrules is a rule to generate zero or more roles with the corresponding parameters. Arole rule is like a template.role rules allow you to deduplicate membership and options by setting a list of names.

You can mix static rules and dynamic rules in the same file.

Running Unprivileged#

ldap2pg is designed to run unprivileged. Synchronization user needsCREATEROLE option to manage other unprivileged roles.CREATEDB options allow synchronization user to manage database owners.

ldap2pg user must havecreaterole_self_grant set toinherit,set to properly handle groups.

CREATE ROLEldap2pg LOGIN CREATEDB CREATEROLE;ALTER ROLEldap2pg SET createrole_self_grant TO 'inherit,set;

Running unprivileged beforePostgreSQL 16 is actually flawed. You'd better just runldap2pg with superuser privileges, you won't feel falsly secured.

Ignoring Roles#

ldap2pg totally ignores roles matching one of the global pattern defined inroles_blacklist_query:

    postgres:      # This is the default value.      roles_blacklist_query: [postgres, pg_*]

The role blacklist is also applied to grants.ldap2pg will never applygrant orrevoke on a role matching one of the blacklist patterns.

ldap2pg blacklists its running user.

Membership#

ldap2pg manages parents of roles.ldap2pg appliesroles_blacklist_query to parents. However,ldap2pg grants unmanaged parents. This way, you can create a group manually and manage its members usingldap2pg.

Querying Directory with LDAP#

ldap2pg reads LDAP searches inrules steps in theldapsearch entry.

A LDAP search isnot mandatory.ldap2pg can create roles defined statically from YAML. Each LDAP search is executed once and only once. There is neither loop nor deduplication of LDAP searches.

Tip

ldap2pg logs LDAP searches asldapsearch commands. Enable verbose messages to see them.

You can debug a failing search by copy-pasting the command in your shell and update parameters. Once you are okay, translate back the right parameters in the YAML.

Configuring Directory Access#

ldap2pg reads directory configuration fromldaprc file andLDAP* environment variables. Known LDAP options are:

  • BASE

  • BINDDN

  • PASSWORD

  • REFERRALS

  • SASL_AUTHCID

  • SASL_AUTHZID

  • SASL_MECH

  • TIMEOUT

  • TLS_REQCERT

  • NETWORK_TIMEOUT

  • URI

See ldap.conf(5) man page for the meaning and format of each options.

Injecting LDAP Attributes#

Several parameters accept LDAP attribute injection using curly braces. To do this, wrap attribute name with curly braces like{cn} or{sAMAccountName}.ldap2pg expands to each value of the attribute for each entries of the search.

If the parameter has multiple LDAP attributes,ldap2pg expands to all combinations of attributes for each entries.

Given the following LDAP entries:

dn: uid=dimitri,cn=Users,dc=bridoulou,dc=frobjectClass: inetOrgPersonuid: dimitrisn: Dimitricn: dimitrimail: dimitri@bridoulou.frcompany: externaldn: cn=domitille,cn=Users,dc=bridoulou,dc=frobjectClass: inetOrgPersonobjectClass: organizationalPersonobjectClass: personobjectClass: topcn: domitillesn: Domitillecompany: acmecompany: external

The format{company}_{cn} with the above LDAP entries generates the following strings:

  • acme_domitille

  • external_domitille

  • external_dimitri

The pseudo attributedn is always available and references the distinguished name (DN) of the original LDAP entry.

Accessing RDN and Sub-Search#

If an attribute type is DN, you can refer to a relative distinguished name (RDN) with a dot, like this:<attribute>.<rdn>. If an RDN has multiple values, only the first value is returned. There is no way to access other values.

For example, if a LDAP entry hasmember attribute with valuecn=toto,cn=Users,dc=bridoulou,dc=fr, the{member.cn} format will generatetoto. The{member.dc} format will generateldap. There is no way to accessacme andfr.

Known RDN arecn,l,st,o,ou,c,street,dc, anduid. Other attributes trigger a sub-search. The format{member.sAMAccountName} will issue a sub-search for allmember value as LDAP search base narrowed tosAMAccountName attribute.

