Thread: BUG #18350: Modifying predefined roles' unlimited connections for VA STIG cybersecurity checklist
BUG #18350: Modifying predefined roles' unlimited connections for VA STIG cybersecurity checklist
From: PG Bug reporting form

The following bug has been logged on the website:

Bug reference: 18350
Logged by: Martin Nguyen
Email address: martin.nguyen@oracle.com
PostgreSQL version: 13.7
Operating system: RHEL

Description:
We have identified an issue where predefined roles are not modifiable, however a Dept. of VA security checklist requires that no roles have unlimited connections. The predefined roles have unlimited connections; is there a way to modify these?
Re: BUG #18350: Modifying predefined roles' unlimited connections for VA STIG cybersecurity checklist
From: "David G. Johnston"

On Fri, Feb 16, 2024 at 2:23 PM PG Bug reporting form <noreply@postgresql.org> wrote:

> The following bug has been logged on the website:
> Bug reference: 18350
> Logged by: Martin Nguyen
> Email address: martin.nguyen@oracle.com
> PostgreSQL version: 13.7
> Operating system: RHEL
> Description:
> We have identified an issue where predefined roles are not modifiable,
> however a Dept. of VA security checklist requires that no roles have
> unlimited connections. The Predefined roles have unlimited connections, is
> there a way to modify these?
Pre-defined roles do not have the login attribute, so the number-of-connections attribute is irrelevant.

Superusers are not so constrained.
David J.
Re: BUG #18350: Modifying predefined roles' unlimited connections for VA STIG cybersecurity checklist
From: Tom Lane

PG Bug reporting form <noreply@postgresql.org> writes:

> We have identified an issue where predefined roles are not modifiable,
> however a Dept. of VA security checklist requires that no roles have
> unlimited connections. The Predefined roles have unlimited connections, is
> there a way to modify these?

Solution 1: explain to your compliance department that it's pointless to worry about the connection limit for a role that can't log in.

Solution 2: do a manual UPDATE on pg_authid. This would have to be done over after any major-version upgrade, though.

regards, tom lane
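The two replies above (David Johnston's: predefined roles cannot log in, and superusers ignore the limit; Tom Lane's: the only way to touch the predefined roles is a catalog UPDATE that is lost on major-version upgrade) can be turned into a check an auditor can run. The SQL below is an added example, not code from the thread or from PostgreSQL itself; `app_user` and the limit of 10 are assumed placeholders.

```sql
-- Added example (not from the thread). Lists every role with the attributes that
-- decide whether its connection limit matters at all.
--   rolconnlimit = -1  means "unlimited"
--   rolconnlimit =  0  means "no connections allowed"
-- Predefined roles (names starting with pg_) have rolcanlogin = false, so their
-- rolconnlimit is never consulted; superusers are exempt from the limit entirely.
SELECT rolname,
       rolcanlogin,
       rolsuper,
       rolconnlimit,
       CASE
         WHEN NOT rolcanlogin  THEN 'n/a: role cannot log in'
         WHEN rolsuper         THEN 'n/a: superusers are exempt from the limit'
         WHEN rolconnlimit < 0 THEN 'FINDING: login role with unlimited connections'
         ELSE 'ok'
       END AS assessment
FROM pg_roles
ORDER BY rolcanlogin DESC, rolname;

-- Remediation for a role that can log in: use the supported command.
-- app_user is an assumed role name; 10 is a placeholder taken from the requirement.
ALTER ROLE app_user CONNECTION LIMIT 10;

-- Tom Lane's "Solution 2" for the predefined roles themselves: a direct catalog
-- update. Requires superuser, and as he notes it has to be repeated after every
-- major-version upgrade. For a role without LOGIN it changes nothing in practice;
-- it only makes the catalog row read the way the checklist expects.
UPDATE pg_authid
   SET rolconnlimit = 0
 WHERE rolname LIKE 'pg\_%'
   AND NOT rolcanlogin;
```

Only rows marked FINDING in the first query are worth acting on; everything else is either a role that cannot open a session or a superuser, for which the limit is not enforced anyway.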
BUG #18350: Modifying predefined roles' unlimited connections for VA STIG cybersecurity checklist
From: "Wetmore, Matthew (CTR)"

I think they mean the application connections from the UI to the backend, not backend SQL user login connection limits. JAVA would be Hikari max_pool = 10 or something to that effect. (I've been through this before), but you should check the requirement.

-----Original Message-----
From: Tom Lane <tgl@sss.pgh.pa.us>
Sent: Friday, February 16, 2024 1:36 PM
To: martin.nguyen@oracle.com
Cc: pgsql-bugs@lists.postgresql.org
Subject: [EXTERNAL] Re: BUG #18350: Modifying predefined roles' unlimited connections for VA STIG cybersecurity checklist

PG Bug reporting form <noreply@postgresql.org> writes:

> We have identified an issue where predefined roles are not modifiable,
> however a Dept. of VA security checklist requires that no roles have
> unlimited connections. The Predefined roles have unlimited
> connections, is there a way to modify these?

Solution 1: explain to your compliance department that it's pointless to worry about the connection limit for a role that can't log in.

Solution 2: do a manual UPDATE on pg_authid. This would have to be done over after any major-version upgrade, though.

regards, tom lane
Re: BUG #18350: Modifying predefined roles' unlimited connections for VA STIG cybersecurity checklist
From: Andrew Dunstan

On 2024-02-16 Fr 16:35, Tom Lane wrote:

> PG Bug reporting form <noreply@postgresql.org> writes:
>> We have identified an issue where predefined roles are not modifiable,
>> however a Dept. of VA security checklist requires that no roles have
>> unlimited connections. The Predefined roles have unlimited connections, is
>> there a way to modify these?
> Solution 1: explain to your compliance department that it's pointless
> to worry about the connection limit for a role that can't log in.
>
> Solution 2: do a manual UPDATE on pg_authid. This would have to
> be done over after any major-version upgrade, though.
>

Also note that this is not by any stretch of the imagination a bug.

cheers

andrew

--
Andrew Dunstan
EDB: https://www.enterprisedb.com