postgres: Grant access to my windows user - node.js

I am trying to setup a local database in a windows 10 computer, and grant access to my local windows-user. But when I try to access the database through my node-application I get the following error-message: error: password authentication failed for user "windowsuser" using the following db-url: postgres://localhost:5432/testdb
I am using the module "pg" to connect to the database, and everything works when I specify a username and password in the URL - but I want to connect using my windows credentials.
I have setup a superuser with the same name as my windowsuser:
CREATE ROLE windowsuser LOGIN
SUPERUSER INHERIT CREATEDB CREATEROLE NOREPLICATION;
And setup a database windowsuser as owner:
CREATE DATABASE testdb
WITH OWNER = windowsuser
ENCODING = 'UTF8'
TABLESPACE = pg_default
LC_COLLATE = ''
LC_CTYPE = ''
CONNECTION LIMIT = -1;
GRANT ALL ON DATABASE testdb TO windowsuser;
The windows user has no password, and I want to be able to just login with the current system user. Am I missing something essential here to get proper access?

I believe you cannot simply authenticate without a password. Have a look at the PostgreSQL doc here:
PostgreSQL: Documentation: 9.4: Authentication Methods
You will need to setup "Trust Authentication" instead of "Password Authentication".
19.3.2. Password Authentication
"PostgreSQL database passwords are separate from operating system user passwords. The password for each database user is stored in the pg_authid system catalog. Passwords can be managed with the SQL commands CREATE USER and ALTER ROLE, e.g., CREATE USER foo WITH PASSWORD 'secret'. If no password has been set up for a user, the stored password is null and password authentication will always fail for that user."
Is there a specific reason why you are opting to use a Windows system account, as well as no password?

Related

Hide OracleDatabase credentials in Node.js

I'm connecting to an external Oracle Database with the example function that can be found here
const oracledb = require('oracledb');
const connection = await oracledb.getConnection(
{
user : "hr",
password : mypw, // mypw contains the hr schema password
connectString : "mydbmachine.example.com/orclpdb1"
}
);
So, as you can see, my credentials would be 'exposed' to everyone who can access the code (maybe github repository or something).
Is there any way of hiding my username and password or making them confidential, or I just shouldn't worry about it?
Note: I'm using the oracledb node module
You could use .env, and access to it with process.env.
check here: https://nodejs.org/dist/latest-v8.x/docs/api/process.html#process_process_env
Store your database secrets encrypted in Secrets Manager or Parameter Store and have your app read them at runtime. Be sure to update the IAM role that your app uses so that it has IAM permissions to retrieve the credentials.
Note: for certain databases, Secrets Manager supports auto-rotation of credentials.
Choices include:
prompt for the password at runtime
pass the password in an environment variable
use kerberos and then use 'external' authentication in node-oracledb. All this is configured and enabled in code layers below node-oracledb, see the Oracle Database Security Guide.
use an Oracle Wallet and then use 'external' authentication in node-oracledb.

New login and user cannot login to database right away but works after random periods of time - Azure SQL Server

Command - 1 (Running on 'Master')
*CREATE LOGIN [login_Name] WITH PASSWORD=N'XXXXXX'*
Command - 2 (Running on 'Database_name')
*ALTER USER [User_name] WITH LOGIN= [login_name]
EXEC sp_addrolemember N'db_owner', N'Database_Name'*
When I try logging to 'Database_Name' or try to make a connection to this database with the newly created Login_name and Password, I am getting the following error sometimes:
The server principal "XXX" is not able to access the database "XXX" under the current security context. Cannot open database "XXX" requested by the login. The login failed. Login failed for user 'XXX'.
I made sure that the altered user is not orphan user by matching it's SID with the Login's SID.
ISSUE: After resetting the password and user, the above error shows up sporadically. Sometimes I can make a connection in just a second after running the above commands. The other times it may take up to 15 minutes before I can connect to the database.

