Remote read only access to database for Postgres customers


Customers frequently want to connect a reporting or dashboard application such as Power BI or Tableau to our bundled Postgres database server.

By default, the bundled Postgres is configured to listen only on the local machine. It can be configured to accept connections from remote machines if required.

We also need to create a user with read-only permission on the servicedesk database alone.

ONLY this user should be able to access the Postgres server from remote machines, and only after a password prompt. SDP's default PG user 'sdpadmin' and the PG superuser 'postgres' have higher privileges on the Postgres server; these users should NOT be allowed to access the Postgres server from remote machines.

The steps to accomplish this are given below.


STEP 1 : Create a Postgres DB user 'sdpreadonly' with read-only access to the 'servicedesk' database

For SDP 10.5 and above, STEP 1 can be done using createPostgresUser.bat in the ServiceDesk\bin directory.

a. Stop the ServiceDesk Plus application.
b. Open the Windows command prompt.
c. Change directory to ServiceDesk\bin and invoke the createPostgresUser.bat script:

C:\Program Files\ManageEngine\ServiceDesk\bin>createPostgresUser.bat -sU postgres -sp <super-user-password> -U <new-username> -p <new-password> -r readonly

For the options -sU and -sp, provide the Postgres superuser name and password. The default superuser name is 'postgres'.

The option -r readonly makes the newly created user a read-only user.


For SDP 9.4 and 10.0 series builds, follow the instructions below for STEP 1.

a. Stop the ServiceDesk Plus application.
b. Open the Windows command prompt.
c. Change directory to ServiceDesk\bin and execute startDB.bat. Wait for the success message:

C:\Program Files\ManageEngine\ServiceDesk\bin>startDB.bat
"C:\Program Files\ManageEngine\ServiceDesk\bin\\.."
Database server successfully started...

d. Change directory to ServiceDesk\pgsql\bin:

C:\Program Files\ManageEngine\ServiceDesk\bin>cd ..\pgsql\bin

e. Execute the command below to connect to the Postgres query console as the PG superuser (postgres). Enter the password when prompted:

C:\Program Files\ManageEngine\ServiceDesk\pgsql\bin>psql.exe -U postgres -p 65432 -h 127.0.0.1 -d servicedesk
Password for user postgres:
psql (10.5)
WARNING: Console code page (437) differs from Windows code page (1252)
         8-bit characters might not work correctly. See psql reference
         page "Notes for Windows users" for details.
Type "help" for help.

servicedesk=#

f. Create a user with a password and grant read-only access to the servicedesk database with the following commands:

servicedesk=# create user sdpreadonly;
CREATE ROLE

servicedesk=# ALTER USER sdpreadonly with password '<your-password-here>';
ALTER ROLE

servicedesk=# GRANT CONNECT ON DATABASE servicedesk TO sdpreadonly;
GRANT

servicedesk=# GRANT USAGE ON SCHEMA public TO sdpreadonly;
GRANT

servicedesk=# GRANT SELECT ON ALL TABLES IN SCHEMA public TO sdpreadonly;
GRANT

servicedesk=# ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO sdpreadonly;
ALTER DEFAULT PRIVILEGES

g. Exit the Postgres query console by entering '\q':

servicedesk=# \q


STEP 2 : In ServiceDesk/pgsql/ext_conf/postgres_ext.conf, add the line below to the end of the file.
In 9.4 series and 10.0 series builds this file is located at ServiceDesk/pgsql/data/postgres_ext.conf.

listen_addresses = '*'

The default value of max_connections in postgres_ext.conf is 50, of which 40 can be used by the SDP application (configured in ServiceDesk/conf/database_params.conf).
Since third-party application connections are now being allowed, this can be increased to 60.

NOTE : Queries from the third-party application consume resources on the production database. Badly written queries may impact application performance.


STEP 3 : In ServiceDesk/pgsql/data/pg_hba.conf, add entries to allow access.

This can be done in one of two ways.

1. To allow access from any IP address, add the following line at the end of the file:

host    servicedesk     sdpreadonly         0.0.0.0/0               md5


(OR)

2. To allow access from particular IP addresses only, add one entry per IP address, in the format below, at the end of the file:

host    servicedesk     sdpreadonly         <ip-address-1>/32               md5
host    servicedesk     sdpreadonly         <ip-address-2>/32               md5

Note : Option (2) is more secure, but it requires the client machines (the machines on which the third-party tool runs) to have static IP addresses.
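As an added check (example code written for this article, not part of ServiceDesk Plus or Postgres), the script below parses a pg_hba.conf and flags any entry that lets a user other than sdpreadonly, or a database other than servicedesk, be reached from a non-loopback address, or that uses the 'trust' or cleartext 'password' method. The sample pg_hba.conf content is constructed, with two deliberate mistakes for the checker to find.

```python
import ipaddress

READONLY_USER, DATABASE = "sdpreadonly", "servicedesk"   # names used in STEP 1
LOOPBACK = (ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("::1/128"))
WEAK_METHODS = {"trust", "password"}   # no authentication / cleartext password

# Constructed sample: the local loopback line plus STEP 3 style entries, with
# two deliberate mistakes (sdpadmin from anywhere, a 'trust' subnet).
SAMPLE_HBA = """\
host    all             all             127.0.0.1/32            md5
host    servicedesk     sdpreadonly     10.20.30.40/32          md5
host    servicedesk     sdpadmin        0.0.0.0/0               md5
host    all             all             192.168.1.0/24          trust
"""

def parse_rules(text):
    """Yield (type, database, user, address, method); 'local' rules have no address."""
    for raw in text.splitlines():
        f = raw.split("#", 1)[0].split()          # drop comments and blank lines
        if not f:
            continue
        if f[0] != "local" and "/" not in f[3] and f[3] not in ("all", "samehost", "samenet"):
            f[3:5] = [f"{f[3]}/{f[4]}"]           # join address and separate netmask
        yield (f[0], f[1], f[2], None, f[3]) if f[0] == "local" else tuple(f[:5])

def is_remote(address):
    """True if the address field can match a client that is not on the loopback."""
    if address in (None, "samehost"):
        return False
    try:
        net = ipaddress.ip_network(address, strict=False)
    except ValueError:                            # hostname, 'all' or 'samenet'
        return True
    return not any(net.subnet_of(lb) for lb in LOOPBACK if lb.version == net.version)

def audit(text):
    """One finding per rule that breaks the policy: only sdpreadonly, only the
    servicedesk database, password (md5) authentication from remote machines."""
    findings = []
    for _kind, db, user, addr, method in parse_rules(text):
        if method in WEAK_METHODS:
            findings.append(f"weak method {method!r} for {user}@{addr or 'local'}")
        if not is_remote(addr):
            continue
        if user != READONLY_USER:
            findings.append(f"remote access for user {user!r} from {addr}")
        if db != DATABASE:
            findings.append(f"remote access to database {db!r} from {addr}")
    return findings
```

Run audit() on the real ServiceDesk/pgsql/data/pg_hba.conf contents after editing; an empty result means only sdpreadonly can reach the servicedesk database from remote machines.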


Save and close both the files.


Once this is done, start the ServiceDesk Plus application (which will start the Postgres database).

Users can now connect from a remote machine or third-party application using the host (server machine IP address), port (default 65432), username (sdpreadonly) and password (<your-password>).

NOTE : Although the login is restricted with a username and password, the communication over the connection is NOT encrypted. This means anyone monitoring the network traffic can see the query statements and the query response data.

To make this secure, use SSL encryption for the Postgres server.

Refer to the Postgres docs for instructions on how this can be done:
https://www.postgresql.org/docs/10/ssl-tcp.html
