Re: Can Pg somehow recognize/honor linux groups to control user access ?

From Tim Cross
Subject Re: Can Pg somehow recognize/honor linux groups to control user access ?
Date
Msg-id 87efeq59nh.fsf@gmail.com
In reply to Re: Can Pg somehow recognize/honor linux groups to control user access ?  (Dimitri Maziuk <dmaziuk@bmrb.wisc.edu>)
Responses Re: Can Pg somehow recognize/honor linux groups to control user access ?  (Dimitri Maziuk <dmaziuk@bmrb.wisc.edu>)
List pgsql-general
Dimitri Maziuk <dmaziuk@bmrb.wisc.edu> writes:

> On 08/22/2018 11:38 AM, Ravi Krishna wrote:
>>
>> In fact DBAs don't even need to get involved when a new user needs DB access.  Sysadmin had to just add that user in
>> a group and we are done.
>
> How is that different from giving your grants to a database role and
> just telling the new user the name and password of that role to connect as?

I hope you're not suggesting that multiple users use the same login
credentials to access the database? This would totally destroy the
important security principles of attribution and repudiation.

I have not looked at PAM for PG, but that is certainly something worth
checking out. I have used it in other contexts and it is very
powerful. Depending on the implementation, theoretically, it should be
possible to have PAM provide the information to determine what database
roles to give to a login. What you will probably need is some additional
component to act as the 'meta-directory' so that you can have consistent
usernames, uid/gid across servers/systems (i.e. ldap/ad).

Something else to look at is openLDAP. Again, not yet looked at it in
the PG context, but have used it successfully to manage access to other
systems (including databases in other RDBMS) before. Currently, we use
openLDAP and PAM to manage access on Linux servers. One of the things on
my 'todo' list is to look at it in a PG context, just haven't got there
yet.

Avoid any solution which requires a 'generic' account with shared
passwords. Apart from the security implications, you will almost
certainly run into problems with auditors and many regulatory
standards. 

--
Tim Cross
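
An added illustration, not part of Tim Cross's message or of PostgreSQL itself: one way to keep per-person logins while still driving access from a Linux group is to reconcile the group's member list against a NOLOGIN group role and emit the SQL needed. The names `plan_role_sync`, `dbusers` and `app_readwrite` are hypothetical, and the sample group line is constructed.

```python
import re

# Conservative pattern for account names; entries that do not match are
# skipped instead of being passed into SQL.
SAFE_NAME = re.compile(r"[a-z_][a-z0-9_-]{0,62}")

def quote_ident(name):
    """Quote a PostgreSQL identifier, doubling embedded double quotes."""
    return '"' + name.replace('"', '""') + '"'

def parse_group_line(line):
    """Parse one group(5) line, name:passwd:gid:member,member (the format
    `getent group NAME` prints). Users who have the group only as their
    primary group are not listed there."""
    name, _passwd, _gid, members = line.strip().split(":", 3)
    return name, {m for m in members.split(",") if m}

def plan_role_sync(group_line, group_role, current_members, existing_logins):
    """Return SQL making membership of group_role match the Linux group.

    Every person gets an individual LOGIN role with no password in the
    database (authentication is left to pg_hba.conf, e.g. pam or ldap);
    privileges are granted only to the NOLOGIN group role.
    """
    _name, listed = parse_group_line(group_line)
    wanted = {m for m in listed if SAFE_NAME.fullmatch(m)}
    role = quote_ident(group_role)
    stmts = []
    for user in sorted(wanted - existing_logins):
        stmts.append(f"CREATE ROLE {quote_ident(user)} LOGIN INHERIT;")
    for user in sorted(wanted - current_members):
        stmts.append(f"GRANT {role} TO {quote_ident(user)};")
    for user in sorted(current_members - wanted):
        stmts.append(f"REVOKE {role} FROM {quote_ident(user)};")
    return stmts

# Constructed sample: one well-formed line plus one malformed member name.
SAMPLE_GROUP_LINE = 'dbusers:x:1005:alice,bob,bad"name'

if __name__ == "__main__":
    for stmt in plan_role_sync(SAMPLE_GROUP_LINE, "app_readwrite",
                               current_members={"bob", "carol"},
                               existing_logins={"bob", "carol"}):
        print(stmt)
```

Because each session still connects as an individual role, database logs keep naming the person, while grants are managed once on the group role.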