LDAP Attribute Case#

When injecting a LDAP attribute with curly braces, you can control the case of the value using.lower() or.upper() methods.

- ldapsearch: ...  role: "{cn.lower()}"

Managing Privileges#

Managing privileges is tricky.ldap2pg tries to make this simpler and safer.

Basics#

The base design ofldap2pg is as follows. Instead of revoke-everything-regrant design,ldap2pg uses inspect-modify design. The process is the same as for roles synchronization, including the three following steps:

  1. Looprules and generate wanted grants set.

  2. InspectPostgres Pro cluster for granted privileges.

  3. Compare the two sets of grants and update thePostgres Pro cluster usinggrant,revoke.

ldap2pg represents privileges with these core objects:

  • Privilege: An action on an object. e.g.,CONNECT ON DATABASE.

  • grant: a privilege granted to a role on an object.

  • ACL: a list of grants.

  • profile: a list of privileges.

  • rule: a template to generate wanted grants.

ldap2pg.yml holds profiles and grant rule.ldap2pg synchronizes ACL one at a time, database by database.ldap2pg synchronizes default privileges last.

By default,ldap2pg does not manage any privileges. To enable privilege management, you must define at least one active profile inprivileges section. The simplest way is to reusebuilt-in privilege profiles shipped withldap2pg in an active custom profile.

Defining a Privilege Profile#

A privilege profile is a list of references to either a privilege type on an ACL or another profile.ldap2pg ships several predefined ACL likeDATABASE,LANGUAGE, etc. A privilege type isUSAGE,CONNECT and so on, as described inSection 5.8. Seeprivileges YAML section documentation for details on privilege profile format.

ldap2pg loads referenced ACL by inspectingPostgres Pro cluster with carefully crafted queries.ldap2pg inspects only ACL referenced in at least one profile. Inspected grants are supposed to revocation unless explicitly wanted by agrant rule.

Warning

If it's not granted, revoke it!

Once an ACL is inspected,ldap2pgrevokes all grants found inPostgres Pro instance and not required by agrant rule inrules.

Extended Intance Inspection#

When managing privileges,ldap2pg has deeper inspection ofPostgres Pro instance.ldap2pg inspects schemas after roles synchronization and before synchronizing privileges.ldap2pg inspects objects owner after privileges synchronization and before synchronizing default privileges. An object owner is a role havingCREATE privilege on the schema.

Granting Privilege Profile#

Inspecting millions of privileges may consume a lot of resources onPostgres Pro instance. Revoking privileges is known to be slow inPostgres Pro. The best practice is to grant privileges to a group role and let user inherit privileges. Withldap2pg, you can define static groups in YAML and inherit them when creating roles from directory.

Usegrant rule to grant a privilege profile to one or more roles. When granting privileges, you must define the grantee. You may scope the grant to one or more databases, one or more schemas. If the privilege profile includes default privileges, you may define the owners on which to configure default privileges.

By default, a grant applies to all managed databases as returned bydatabases_query, to all schemas of each database as returned byschemas_query.

Example#

The following example defines three privileges profile. Therules defines three groups and grant the corresponding privilege profile:

privileges:  reading:  - __connect__  - __usage_on_schemas__  - __select_on_tables__  writing:  - reading  # include reading privileges  - __insert_on_tables__  - __update_on_tables__  owning:  - writing  - __create_on_schemas__  - __truncate_on_tables__rules:- role:  - names:    - readers    - writers    - owners    options: NOLOGIN- grant:  - privilege: reading    role: readers  - privilege: writing    role: writers  - privilege: owning    role: owners

Another way of including reading profile in writing is to writers group to inherit readers group.

Managing Public Privileges#

Postgres Pro has a pseudo-role calledpublic. It's a wildcard role meaningevery users. All roles inPostgres Pro implicitly inherits from thispublic role. Granting a privilege topublic role grants to every roles now and in the future.

Postgres Pro also has thepublic schema. Thepublic schema is a real schema available in all databases.

Postgres Pro has some built-in privileges forpublic role. Especially for thepublic schema. For example,public hasCONNECT on all databases by default. This means that you only rely onpg_hba.conf to configure access to databases, which requires administrative access to the cluster and apg_reload_conf() call.

