PostgreSQL User Privilege Requirements
If you are setting up a dedicated remote PostgreSQL database server for MetaDefender Core to use, and that PostgreSQL server has a strict security policy, then this article is relevant to your deployment.
MetaDefender Core needs to create and use dedicated PostgreSQL users for database setup, upgrades and its own day-to-day operations. Those users require certain privileges on the PostgreSQL server; without them, failures are expected while installing and operating MetaDefender Core.
MetaDefender Core requires 2 types of PostgreSQL users:
User | Purpose |
---|---|
Main PostgreSQL user | Create databases, schemas, roles, PostgreSQL extensions, internal PostgreSQL users, etc. (setup and upgrade tasks). |
Internal PostgreSQL user | Used by the running MetaDefender Core service for its own database operations. |
PostgreSQL User Privilege Requirements
Main PostgreSQL User
Privilege | Description |
---|---|
SUPERUSER | Create PostgreSQL extensions, create MetaDefender Core databases, create the internal PostgreSQL user, terminate connections and rename the database while upgrading MetaDefender Core (only when upgrading from standalone mode to shared mode). |
CREATEDB | Create MetaDefender Core databases (fresh install, and upgrade from standalone to shared mode). |
CREATEROLE | Create the internal PostgreSQL user (named in the format usr_xxxxxxx). |
LOGIN | Allows the role to log in, i.e. to open a client connection to the server. |
Internal PostgreSQL User
Privilege | Description |
---|---|
LOGIN | Allows the role to log in, i.e. to open a client connection to the server. |
Privileges Setting Up Guidelines
Before MetaDefender Core Installation
Prepare Main PostgreSQL User
You can create a new main PostgreSQL user or use an existing one. For example:
create role mdcore with SUPERUSER CREATEDB CREATEROLE LOGIN password 'mdcorepassword';
Replace 'mdcorepassword' with a strong password of your own; this role is a superuser on your database server.
Configure pg_hba.conf
Configure your pg_hba.conf to allow access for the main PostgreSQL user.
- If you use a customized internal PostgreSQL user (see Customize Internal PostgreSQL User), configure access for that user as well.
- Each pg_hba.conf entry specifies the connection type, database, user, client address and authentication method. Restrict the entry for the main user to the address (or network) of the MetaDefender Core host, and use a password-based method such as scram-sha-256 rather than trust.
Restart the PostgreSQL server service for the change to take effect.
After MetaDefender Core Installation
Configure pg_hba.conf (for the auto-generated internal PostgreSQL user)
If you let MetaDefender Core automatically create and use the internal PostgreSQL user (usr_xxxxxxx), configure your pg_hba.conf to allow access for this auto-generated user, again restricted to the MetaDefender Core host's address.
Note: To find the exact username of the auto-generated user usr_xxxxxxx, list the roles on the server (for example with the \du meta-command in psql, or by querying pg_roles); see:
https://www.postgresqltutorial.com/postgresql-administration/postgresql-list-users/
Restart the PostgreSQL server service for the change to take effect.
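The following queries are an added example, not part of OPSWAT's documentation. They list every role whose name starts with the usr_ prefix used for the auto-generated internal user, show which MetaDefender Core databases exist, and flag any usr_ role that carries more than the LOGIN attribute this page requires. The usr_ prefix and the metadefender_core database name pattern are taken from this page; run the queries as a superuser in psql.

```sql
-- Added example: locate the auto-generated internal user(s) and confirm
-- they carry only the LOGIN attribute. Run as a superuser in psql.

-- 1. Roles whose name starts with "usr_". The backslash escapes the "_"
--    so it matches a literal underscore, not a one-character wildcard.
SELECT rolname,
       rolcanlogin   AS login,
       rolsuper      AS superuser,
       rolcreatedb   AS createdb,
       rolcreaterole AS createrole
FROM   pg_roles
WHERE  rolname LIKE 'usr\_%' ESCAPE '\'
ORDER  BY rolname;

-- 2. MetaDefender Core database(s) present on this server and their owner.
--    (metadefender_core for shared mode, metadefender_core_xxxxxx for standalone.)
SELECT d.datname, r.rolname AS owner
FROM   pg_database d
JOIN   pg_roles    r ON r.oid = d.datdba
WHERE  d.datname LIKE 'metadefender\_core%' ESCAPE '\';

-- 3. Any usr_ role holding an attribute beyond LOGIN. This page requires
--    only LOGIN for the internal user, so this query should return no rows.
SELECT rolname
FROM   pg_roles
WHERE  rolname LIKE 'usr\_%' ESCAPE '\'
  AND  (rolsuper OR rolcreatedb OR rolcreaterole OR rolreplication OR rolbypassrls);
```

Copy the rolname returned by the first query into the pg_hba.conf entry for the internal user. If the third query returns a row, the internal user has been granted more than this page calls for and should be reviewed.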
Revoke some privileges from the main PostgreSQL user (if needed)
If you need to revoke some privileges from the main PostgreSQL user for security reasons, you can do so for these privileges: SUPERUSER, CREATEDB, CREATEROLE.
Please read these notes carefully before revoking, because each privilege removes a recovery capability from MetaDefender Core:
- Without SUPERUSER, MetaDefender Core cannot drop the internal user usr_xxxxxxx automatically; use a custom internal PostgreSQL user instead (see Customize Internal PostgreSQL User). MetaDefender Core also cannot create PostgreSQL extensions if the database needs to be recreated.
- Without CREATEDB, MetaDefender Core cannot create a new database if the old database was dropped.
- Without CREATEROLE, MetaDefender Core cannot generate a new internal PostgreSQL user usr_xxxxxxx if you let MetaDefender Core generate that user automatically.
Steps to revoke the SUPERUSER privilege from the main PostgreSQL user:
1) Install MetaDefender Core and set it up successfully.
2) Using another SUPERUSER role, log in to the correct MetaDefender Core database:
- metadefender_core for the shared deployment model.
- metadefender_core_xxxxxx for the standalone deployment model.
3) Grant access to the pg_catalog and information_schema schemas to the main PostgreSQL user. These grants are stored per database, which is why step 2 must connect to the MetaDefender Core database itself.
GRANT USAGE ON SCHEMA pg_catalog TO mdcore;
GRANT ALL ON ALL TABLES IN SCHEMA pg_catalog TO mdcore;
GRANT USAGE ON SCHEMA information_schema TO mdcore;
GRANT ALL ON ALL TABLES IN SCHEMA information_schema TO mdcore;
Note: ALL on a table includes INSERT, UPDATE, DELETE and TRUNCATE, so these statements give the main user write access to that database's system catalogs, considerably more than the SELECT that ordinary catalog queries need. This is the grant the product documents; if your policy is stricter, test whether SELECT alone is sufficient in a non-production deployment before relying on it.
4) Revoke the SUPERUSER privilege from the main PostgreSQL user:
alter user mdcore NOSUPERUSER CREATEDB CREATEROLE LOGIN;
5) Restart the MetaDefender Core service.
Steps to revoke the other privileges from the main PostgreSQL user:
1) Install MetaDefender Core and set it up successfully.
2) Revoke the CREATEDB and CREATEROLE privileges from the main PostgreSQL user:
alter user mdcore NOSUPERUSER NOCREATEDB NOCREATEROLE LOGIN;
3) Restart the MetaDefender Core service.
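The script below is an added example, not OPSWAT's own procedure text. It runs the SUPERUSER revocation from the steps above as a single transaction and then verifies the result with catalog queries, so you can prove the hardening took effect before restarting MetaDefender Core. It assumes the role name mdcore and the database name metadefender_core used on this page, and that you are connected as a separate superuser.

```sql
-- Added example: revoke SUPERUSER from the main user "mdcore" after a
-- successful install, then verify. Connect as a different superuser to the
-- MetaDefender Core database first, e.g. in psql:  \c metadefender_core
-- (use metadefender_core_xxxxxx for a standalone deployment).

BEGIN;

-- Step 3: catalog access that mdcore still needs once it is no longer
-- a superuser (grants on pg_catalog are per database).
GRANT USAGE ON SCHEMA pg_catalog TO mdcore;
GRANT ALL ON ALL TABLES IN SCHEMA pg_catalog TO mdcore;
GRANT USAGE ON SCHEMA information_schema TO mdcore;
GRANT ALL ON ALL TABLES IN SCHEMA information_schema TO mdcore;

-- Step 4: drop SUPERUSER; keep CREATEDB and CREATEROLE so the product can
-- still recreate its database and its auto-generated internal user.
ALTER ROLE mdcore NOSUPERUSER CREATEDB CREATEROLE LOGIN;

-- Second procedure on this page, optional: also drop CREATEDB/CREATEROLE.
-- Only do this if you accept that MetaDefender Core can no longer recreate
-- its database or its auto-generated internal user.
-- ALTER ROLE mdcore NOSUPERUSER NOCREATEDB NOCREATEROLE LOGIN;

COMMIT;

-- Verification 1: the role attributes as PostgreSQL now sees them.
SELECT rolname, rolsuper, rolcreatedb, rolcreaterole, rolcanlogin, rolbypassrls
FROM   pg_roles
WHERE  rolname = 'mdcore';

-- Verification 2: the schema/table grants are effective in this database.
SELECT has_schema_privilege('mdcore', 'pg_catalog', 'USAGE')          AS catalog_usage,
       has_table_privilege('mdcore', 'pg_catalog.pg_class', 'SELECT')  AS catalog_select,
       has_schema_privilege('mdcore', 'information_schema', 'USAGE')   AS infoschema_usage;

-- Verification 3: which roles still hold SUPERUSER on this server. Only the
-- superuser you administer with (and PostgreSQL's bootstrap superuser)
-- should appear; mdcore must not.
SELECT rolname FROM pg_roles WHERE rolsuper ORDER BY rolname;
```

After the transaction commits, the first verification query should show rolsuper as false for mdcore with rolcanlogin still true, and the three privilege checks in the second query should all be true; restart the MetaDefender Core service only once both hold.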