BUG #18350: Modifying predefined roles' unlimited connections for VA STIG cybersecurity checklist

Started by PG Bug reporting form, about 2 years ago; 5 messages; tagged bugs
#1PG Bug reporting form
noreply@postgresql.org

The following bug has been logged on the website:

Bug reference: 18350
Logged by: Martin Nguyen
Email address: martin.nguyen@oracle.com
PostgreSQL version: 13.7
Operating system: RHEL
Description:

We have identified an issue where predefined roles are not modifiable;
however, a Dept. of VA security checklist requires that no roles have
unlimited connections. The predefined roles have unlimited connections; is
there a way to modify these?

#2David G. Johnston
david.g.johnston@gmail.com
In reply to: PG Bug reporting form (#1)
Re: BUG #18350: Modifying predefined roles' unlimited connections for VA STIG cybersecurity checklist

On Fri, Feb 16, 2024 at 2:23 PM PG Bug reporting form <
noreply@postgresql.org> wrote:

The following bug has been logged on the website:

Bug reference: 18350
Logged by: Martin Nguyen
Email address: martin.nguyen@oracle.com
PostgreSQL version: 13.7
Operating system: RHEL
Description:

We have identified an issue where predefined roles are not modifiable;
however, a Dept. of VA security checklist requires that no roles have
unlimited connections. The predefined roles have unlimited connections; is
there a way to modify these?

Pre-defined roles do not have the login attribute so the number of
connections attribute is irrelevant.

Superusers are not so constrained.

David J.

#3Tom Lane
tgl@sss.pgh.pa.us
In reply to: PG Bug reporting form (#1)
Re: BUG #18350: Modifying predefined roles' unlimited connections for VA STIG cybersecurity checklist

PG Bug reporting form <noreply@postgresql.org> writes:

We have identified an issue where predefined roles are not modifiable;
however, a Dept. of VA security checklist requires that no roles have
unlimited connections. The predefined roles have unlimited connections; is
there a way to modify these?

Solution 1: explain to your compliance department that it's pointless
to worry about the connection limit for a role that can't log in.

Solution 2: do a manual UPDATE on pg_authid. This would have to
be done over after any major-version upgrade, though.

regards, tom lane
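To turn David's and Tom's replies into something a compliance reviewer can run, here is an added audit query plus the two remediation paths (example code written for this thread, not from the thread itself or from PostgreSQL's own tooling; `app_user` is a hypothetical role and the limit values are placeholders):

```sql
-- Audit: which roles does the "no unlimited connections" item actually reach?
-- Predefined roles (pg_* in PostgreSQL 13) cannot log in, so rolconnlimit is
-- never consulted for them, and superusers are exempt from rolconnlimit
-- altogether. Only the 'FINDING' rows need an ALTER ROLE.
SELECT rolname,
       rolcanlogin,
       rolsuper,
       rolconnlimit,                       -- -1 means "no limit"
       CASE
           WHEN NOT rolcanlogin   THEN 'cannot log in: limit irrelevant'
           WHEN rolsuper          THEN 'superuser: limit not enforced'
           WHEN rolconnlimit = -1 THEN 'FINDING: unlimited connections'
           ELSE 'ok'
       END AS assessment
FROM pg_catalog.pg_roles
ORDER BY rolcanlogin DESC, rolsuper DESC, rolname;

-- Remediation for a real login role (supported, survives upgrades):
-- app_user is a hypothetical role; 10 is a placeholder sized to the app's pool.
ALTER ROLE app_user CONNECTION LIMIT 10;

-- Tom's "Solution 2", only if the checklist tool insists on a non -1 value for
-- the non-login pg_* roles. Requires superuser, edits the catalog directly,
-- and must be repeated after every major-version upgrade.
UPDATE pg_catalog.pg_authid
   SET rolconnlimit = 0
 WHERE rolname LIKE 'pg\_%'               -- backslash escapes the underscore
   AND NOT rolcanlogin;

-- Verify: no login-capable, non-superuser role should still show -1.
SELECT count(*) AS remaining_findings
FROM pg_catalog.pg_roles
WHERE rolcanlogin AND NOT rolsuper AND rolconnlimit = -1;
```

Note that `CONNECTION LIMIT` is approximate under concurrent logins (PostgreSQL documents this), so a limit of 10 is a ceiling for the checklist, not a precise pool size.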

#4Wetmore, Matthew (CTR)
Matthew.Wetmore@express-scripts.com
In reply to: Tom Lane (#3)

I think they mean the application connections from the UI to the backend, not backend SQL user login connection limits.

Java would be Hikari max_pool = 10 or something to that effect.

I've been through this before, but you should check the requirement.

-----Original Message-----
From: Tom Lane <tgl@sss.pgh.pa.us>
Sent: Friday, February 16, 2024 1:36 PM
To: martin.nguyen@oracle.com
Cc: pgsql-bugs@lists.postgresql.org
Subject: [EXTERNAL] Re: BUG #18350: Modifying predefined roles' unlimited connections for VA STIG cybersecurity checklist

PG Bug reporting form <noreply@postgresql.org> writes:

We have identified an issue where predefined roles are not modifiable;
however, a Dept. of VA security checklist requires that no roles have
unlimited connections. The predefined roles have unlimited
connections; is there a way to modify these?

Solution 1: explain to your compliance department that it's pointless to worry about the connection limit for a role that can't log in.

Solution 2: do a manual UPDATE on pg_authid. This would have to be done over after any major-version upgrade, though.

regards, tom lane

#5Andrew Dunstan
andrew@dunslane.net
In reply to: Tom Lane (#3)
Re: BUG #18350: Modifying predefined roles' unlimited connections for VA STIG cybersecurity checklist

On 2024-02-16 Fr 16:35, Tom Lane wrote:

PG Bug reporting form <noreply@postgresql.org> writes:

We have identified an issue where predefined roles are not modifiable;
however, a Dept. of VA security checklist requires that no roles have
unlimited connections. The predefined roles have unlimited connections; is
there a way to modify these?

Solution 1: explain to your compliance department that it's pointless
to worry about the connection limit for a role that can't log in.

Solution 2: do a manual UPDATE on pg_authid. This would have to
be done over after any major-version upgrade, though.

Also note that this is not by any stretch of the imagination a bug.

cheers

andrew

--
Andrew Dunstan
EDB: https://www.enterprisedb.com