Securing Your Data in Postgres - percona.com
Transcript
Contents
Authentication
Encryption
Row-Level Security
SSL / TLS
ACLs
Event Triggers
Auditing
Replication
# TYPE  DATABASE        USER            ADDRESS                 METHOD
# "local" is for Unix domain socket connections only
local   all             all                                     trust
# IPv4 local connections:
host    all             all             127.0.0.1/32            md5
# IPv6 local connections:
host    all             all             ::1/128                 md5
#> SET password_encryption = 'scram';
SET
#> CREATE ROLE sales PASSWORD 'ReallyBadPassword';
CREATE ROLE
#> SELECT substring(rolpassword, 1, 14) FROM pg_authid WHERE rolname = 'sales';
substring
----------------
scram-sha-256:
(1 row)
“list of permissions attached to an object. An ACL specifies which users or system processes are granted access to objects, as well as what operations are allowed on given objects.”
Grant
Revoke
rolename=xxxx -- privileges granted to a role
=xxxx -- privileges granted to PUBLIC
r -- SELECT ("read")
w -- UPDATE ("write")
a -- INSERT ("append")
d -- DELETE
D -- TRUNCATE
x -- REFERENCES
t -- TRIGGER
X -- EXECUTE
U -- USAGE
C -- CREATE
c -- CONNECT
T -- TEMPORARY
arwdDxt -- ALL PRIVILEGES (for tables, varies for other objects)
* -- grant option for preceding privilege
/yyyy -- role that granted this privilege
Transactional DDLs
psql#> BEGIN;
BEGIN
psql#> GRANT SELECT ON test TO payal;
GRANT
psql#> ROLLBACK;
ROLLBACK
postgres@postgres:5432# \dp test
Access privileges
Schema | Name | Type | Access privileges | Column privileges | Policies
--------+------+-------+-------------------+-------------------+----------
public | test | table | | |
(1 row)
Column Level ACLs
postgres@postgres:5432# GRANT UPDATE(name) ON test TO rachel;
GRANT
postgres@postgres:5432# \dp test
                              Access privileges
 Schema | Name | Type  | Access privileges | Column privileges    | Policies
--------+------+-------+-------------------+----------------------+----------
 public | test | table |                   | name:               +|
        |      |       |                   |   rachel=w/postgres  |
(1 row)
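The ACL legend above and the column-level grant are easier to read with a worked session. This is an added example, not from the slides: it grants, decodes and revokes table and column privileges in a scratch database from a superuser psql session. Roles payal and rachel and table test follow the slides; the column names, the ALTER DEFAULT PRIVILEGES line and the scratch database are assumptions for the demo.

```sql
-- Added example (not from the slides): grant, inspect and revoke table and
-- column privileges. Assumes a superuser psql session on a scratch database;
-- roles payal/rachel and table test follow the slides, columns are made up.
CREATE ROLE payal LOGIN;
CREATE ROLE rachel LOGIN;
CREATE TABLE test (id int, name text, salary numeric);

-- DDL is transactional in Postgres: a mistaken grant is rolled back as a unit.
BEGIN;
GRANT SELECT ON test TO payal;            -- \dp shows payal=r/postgres
GRANT UPDATE (name) ON test TO rachel;    -- column privilege: name: rachel=w/postgres
COMMIT;

-- Decode the aclitem[] the way \dp does: one row per grantee and privilege
-- (r/w/a/d/D/x/t map to SELECT/UPDATE/INSERT/DELETE/TRUNCATE/REFERENCES/TRIGGER).
SELECT a.grantee::regrole AS grantee, a.privilege_type, a.is_grantable
FROM pg_class c, aclexplode(c.relacl) AS a
WHERE c.oid = 'test'::regclass;
-- postgres | SELECT, INSERT, ... (owner's implicit rows, one per privilege)
-- payal    | SELECT         | f

-- Column grants are stored per attribute (pg_attribute.attacl), not in relacl.
SELECT att.attname, a.grantee::regrole AS grantee, a.privilege_type
FROM pg_attribute att, aclexplode(att.attacl) AS a
WHERE att.attrelid = 'test'::regclass;
-- name | rachel | UPDATE

-- UPDATE(name) does not imply SELECT on the other columns: a blanket UPDATE
-- is allowed, but a WHERE clause that reads id is refused.
SET ROLE rachel;
UPDATE test SET name = 'anon';               -- allowed
UPDATE test SET name = 'anon' WHERE id = 1;  -- fails: needs SELECT on column id
RESET ROLE;

-- Functions are EXECUTE-able by PUBLIC by default; this changes the default
-- for functions this role creates later in schema public (assumed policy).
ALTER DEFAULT PRIVILEGES IN SCHEMA public REVOKE EXECUTE ON FUNCTIONS FROM PUBLIC;

-- Revoke works symmetrically and is visible immediately in \dp.
REVOKE SELECT ON test FROM payal;
\dp test
```

Run it with psql -f against a throwaway database as a superuser; the commented output after each query is what the queries return once the grants are in place.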
Row Level Security
CREATE TABLE accounts (manager text, company text,
contact_email text);
ALTER TABLE accounts ENABLE ROW LEVEL SECURITY;
CREATE POLICY account_managers ON accounts
TO managers
USING (manager = current_user);
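The policy above only shows the USING half. As an added example, not from the slides, the following session builds the managers role and accounts table from the slide, shows the default-deny behaviour when RLS is enabled without a policy, and adds a WITH CHECK clause so a manager cannot insert rows for someone else. Roles alice and bob, the sample rows and the scratch database are assumptions for the demo.

```sql
-- Added example (not from the slides): row-level security end to end.
-- Assumes a superuser psql session on a scratch database; roles alice/bob
-- and the sample rows are constructed for the demo.
CREATE ROLE managers NOLOGIN;
CREATE ROLE alice LOGIN IN ROLE managers;
CREATE ROLE bob   LOGIN IN ROLE managers;

CREATE TABLE accounts (manager text, company text, contact_email text);
GRANT SELECT, INSERT, UPDATE ON accounts TO managers;   -- RLS filters rows, ACLs still gate the table

INSERT INTO accounts VALUES
  ('alice', 'Acme Corp',  'acme@example.invalid'),
  ('bob',   'Globex Inc', 'globex@example.invalid');

-- RLS enabled with no policy means default deny for non-owner, non-superuser roles.
ALTER TABLE accounts ENABLE ROW LEVEL SECURITY;
SET ROLE alice;
SELECT count(*) FROM accounts;   -- 0
RESET ROLE;

-- USING filters which existing rows are visible/updatable;
-- WITH CHECK constrains rows being inserted or produced by UPDATE.
CREATE POLICY account_managers ON accounts
  TO managers
  USING (manager = current_user)
  WITH CHECK (manager = current_user);

SET ROLE alice;                              -- current_user is now alice
SELECT company FROM accounts;                -- Acme Corp only
UPDATE accounts SET contact_email = 'x@example.invalid'
  WHERE company = 'Globex Inc';              -- UPDATE 0: bob's row is invisible, no error
INSERT INTO accounts VALUES ('bob', 'Initech', 'initech@example.invalid');
                                             -- ERROR: new row violates row-level security policy
RESET ROLE;

-- The table owner bypasses RLS unless it is forced; superusers and roles with
-- BYPASSRLS always bypass it, so owning the table as a superuser hides nothing.
ALTER TABLE accounts FORCE ROW LEVEL SECURITY;
```

Policies are permissive and OR'ed together by default; since PG10 a policy can be created AS RESTRICTIVE so it is AND'ed with the others, which is the safer choice when adding a second policy to an existing table.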
ssl = on # (change requires restart)
#ssl_ciphers = 'ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH' # allowed SSL ciphers
#ssl_prefer_server_ciphers = on # (change requires restart)
#ssl_ecdh_curve = 'prime256v1' # (change requires restart)
ssl_cert_file = '/etc/ssl/postgres/starry.io.crt' # (change requires restart)
ssl_key_file = '/etc/ssl/postgres/starry.io.key' # (change requires restart)
ssl_ca_file = '' # (change requires restart)
#ssl_crl_file = '' # (change requires restart)
Modes (sslmode)
DISABLE - No SSL connections allowed
ALLOW - Allow SSL connections if connections without SSL fail
PREFER - Allow non-SSL connection if SSL connection fails
REQUIRE - Certificate verification required to connect
VERIFY-CA - Verify server certificate
VERIFY-FULL - Server hostname same as name in certificate
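The pg_hba.conf lines quoted earlier (trust on the Unix socket, md5 over TCP) and the ssl settings above fit together in one configuration. This is an added example, not from the slides: the weak lines beside a hardened version, with the postgresql.conf settings that make them work. The network ranges, database and role names (app_db, app, 10.0.0.0/24, 10.0.1.0/24) and file names are assumptions. One caveat on the mode list: on the client side only verify-ca and verify-full check the server certificate against a trusted CA (given via sslrootcert); require encrypts the session but does not verify who the server is.

```conf
# Added example (not from the slides). Networks, names and paths are assumptions.

# --- pg_hba.conf, weak lines from the slide -----------------------------------
# local   all   all                    trust     # any OS user on the box, no password
# host    all   all   0.0.0.0/0        md5       # MD5 challenge, plaintext TCP allowed

# --- pg_hba.conf, hardened (first matching line wins) -------------------------
local     all     all                          peer                 # OS user must match DB role
host      all     all   127.0.0.1/32           scram-sha-256
host      all     all   ::1/128                scram-sha-256
hostssl   app_db  app   10.0.0.0/24            scram-sha-256        # application subnet: TLS + SCRAM
hostssl   all     all   10.0.1.0/24            scram-sha-256 clientcert=1   # admins: password AND client cert (PG10 syntax)
hostnossl all     all   0.0.0.0/0              reject               # refuse every plaintext TCP connection
host      all     all   0.0.0.0/0              reject               # and anything else not listed above

# --- postgresql.conf --------------------------------------------------------------
ssl = on                                  # (change requires restart)
ssl_cert_file = 'server.crt'              # relative to the data directory
ssl_key_file = 'server.key'               # must be readable only by the server's OS user
ssl_ca_file = 'root.crt'                  # required for clientcert=1 above
ssl_prefer_server_ciphers = on
password_encryption = scram-sha-256       # new passwords stored as SCRAM, never md5

# --- client side, for the verify modes to mean anything ------------------------
# psql "host=db.example.invalid dbname=app_db user=app sslmode=verify-full sslrootcert=root.crt"
```

Reload with SELECT pg_reload_conf() for pg_hba.conf changes; the ssl settings marked "change requires restart" need a full restart. Existing md5-hashed passwords keep working with the md5 method but not with scram-sha-256, so roles must reset their password after password_encryption is switched.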
Monitoring Roles (PG10 and onwards)
pg_monitor
pg_read_all_settings
pg_read_all_stats
pg_stat_scan_tables
At-Rest
pgcrypto
- AES-128, AES-192, or AES-256
- Performance impact
Backups
Volumes
instance-level - 3rd party patch!
https://www.postgresql.org/message-id/CA%2BCSw_tb3bk5i7if6inZFc3yyf%2B9HEVNTy51QFBoeUk7UE_V%[email protected]
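The pgcrypto bullets (AES-128/192/256, performance impact) are concrete enough for a worked example. This is an added example, not from the slides: it encrypts one column with pgcrypto, shows the difference between the PGP-style functions and the raw block cipher where the key length picks the AES variant, and shows why the performance hit appears. The table, sample values and passphrase are constructed for the demo.

```sql
-- Added example (not from the slides): column encryption with pgcrypto.
-- Assumes a scratch database where CREATE EXTENSION is permitted; table,
-- data and passphrase are constructed for the demo.
CREATE EXTENSION IF NOT EXISTS pgcrypto;

CREATE TABLE customer (id serial PRIMARY KEY, email text, tax_id_enc bytea);

-- pgp_sym_encrypt derives a random session key per call and adds integrity
-- protection; cipher-algo=aes256 selects AES-256 (the default is aes128).
-- The same plaintext therefore encrypts to different bytes each time.
INSERT INTO customer (email, tax_id_enc) VALUES
  ('alice@example.invalid', pgp_sym_encrypt('123-45-6789', 'demo-passphrase', 'cipher-algo=aes256')),
  ('bob@example.invalid',   pgp_sym_encrypt('987-65-4321', 'demo-passphrase', 'cipher-algo=aes256'));

-- Only a holder of the passphrase gets plaintext back.
SELECT email, pgp_sym_decrypt(tax_id_enc, 'demo-passphrase') AS tax_id FROM customer;

-- A wrong passphrase fails closed with an error rather than returning garbage.
-- SELECT pgp_sym_decrypt(tax_id_enc, 'wrong-passphrase') FROM customer;

-- Performance impact: the ciphertext cannot be indexed, so a lookup by
-- tax_id decrypts every row (sequential scan) instead of using an index.
EXPLAIN SELECT id FROM customer
WHERE pgp_sym_decrypt(tax_id_enc, 'demo-passphrase') = '123-45-6789';

-- Raw block cipher: the key length selects AES-128/192/256 (16/24/32 bytes).
-- encrypt() uses CBC with a fixed zero IV, so equal inputs give equal output
-- and equality of values leaks; prefer pgp_sym_encrypt or encrypt_iv with a
-- fresh random IV per row.
SELECT encrypt('123-45-6789'::bytea, decode('000102030405060708090a0b0c0d0e0f', 'hex'), 'aes')
     = encrypt('123-45-6789'::bytea, decode('000102030405060708090a0b0c0d0e0f', 'hex'), 'aes');  -- true

-- Key handling caveat: the passphrase is part of the SQL text, so statement
-- logging, pg_stat_activity and pg_stat_statements can expose it. Pass it as
-- a bind parameter from the application and keep log_statement off for these
-- queries, or encrypt on the application side so the key never reaches the server.
```

pgcrypto protects against someone who can read the table or a backup but not the passphrase; it does not help against a role that can run the decrypt query, which is why the key should live outside the database.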
Logical Replication
Create publication: CREATE privilege
Add tables: table owner
Add all tables: superuser
Create subscription: superuser
Subscriptions apply process
Upcoming Features in PG11
SCRAM-SHA-256-Plus
- Channel Binding SASL mechanism
- Mutual Authentication
- tls-unique
- tls-server-end-point
PG_TEST_EXTRA
- More authentication type tests
Large object ACL permissions
Desired Features
Data Redaction
Oracle TDE - key management
http://www.oracle.com/technetwork/database/security/twp-transparent-data-encryption-bes-130696.pdf
SHOW GRANTS