By default,ldap2pg includespublic role in managed roles. Predefined ACL knows how to inspect built-in privileges granted topublic. If you want to preservepublic role, rewritemanaged_roles_query to not includepublic.

Managing Default Privileges#

If you grantSELECT privileges on all tables in a schema to a role, this won't apply to new tables created afterward. Instead of reexecutingldap2pg after the creation of every objects,Postgres Pro provides a way to define default privileges for future objects.

Postgres Pro attaches default privileges to the creator role. When the role creates an object,Postgres Pro applies the corresponding default privileges to the new object. e.g.,ALTER DEFAULT PRIVILEGES FOR ROLE bob GRANT SELECT ON TABLES TO alice; ensures every new table bob creates will be selectable by alice:

Ifldap2pg creates and drops creator roles, you wantldap2pg to properly configure default privileges on these roles. If you wonder whether to manage privileges withldap2pg, you should at least manage default privileges along creator.

ldap2pg inspects the creators fromPostgres Pro, per schemas, not LDAP directory. A creator is a role withLOGIN option andCREATE privilege on a schema. You can manually set the target owner of a grant to any managed roles.

ldap2pg does not configure privileges on__all__ schemas. You are supposed to useGLOBAL DEFAULT ACL instead. If you want to grant/revoke default privilege per schema, you must referenceSCHEMA DEFAULT ACL.

The following example configures default privileges for alice to allow bob to SELECT on future tables created by alice.

privileges:  reading:  - type: SELECT    on: SCHEMA DEFAULT    object: TABLES  owning:  - type: CREATE    on: SCHEMASrules:- roles:    names:    - alice    - bob    options: LOGIN- grant:    privilege: owning    role: alice- grant:    privilege: reading    role: bob

Postgres Pro has hard-wired global default privileges. If a role does not have global default privileges configured,Postgres Pro assumes some defaults. By default,Postgres Pro just grants privileges on owner. You can see them once you modify the default privileges.Postgres Pro will copy the hard-wired values along with your granted privileges.

If you don't explicitly re-grant these privileges inldap2pg.yml,ldap2pg will revoke these hard-wired privileges. Actually, an owner of table don't need to be granted SELECT on its own tables. Thus, the hard-wired defaults are useless. You can letldap2pg purge these useless defaults.

Built-in Privileges#

ldap2pg provides some built-in ACLs and predefined privilege profiles for recurrent usage. There isno warranty on these privileges. You have to check privileges configuration on your databases just like you should do with your own code.

Using Predefined Privilege Profiles#

A privilege profile is a list of references to a privilege type in an ACL. Inldap2pg, an ACL is a set of queries to inspect, grant revoke privilege on a class of objects. The inspect query expandsaclitemPostgres Pro type to list all grants from system catalog. Privilege profile can include another profile.

Built-in privilege profile starts and ends with__.ldap2pgdisables privilege profile starting with_. Thus you have to include built-in privileges profile in another profile to enable them. If two profiles reference the same privilege,ldap2pg will inspect it once.

privileges:  ro:  - __connect__  - __usage_on_schemas__  - __select_on_tables__  rw:  - ro  - __insert__  ddl:  - rw  - __all_on_schemas__rules:- grant:    privilege: ddl    database: mydb    role: admins

Built-in profile's name follows the loose convention below:

  • ..._on_all_tables__ referencesALL TABLES IN SCHEMA ACL. Likewise for sequences and functions.

  • __default_...__ references both global and schema-wide default privileges.

  • __..._on_tables__ groups__..._on_all_tables__ and__default_..._on_tables__.

  • Group starting with__all_on_...__ isequivalent toALL PRIVILEGES in SQL. However, each privilege will be granted individually.

  • A privilege specific to one object type does not have_on_<type> suffix. E.g.,__delete_on_tables__ is an alias of__delete__.

This page does not document the SQL standard and the meaning of each SQL privileges. You will find information on SQL privileges inGRANT documentation andALTER DEFAULT PRIVILEGES documentation.