Cannot login as admin in production

I am having trouble logging in as admin when I switch to production. I get the following error:
BCryptPasswordEncoder - Encoded password does not look like BCrypt
I am guessing I would have to change the admin password directly in the database (table blc_admin_user), to an encrypted one? If so, what would it be?
Also I am hoping to use the same database created in development for production, I hope that is not an issue.
Note that I am using the default admin login (password: admin).
version 5.2.0-SNAPSHOT
Yes, you will need to encrypt the admin password with BCrypt and put that in the BLC_ADMIN_USER table. Here is the update script to do that:
UPDATE BLC_ADMIN_USER SET PASSWORD = '$2a$06$NtRCQoGXWEgBClwBO8b1AeBqIP1elvZNuZqR/57Yjfw4kV/M0vljG' WHERE LOGIN = 'admin';

Can't reset Chef user's key or password "missing update permission"

Running Chef 12.5
CentOS Linux release 7.2.1511 (Core)
I created a new Chef user with these commands:
chef-server-ctl user-create test firstname lastname email#fake.com 'Passw0rd1!'
chef-server-ctl org-user-add myorg test
Added the user to the "users" group
Now in the GUI if I try to reset the user's key or password I get this error:
My account is an admin.
How do I reset a this user's password and key?
OK so I can login as the user and reset its key. But why can't an admin do that? I thought Chef admins had access to Delete,Grant,Read,Update all Chef objects?
If a user has lost their password you can change it via command line on the server with an admin user.
chef-server-ctl password test
This will prompt you to enter and confirm a new password. Give this to your user and let them manage their own key and password.

How should logins and users be created on a geo-redundant database in Azure?

I need to create a login and user on a geo-replicated database. The user will be granted the role of 'db_datareader' on this database.
The attempted approach has been to use the SID (same identity) parameter, as follows:
-- 1. PRIMARY_DATABASE: Run on master database of Primary Database to create login
CREATE LOGIN [LOGINUSER] WITH password='XYZ'
GO
-- 2. Select details for created SQL login
SELECT [name], [sid]
FROM [sys].[sql_logins]
WHERE [type_desc] = 'SQL_Login'
AND [name] = 'LOGINUSER'
GO
-- 3. SECONDARY_DATABASE: Run on master database of Secondary Database to create login with associated SID
CREATE LOGIN [LOGINUSER]
WITH PASSWORD = 'XYZ',
SID = <SID from Step 2>
GO
While the login creation works fine on both databases, I was allowed access on the PRIMARY_DATABASE, and denied access on the SECONDARY_DATABASE with the following error:
The server principal "LOGINUSER" is not able to access the database "master" under the current security context.
Cannot open user default database. Login failed.
Login failed for user 'LOGINUSER'. (Microsoft SQL Server, Error: 916)
Is this the correct approach for setting up a login in geo-replicated databases?
How do I set up a user on these databases?
You should create logins on the other server too from the SID taken from the primary. Otherwise you can use contained users feature in SQL server / db so that users gets automatically replicated to the read only copy.
It appears you don have local access to master db. Have you tried accessing master via a different login? If not you may want to create a local user in master and connect using it.
You should use contained users instead. These users are contained within the database, are synced along geo replications and do not need an extra login from master table.
Create a contained user with password as db_owner:
USE mydatabase;
CREATE USER myuser WITH PASSWORD = 'secret';
EXEC sp_addrolemember 'db_owner', 'myuser'
more information: https://learn.microsoft.com/en-us/sql/relational-databases/security/contained-database-users-making-your-database-portable?view=sql-server-ver15
I faced the same issue and the following worked for me. I have Azure SQL Server on which the Active geo-replication is enabled.
Ensure that your IP Address is added to the firewall of the existing and the new Server.
On the master database of the Primary server:
Create a login
CREATE LOGIN geo_user WITH PASSWORD = 'secure-password'
Create a corresponding user and assign it to the dbmanager role (you can assign an appropriate role as per your requirement)
CREATE USER geo_user FOR LOGIN geo_user
ALTER ROLE dbmanager ADD MEMBER geo_user
Note the SID of the new login:
SELECT sid FROM sys.sql_logins WHERE name = 'geo_user'
On the source database of the Primary server:
Create user for the same login:
CREATE USER geo_user FOR LOGIN geo_user
Add the user to the db_owner role:
ALTER ROLE db_owner add MEMBER geo_user
On the master of the Secondary server:
Create the same login as on the Primary server (using the same username, password and SID from step-4 ):
CREATE LOGIN geo_user with password = 'secure-password', sid=0x01060000000000640000000000000000A0D03563024DA846ADBCF33D31B6C026
Create a corresponding user and assign it to the dbmanager role:
CREATE USER geo_user FOR LOGIN geo_user
ALTER ROLE dbmanager ADD MEMBER geo_user
Now you should be able to login to the new Server using this user and query the database.

Resources