/usr/share/doc/refdb/refdb-manual/ch05s03.html is in refdb-doc 1.0.2-3.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>Add or remove a user</title><link rel="stylesheet" type="text/css" href="manual.css" /><meta name="generator" content="DocBook XSL Stylesheets V1.78.1" /><link rel="home" href="index.html" title="RefDB handbook" /><link rel="up" href="ch05.html" title="Chapter 5. refdbd administration" /><link rel="prev" href="ch05s02.html" title="Delete a database" /><link rel="next" href="ch05s04.html" title="Configure the application server" /></head><body><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Add or remove a user</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="ch05s02.html">Prev</a> </td><th width="60%" align="center">Chapter 5. refdbd administration</th><td width="20%" align="right"> <a accesskey="n" href="ch05s04.html">Next</a></td></tr></table><hr /></div><div class="sect1"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="sect1-add-user"></a>Add or remove a user</h2></div></div></div><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a id="sect2-add-users-to-db"></a>Add users</h3></div></div></div><p>Adding a user means to allow a user, identified by a database user name and optionally by a password, to read and to modify a particular refdb database.</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>Both the database user name and the database password may be different from the login name and login password used to get access to the operating system. </p><p>Some database engines like SQLite do not support access control. 
There is no need to add or remove users with these database engines.</p></div><p>refdb uses the access control facilities of the database server. Therefore, the details of adding a user differ slightly between MySQL and PostgreSQL. In any case, refdb is designed to simplify user management as far as possible. This is mainly achieved by combining the information necessary to authenticate a user and the information necessary to grant access to specific database objects into a single command, the <a class="link" href="re06.html#app-a-command-adduser" title="adduser"><span class="command"><strong>adduser</strong></span></a> command of refdba. This command also silently takes care of the fact that users need access to an internal refdb database in addition to the specified reference database.</p><p>Database servers use the username, optionally a password, and the host a user tries to connect from to authenticate a user. From the database server's point of view, refdbd is the database client that actually connects to the server, not the refdb clients refdba, refdbc, and refdbib. Database servers usually distinguish between local connections (i.e. by users logged into the same computer) and remote connections (i.e. all connections via TCP/IP). If both refdbd and your database server run on the same computer, all connections will be local and the host-based access control is fairly simple, as both MySQL and PostgreSQL allow local connections by default. All you need to do is:</p><pre class="screen"><code class="prompt">refdba: </code>adduser -d foo jack -W newpass</pre><p>This will allow the new user "jack" to connect to the database server and to access the contents of the database "foo". "jack" has to identify himself by providing the password "newpass" when starting a refdb client.</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>If a user is already known to the database server, e.g. 
if he already has access to a different database, you don't have to specify the password again. If you <span class="emphasis"><em>do</em></span> provide a password, the password of that particular user will be changed to the new one.</p></div><p>Things get a tad more complicated if refdbd and your database server do not run on the same computer. As this is where MySQL and PostgreSQL differ, we'll look at these two cases separately.</p><div class="sect3"><div class="titlepage"><div><div><h4 class="title"><a id="idp66456768"></a>MySQL</h4></div></div></div><p>On many operating system distributions, MySQL is configured to accept only local connections. Either the mysqld process is started with the <code class="option">--skip-networking</code> option, or the <code class="filename">my.cnf</code> configuration file contains the corresponding option <code class="option">skip-networking</code>. To allow remote connections, remove these options from your system.</p><p>MySQL lets you alter the host-based component of access control through the SQL interface. The <span class="command"><strong>adduser</strong></span> command has an additional option <code class="option">-H</code> to specify the host or the network where refdbd runs:</p><pre class="screen"><code class="prompt">refdba: </code>adduser -d foo -H % jack -W newpass</pre><p>In this example, refdbd may run on any host. You can also specify a subnet (-H 192.168.1.%) or one specific host (-H mono.mycomp.com).</p></div><div class="sect3"><div class="titlepage"><div><div><h4 class="title"><a id="idp66463376"></a>PostgreSQL</h4></div></div></div><p>By default, PostgreSQL will accept only local connections. To allow remote connections, the postmaster process must be started with the <code class="option">-i</code> option. Change your start scripts accordingly.</p><p>The host-based component of access control is not available through the SQL interface in this database server. 
The <code class="option">-H</code> option of the <span class="command"><strong>adduser</strong></span> command is therefore ignored. Instead the database administrator has to edit the configuration file <code class="filename">/home/pgsql/data/pg_hba.conf</code>. The following entries would:</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>Allow local access (i.e. refdbd and postmaster run on the same computer) to the databases refs and refdb. The latter is an internal refdb database that users must be able to access. Users must provide a password.</p></li><li class="listitem"><p>Allow access to the databases refs and refdb through refdbd instances that run somewhere in the network "192.168.1.0". Users must provide a password.</p></li></ul></div><pre class="programlisting"># host DBNAME IP_ADDRESS ADDRESS_MASK AUTH_TYPE [AUTH_ARGUMENT]
local refdb crypt
local refs crypt
host refdb 192.168.1.0 255.255.255.0 crypt
host refs 192.168.1.0 255.255.255.0 crypt
</pre><p>The default <code class="filename">pg_hba.conf</code> file allows local access to all databases without password protection. This may not be what you want. The file itself contains helpful comments, though. You may also want to peruse the PostgreSQL documentation for more information about host-based access control.</p></div></div><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a id="idp66885616"></a>Remove users</h3></div></div></div><p>This is done with the <a class="link" href="re06.html#app-a-command-deleteuser" title="deleteuser">deleteuser</a> command. The access rights will be revoked for the specified username and database. No other access rights will be modified. The following command will revoke the access rights of user "jack" on the database "foo".</p><pre class="screen"><code class="prompt">refdba: </code>deleteuser -d foo jack</pre><p>Keep in mind that user "jack" can still access the refdb main database <code class="filename">refdb</code> and any other databases he was granted access to.</p><p>If you use MySQL as your database server and refdbd runs on a different box than mysqld, you also have to specify the host or network with the <code class="option">-H</code> option, just like when you added the user in the first place. 
See the <a class="link" href="ch05s03.html#sect2-add-users-to-db" title="Add users">Add users</a> section for the specifics.</p></div></div><div class="navfooter"><hr /><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="ch05s02.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="ch05.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="ch05s04.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Delete a database </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Configure the application server</td></tr></table></div></body></html>
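An added check, not part of RefDB or its handbook, for the pg_hba.conf entries shown in the Add users section above: the script parses entries in the layout the handbook uses (no USER column) and flags what the text warns about, the default password-less `trust` access and rules whose address mask admits any host. The sample configuration is constructed; `crypt` and `password` are the methods current when this handbook was written, and later PostgreSQL releases dropped `crypt` in favour of `md5` and `scram-sha-256`.

```python
import ipaddress

# Constructed sample in the layout the handbook shows (no USER column):
#   local DBNAME AUTH_TYPE
#   host  DBNAME IP_ADDRESS ADDRESS_MASK AUTH_TYPE
SAMPLE_PG_HBA = """\
# host DBNAME IP_ADDRESS ADDRESS_MASK AUTH_TYPE [AUTH_ARGUMENT]
local all trust
local refdb crypt
local refs crypt
host refdb 192.168.1.0 255.255.255.0 crypt
host refs 0.0.0.0 0.0.0.0 password
"""

# Methods that either skip the password or protect it poorly on the wire.
WEAK_METHODS = {
    "trust": "no password required",
    "password": "password sent in cleartext",
    "crypt": "obsolete crypt() hashing",
}

def parse_pg_hba(text):
    """Yield (line_no, kind, database, network_or_None, method) per rule."""
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        f = line.split()
        if f[0] == "local" and len(f) == 3:
            yield no, "local", f[1], None, f[2]
        elif f[0] == "host" and len(f) == 5:
            # ip_network accepts dotted-quad masks, so 0.0.0.0/0.0.0.0 -> /0
            net = ipaddress.ip_network(f"{f[2]}/{f[3]}", strict=False)
            yield no, "host", f[1], net, f[4]
        else:
            raise ValueError(f"line {no}: unrecognised entry {raw!r}")

def audit_pg_hba(text):
    """Return [(line_no, finding)] for rules an administrator should review."""
    findings = []
    for no, kind, db, net, method in parse_pg_hba(text):
        if method in WEAK_METHODS:
            findings.append((no, f"{kind} {db}: {WEAK_METHODS[method]}"))
        if db == "all":
            findings.append((no, f"{kind} all: matches every database, "
                                 "including refdb's internal one"))
        if net is not None and net.prefixlen == 0:
            findings.append((no, f"host {db}: mask admits any source host"))
    return findings
```

Running `audit_pg_hba(SAMPLE_PG_HBA)` reports the `local all trust` line twice (weak method and catch-all database) and the `0.0.0.0` host rule for both cleartext passwords and an unrestricted mask.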