ACL Reference#

Here is the list of built-in ACLs.

For effective privileges:

DATABASE

Privilege on database likeCONNECT,CREATE, etc.

SCHEMA

ManageUSAGE andCREATE on schema.

LANGUAGE

ManageUSAGE on procedural languages.

ALL FUNCTIONS IN SCHEMA

ManageEXECUTE on all functions per schema.

ALL SEQUENCES IN SCHEMA

Like above but for sequences.

ALL TABLES IN SCHEMA

Like above but for tables and views.

GLOBAL DEFAULT

Manage default privileges on database.

SCHEMA DEFAULT

Manage default privileges per schema.

ALL ... IN SCHEMA ACL inspects whether a privilege is granted to only a subset of objects. This is apartial grant. A partial grant is either revoked if unwanted or re-granted if expected.

You can reference these ACLs usingprivileges: on parameter in YAML. Like this:

privileges:  myprofile:  - type: SELECT    on: ALL TABLES IN SCHEMA

Default privileges reference a privilege type and a class of objects.ldap2pg inspects default privileges for the following object classes:

  • SEQUENCES

  • FUNCTIONS

  • TABLES

You must reference object class in privilege profile usingobject parameter in YAML.

You cannot configure custom ACL (yet).

Profiles Reference#

Profile__all_on_functions__#

__execute_on_functions__

Profile__all_on_schemas__#
Profile__all_on_sequences__#
Profile__all_on_tables__#
Profile__delete_on_tables__#
Profile__execute_on_functions__#
Profile__insert_on_tables__#
Profile__references_on_tables__#
Profile__select_on_sequences__#
Profile__select_on_tables__#
Profile__trigger_on_tables__#
Profile__truncate_on_tables__#
Profile__update_on_sequences__#
Profile__update_on_tables__#
Profile__usage_on_sequences__#

Privileges Reference#

Here is the list of predefined privileges:

Name Manages
__connect__CONNECT ON DATABASE
__create_on_schemas__CREATE ON SCHEMA
__delete_on_all_tables__DELETE ON ALL TABLES IN SCHEMA
__execute_on_all_functions__EXECUTE ON ALL FUNCTIONS IN SCHEMA
__insert_on_all_tables__INSERT ON ALL TABLES IN SCHEMA
__references_on_all_tables__REFERENCES ON ALL TABLES IN SCHEMA
__select_on_all_sequences__SELECT ON ALL SEQUENCES IN SCHEMA
__select_on_all_tables__SELECT ON ALL TABLES IN SCHEMA
TEMPORARY ON DATABASE
__trigger_on_all_tables__TRIGGER ON ALL TABLES IN SCHEMA
__truncate_on_all_tables__TRUNCATE ON ALL TABLES IN SCHEMA
__update_on_all_sequences__UPDATE ON ALL SEQUENCES IN SCHEMA
__update_on_all_tables__UPDATE ON ALL TABLES IN SCHEMA
__usage_on_all_sequences__USAGE ON ALL SEQUENCES IN SCHEMA
__usage_on_schemas__USAGE ON SCHEMA

Default Privileges Reference#

Here is the list of predefined default privileges. Default privilege profile references both global and schema defaults.

Name Manages
__default_delete_on_tables__DELETE ON TABLES
__default_execute_on_functions__EXECUTE ON FUNCTIONS
__default_insert_on_tables__INSERT ON TABLES
__default_references_on_tables__REFERENCES ON TABLES
__default_select_on_sequences__SELECT ON SEQUENCES
__default_select_on_tables__SELECT ON TABLES
__default_trigger_on_tables__TRIGGER ON TABLES
__default_truncate_on_tables__TRUNCATE ON TABLES
__default_update_on_sequences__UPDATE ON SEQUENCES
__default_update_on_tables__UPDATE ON TABLES
__default_usage_on_sequences__USAGE ON SEQUENCES

Usage Recipes#

In this section, you'll find some recipes for various use cases ofldap2pg.

