akumria / puppet-postgresql

Manage and install Postgresql databases and users

Working with ACL #16

Closed alec-c4 closed 11 years ago

alec-c4 commented 11 years ago

Hi, is it possible to disable or overwrite some rule in Postgresql ACL?

Let me explain. I've created a Puppet file with the following lines:

class { 'postgresql::server':
    locale => 'ru_RU.UTF-8',
    version => '9.1',
    listen => ['localhost', ],
    port   => 5432,
    acl   => ['local all all md5', ],
}

but on an attempt to connect locally to the db I saw the following:

vagrant@app:/etc/puppet$ psql -U db_user -W
Password for user db_user: 
psql: FATAL:  Peer authentication failed for user "db_user"

The article (http://blog.deliciousrobots.com/2011/12/13/get-postgres-working-on-ubuntu-or-linux-mint/) gave me a hint to use an acl like the one in my config, but the required line

local all all md5

was added after default line

local   all             all                                     ident

and this rule overrides my config lines, placed below this line.

I see the following ways to solve this problem

Or maybe you have any other idea?

akumria commented 11 years ago

Hi Alexey,

So the issue here is that you are using a local Unix domain socket to connect to Postgresql. Certainly one way to do things, but I locally never develop things that way. One of my assumptions is that nothing will actually be running on the database host. If the DB host and Web host are on the same machine, things still work (they communicate via loopback).

Looking at that blog post:

psql -h localhost -d somedb -U someuser -W

Would be a working command.

I'd say the way to handle this would be a separate ACL list (probably 'pre-acl') that is output before the static ones.

I've got a bunch of changes to merge first, so something in the next few days before I get a version out.

akumria commented 11 years ago

I've not formally released this yet, but I believe this should solve your configuration.
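
The ordering problem discussed in this thread, as an added example (not code from the puppet-postgresql module or from either commenter): a simplified first-match evaluator for pg_hba.conf records, showing why a rule appended after the static `local ... ident` line never takes effect and why a list emitted before the static rules does. The `host` line in `STATIC_RULES`, the `pre_acl` parameter name and all helper names are assumptions; only CIDR addresses and `all` or literal names are handled.

```python
import ipaddress

# Constructed stand-in for the module's static rules: only the first line is
# quoted in the thread, the host line is an assumption for illustration.
STATIC_RULES = [
    "local   all             all                                     ident",
    "host    all             all             127.0.0.1/32            md5",
]
USER_ACL = ["local all all md5"]  # the acl value from the issue


def parse_rule(line):
    """Split one pg_hba.conf record into a dict; None for blanks/comments."""
    fields = line.split("#", 1)[0].split()
    if not fields:
        return None
    if fields[0] == "local":  # local records carry no address column
        conn, db, user, method = fields[:4]
        return {"type": conn, "db": db, "user": user, "addr": None, "method": method}
    conn, db, user, addr, method = fields[:5]
    return {"type": conn, "db": db, "user": user,
            "addr": ipaddress.ip_network(addr), "method": method}


def _name_matches(field, value):
    # Simplified: the keyword "all" or a comma-separated list of literal names.
    return field == "all" or value in field.split(",")


def first_match(lines, conn_type, db, user, client_ip=None):
    """Return the auth method of the first matching record (no fall-through)."""
    for line in lines:
        rule = parse_rule(line)
        if rule is None or rule["type"] != conn_type:
            continue
        if not (_name_matches(rule["db"], db) and _name_matches(rule["user"], user)):
            continue
        if rule["addr"] is not None and ipaddress.ip_address(client_ip) not in rule["addr"]:
            continue
        return rule["method"]
    return None  # nothing matched: PostgreSQL rejects the connection


def rendered(pre_acl=(), acl=()):
    """File order proposed in the thread: pre-acl, static rules, then acl."""
    return list(pre_acl) + STATIC_RULES + list(acl)
```

With the acl appended after the static rules, a Unix-socket connection for `db_user` still resolves to `ident`; the same line placed in the leading list resolves to `md5`, and a `-h localhost` connection is evaluated against the `host` records only.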