Re: Blocking access by remote users for a specific time period

Wouldn't it be a lot easier to set the database logins for those user accounts to zero allowed connections, then
terminatetheir existing sessions, rather than mess with pg_hba.conf? 

You could schedule a cron job to run a query to make the change to the user, then later the same to undo the change.

Scot Kreienkamp

-----Original Message-----
From: pgsql-general-owner@postgresql.org [mailto:pgsql-general-owner@postgresql.org] On Behalf Of Steve Atkins
Sent: Sunday, December 14, 2014 1:02 PM
To: pgsql-general@postgresql.org
Subject: Re: [GENERAL] Blocking access by remote users for a specific time period


On Dec 13, 2014, at 10:38 PM, Michael Nolan <htfoot@gmail.com> wrote:

> Yeah, a cron job to swap pg_hba.conf files is the best solution I've come up with so far.  It's not one web app, it's
closerto two dozen of them, on multiple sites. 

If they use persistent connections you'll also have to kill existing connections after you've prevented new connections
viapg_hba.conf 

This ...

psql -q -c 'select application_name as "Client", procpid as "PID", pg_terminate_backend(procpid) as "Disconnected" from
pg_stat_activitywhere procpid <> pg_backend_pid()' database_name 

... will kill all connections to the server. You can use application_name, client_addr, datname or usename to be more
selectiveabout who lives and who dies. 

Cheers,
  Steve

> --
> Mike Nolan
>
> On Sat, Dec 13, 2014 at 11:10 PM, Adrian Klaver <adrian.klaver@aklaver.com> wrote:
> On 12/13/2014 08:13 PM, Michael Nolan wrote:
> I have several web apps that access our Postgresql database that I'd
> like to lock out of the database for about an hour during a weekly
> maintenance interval. (There are some internal users that do not get
> locked out, because they're running the maintenance tasks.)
>
> There are no time-of-day access limitation parameters in the
> pg_hba.conf file, are there any simple ways to do this?
>
> Use a cron job that at beginning of period swaps out the pg_hba.conf with one that denies access, reloads server and
thenat end of time period reverse procedure ? 
>
> --
> Mike Nolan
>
>
> --
> Adrian Klaver
> adrian.klaver@aklaver.com



--
Sent via pgsql-general mailing list (pgsql-general@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general



This message is intended only for the individual or entity to which it is addressed. It may contain privileged,
confidentialinformation which is exempt from disclosure under applicable laws. If you are not the intended recipient,
pleasenote that you are strictly prohibited from disseminating or distributing this information (other than to the
intendedrecipient) or copying this information. If you have received this communication in error, please notify us
immediatelyby e-mail or by telephone at the above number. Thank you.