Configurepg_hba.conf with LDAP#

ldap2pg doesNOT configurePostgres Pro for you. You should carefully readSection 19.10 for this point. HavingPostgres Pro properly configuredbefore writingldap2pg.yaml is a good start. Here is the steps to setupPostgres Pro with LDAP in the best order:

  1. Write the LDAP search and test it withldapsearch(1). This way, you can also check how you connect to your LDAP directory.

  2. InPostgres Pro cluster,manually create a single role having its password in LDAP directory.

  3. Editpg_hba.conf followingSection 19.10 until you can effectively login with the single role and the password from LDAP.

Once you have LDAP authentication configured inPostgres Pro cluster, you can move to automate role creation from the LDAP directory usingldap2pg:

  1. Write a simpleldap2pg.yaml with only one LDAP search just to setupldap2pg connection parameters forPostgres Pro and LDAP connection.ldap2pg always runs in dry mode by default, so you can safely loopldap2pg execution until you get it right.

  2. Then, completeldap2pg.yaml to fit your needs followingthe section called “Command-Line Reference”. Runldap2pg for real and check thatldap2pg maintain your single test role, and that you can still connect to the cluster with it.

  3. Finally, you must decide when and how you want to trigger synchronization: a regular cron tab/anAnsible task/manually/ other. Ensureldap2pg execution is frequent, on purpose and notified.

Search LDAP Directory#

The first step is to search your LDAP server withldapsearch(1), the command-line interface tool fromOpenLDAP. Like this:

$ ldapsearch -H ldaps://ldap.ldap2pg.docker -U testsasl -WEnter LDAP Password:SASL/DIGEST-MD5 authentication startedSASL username: testsaslSASL SSF: 128SASL data security layer installed.# extended LDIF## LDAPv3...# search resultsearch: 4result: 0 Success# numResponses: 16# numEntries: 15$

Now save the settings inldaprc:

LDAPURI ldaps://ldap.ldap2pg.dockerLDAPSASL_AUTHCID testsasl

And in environment:LDAPPASSWORD=secret

Next, update yourldapsearch to properly match role entries in LDAP server:

$ ldapsearch -H ldaps://ldap.ldap2pg.docker -U testsasl -W -b cn=dba,ou=groups,dc=ldap,dc=ldap2pg,dc=docker '' member...# dba, groups, ldap.ldap2pg.dockerdn: cn=dba,ou=groups,dc=ldap,dc=ldap2pg,dc=dockermember: cn=Alan,ou=people,dc=ldap,dc=ldap2pg,dc=dockermember: cn=albert,ou=people,dc=ldap,dc=ldap2pg,dc=dockermember: cn=ALICE,ou=people,dc=ldap,dc=ldap2pg,dc=docker# search resultsearch: 4result: 0 Success...$

Now translate the query inldap2pg.yaml and associate a role mapping to produce roles from each values of each entries returned by the LDAP search:

- ldapsearch:    base: cn=dba,ou=groups,dc=ldap,dc=ldap2pg,dc=docker  role:    name: '{member.cn}'    options: LOGIN SUPERUSER

Test it:

$ ldap2pg...Querying LDAP cn=dba,ou=groups,dc=ldap,dc=ldap2pg,dc=docker...Would create alan.Would create albert.Would update options of alice....Comparison complete.$

Read further on how to control role creation from LDAP entry inConfiguration. Once you're satisfied with the comparison output, go real with--real.

Using LDAP High-Availability#

ldap2pg supports LDAP high availability out of the box just like anyOpenLDAP client. Use a space-separated list of URIs to tell all servers.

$ LDAPURI="ldaps://ldap1 ldaps://ldap2" ldap2pg

See ldap.conf(5) for further details.

Running as Non-Superuser#

SincePostgres Pro> provides aCREATEROLE role option, you can manage roles without superuser privileges. Security-wise, it's a good idea to manage roles without superuser privileges.

Warning

Up toPostgres Pro 15, havingCREATEROLE is roughly equivalent to being superuser. This becauseCREATEROLE user can grant themselves almost every privileges. Thusldap2pg supports running unprivileged againstPostgres Pro 16 and later only.

ldap2pg supports this case. However, you must be careful about the limitations. Let's call the non-superuser role creating other rolescreator.

  • You can't manage some roles options likeSUPERUSER,BYPASSRLS andREPLICATION. Thus you won't be able to detect spurious superusers.

  • Ensurecreator can revoke all grants of managed users.

Removing All Roles#

If ever you want to clean all roles in aPostgres Pro cluster,ldap2pg could be helpful. You must explicitly define emptyrules.

$ echo '{version: 6, rules: []}' | ldap2pg --config -...Empty synchronization map. All roles will be dropped!...

In this example, default blacklist applies.ldap2pg never drops its connection role.

ldap2pg asDocker Container#

We assume that you are already familiar withDocker and willing to save the setup time.

To run the container simply use the command:

$ docker run --rm dalibo/ldap2pg --help

TheDocker image ofldap2pg uses the same configuration options as explained in theCommand-Line Interface andldap2pg.yml sections. You can mount theldap2pg.yml configuration file.

$ docker run --rm -v ${PWD}/ldap2pg.yml:/workspace/ldap2pg.yml dalibo/ldap2pg

You can also export some environmnent variables with the-e option:

$ docker run --rm -v ${PWD}/ldap2pg.yml:/workspace/ldap2pg.yml -e PGDSN=postgres://postgres@localhost:5432/ -e LDAPURI=ldaps://localhost -e LDAPBINDDN=cn=you,dc=entreprise,dc=fr -e LDAPPASSWORD=pasglop dalibo/ldap2pg

Make sure your container can resolve the hostname you are pointing to. If you use some internal name resolution, be sure to add the-dns= option to your command pointing to your internal DNS server. You can also find more informationhere.

Custom ACL#

ldap2pg comes with built-in ACLs for common objects likeDATABASE,SCHEMA,TABLE,FUNCTION, etc.Postgres Pro has a lot of other objects likeFOREIGN DATA WRAPPER,FOREIGN SERVER,FOREIGN TABLE,TYPE, etc. You may also want to manage custom ACL or something else. Writing a custom ACL should help you get the job done.

Note

Writing a custom ACL is quite advanced. You should be familiar withPostgres Pro ACLs andldap2pg configuration. Ensure you have readManaging Privileges andldap2pg.yml File Reference sections, have a good understanding ofPostgres Pro ACL documentation and have successfully synchronized privileges withldap2pg.

Define custom ACL in YAML configuration file.

Use Case#

Say you have a customenum typemyenum in your database.

CREATE TYPE public.myenum AS ENUM ('toto', 'titi', 'tata');

We want to manage privileges on this object, eventually other types, with a custom ACL.

Naming#

Name your ACL after the keyword inGRANT orREVOKE statement. FromGRANT USAGE ON TYPE mytype TO myrole, name your ACLTYPE.

acls:  TYPE:    ...

Scope#

Postgres Pro defines user types per schema. Since we'll hardcode the schema, we will scope our ACL to database.

acls:  TYPE:    scope: database

Grant and Revoke#

WritingGRANT andREVOKE statements is the easiest part. Seegrant for details on query format. We'll use theobject field of grant to store the name of the type. Public schema is hardcoded, as explained above.

acls:  TYPE:    scope: database    grant: GRANT <privilege> ON TYPE public.<object> TO <grantee>;    revoke: REVOKE <privilege> ON TYPE public.<object> FROM <grantee>;

Inspect#

The inspect query is the most difficult part. You need to masteraclitem,aclexplode andacldefaultPostgres Pro system built-ins. The signature of the inspect query depends on the scope of the ACL.

Forinstance scope:

  • type: a string describing privilege type as SQL keyword.

  • object: a string describing object name as SQL identifier.

  • grantee: a string describing role name as SQL identifier.

Fordatabase scope:

  • type: a string describing privilege type as SQL keyword.

  • object: a string describing object name as SQL identifier.

  • grantee: a string describing role name as SQL identifier.

  • partial: a boolean indicating if the grant is partial.

partial tellsldap2pg to re-grantALL ... IN SCHEMA privileges. Since our ACL is handling one object at a time,partial will always befalse.

ldap2pg sends a single parameter to inspect query: the effective list of privilege types managed by the configuration. This list is an array of text.ldap2pg expects query to filter other privileges out of the list.

ForTYPE ACL, we will inspect privileges onpg_type system catalog.

acls:  TYPE:    scope: database    grant: GRANT <privilege> ON <acl> public.<object> TO <grantee>;    revoke: REVOKE <privilege> ON <acl> public.<object> FROM <grantee>;    inspect: |      WITH grants AS (        SELECT typname,               (aclexplode(COALESCE(typacl, acldefault('T', typowner)))).privilege_type AS priv,               (aclexplode(COALESCE(typacl, acldefault('T', typowner)))).grantee::regrole::text AS grantee          FROM pg_catalog.pg_type        WHERE typnamespace::regnamespace = 'public'::regnamespace          AND typtype <> 'b'  -- exclude base type.      )      SELECT grants.priv AS "privilege",            grants.typname AS "object",            CASE grants.grantee WHEN '-' THEN 'public' ELSE grants.grantee END AS grantee,            FALSE AS partial        FROM grants      WHERE "priv" = ANY ($1)      ORDER BY 2, 3, 1      ;

As you see, it's not an easy query. This query works onPostgres Pro 17.

Usage#

You can now use your custom ACL in a profile. Reference object in profile, not in grant rule.

privileges:  custom:  - type: USAGE    on: TYPE    object: myenumrules:- roles:    names:    - alice  grant:    privilege: custom    role: alice

You must reference all types manually in the profile. Executingldap2pg should produce changes in your database:

$ ldap2pg...16:52:02 CHANGE Would Revoke privileges.                         grant="USAGE ON TYPE myenum TO public" database=db016:52:02 CHANGE Would Grant privileges.                          grant="USAGE ON TYPE myenum TO alice" database=db016:52:02 INFO   Comparison complete.                             searches=0 roles=1 queries=5 grants=116:52:02 INFO   Use --real option to apply changes.16:52:02 INFO   Done.                                            elapsed=44.345229ms mempeak=1.6MiB ldap=0s inspect=28.992071ms sync=0s

That's it.

Debugging#

If you encounter problem, isolate the issue. Reduce the configuration to your custom ACL. Synchronize a single role, grant to it. Avoid LDAP searches, use only static rules. Synchronize a single database. Enable debug messages with--verbose option.

ldap2pg works database per database then ACL per ACL. The messages for each ACL are as follow:

First line about your ACL hasacl=TYPE record attribute.

    17:13:35 DEBUG  Inspecting grants.                               acl=TYPE scope=database database=db0

Then you have messages for inspection: query and arguments. For each grant returned, aFound grant. message appears.

17:13:35 DEBUG  Executing SQL query:WITH grants AS (...WHERE "priv" = ANY ($1)ORDER BY 2, 3, 1; arg=[USAGE]17:13:35 DEBUG  Found grant in Postgres instance.                grant="USAGE ON TYPE myenum TO public" database=db0

Then,ldap2pg expands grants generated by rule. For each grant generated, aWants grant. message is printed.

17:13:35 DEBUG  Wants grant.                                     grant="USAGE ON TYPE myenum TO alice" database=db0

Finally,ldap2pg prints changes it would apply.

17:13:35 CHANGE Would Revoke privileges.                         grant="USAGE ON TYPE myenum TO public" database=db017:13:35 DEBUG  Would Execute SQL query:REVOKE USAGE ON TYPE public."myenum" FROM "public";17:13:35 CHANGE Would Grant privileges.                          grant="USAGE ON TYPE myenum TO alice" database=db017:13:35 DEBUG  Would Execute SQL query:GRANT USAGE ON TYPE public."myenum" TO "alice";

At the end,ldap2pg prints a conclusion message, even if no changes are required.

17:13:35 DEBUG  Privileges synchronized.                         acl=TYPE database=db0
Prev Up Next
I.2. Third-Party Client Applications Home pgbadger
epubpdf
Go to Postgres Pro Standard 17
By continuing to browse this website, you agree to the use of cookies. Go toPrivacy Policy.
[8]ページ先頭
©2009-2025 Movatter.jp