Skip to main content

How to Backup postgres globals without sysadmin permission in RDS

For those of my Friends who are on postgres RDS and require to backup the globas for a rds instance you would soon find it can't perform a backup with pg_dumpall --globals-only.  The default user that gets created along with the RDS postgres instance does not have adequate permission to get through the backup processes. Bellow is the message that you would receive.
pg_dumpall.exe : pg_dumpall: query failed: ERROR:  permission denied for relation pg_authid
At line:1 char:1

+ & 'C:\setup_msi\postgres\bin\pg_dumpall.exe'  -h XXXXXX.cXXXX...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   + CategoryInfo          : NotSpecified: (pg_dumpall: que...ation pg_authid:String) [], RemoteException
   + FullyQualifiedErrorId : NativeCommandError

pg_dumpall: query was: SELECT oid, rolname, rolsuper, rolinherit, rolcreaterole, rolcreatedb, rolcanlogin, rolconnlimit, rolpassword, rolvaliduntil, rolreplication, rolbypassrls,
pg_catalog.shobj_description(oid, 'pg_authid') as rolcomment, rolname = current_user AS is_current_user FROM pg_authid WHERE rolname !~ '^pg_' ORDER BY 2

The default user created with the instance is not a real sysadmin(even a user with rds_admin)  and i actually admire why AWS didn't treat the rds_admin user like a typical sysadmin. The pg_authid view has the user credentials exposed and thats a potential security risk, as a result good AWS folks have taken a conscious decision to disallow the user with rds_admin to get to the mentioned view. That said, the rds_admin user can read the pg_roles view which is similar to pg_authid but with out the credentials exposed.

I was hoping to write a method to override the default behaviour when i stumbled on the --no-role-password option in postgresv10. What this means is that the pg_dumpall can be executed with --globals-only and the credentials will not make it to the backup file. This will introduce a different challenge to get the restored database to be functional , but i have left that for a different day to fight.

ie. pg_dumpall -h <> -U <> -l <> --no-role-password --globals-only -s -f

Fyi : For those folks who are postgres fluent, you would find that i may not use the common terms relating to postgres as i am a working in progress fella.









Comments

  1. RDS BackupMarch 28, 2018 at 11:49 PM

    RDS backup is very important and this blog explain very well. RDS automates common administrative tasks such as performing backups and patching the software that powers your database. Thanks for sharing useful info.

    ReplyDelete
  2. AnonymousAugust 24, 2022 at 5:38 AM

    Thanks you so much

    ReplyDelete

Post a Comment

Popular posts from this blog

Create a dacpac To Compare Schema Differences

It's been some time since i added anything to the blog and a lot has happened in the last few months. I have run into many number of challenging stuff at Xero and spread my self to learn new things. As a start i want to share a situation where I used a dacpac to compare the differences of a database schema's. - This involves of creating the two dacpacs for the different databases - Comparing the two dacpacs and generating a report to know the exact differences - Generate a script that would have all the changes How to generate a dacbpac The easiest way to create a dacpac for a database is through management studio ( right click on the databae --> task --> Extract data-tier-application). This will work under most cases but will error out when the database has difffrent settings. ie. if CDC is enabled To work around this blocker, you need to use command line to send the extra parameters. Bellow is the command used to generate the dacpac. "%ProgramFiles...
10 comments
Read more

High Watermarks For Incremental Models in dbt

The last few months it’s all been dbt. Dbt is a transform and load tool which is provided by fishtown analytics. For those that have created incremental models in dbt would have found the simplicity and easiness of how it drives the workload. Depending on the target datastore, the incremental model workload implementation changes. But all that said, the question is, should the incremental model use high-watermark as part of the implementation. How incremental models work behind the scenes is the best place to start this investigation. And when it’s not obvious, the next best place is to investigate the log after an test incremental model execution and find the implementation. Following are the internal steps followed for a datastore that does not support the merge statements. This was observed in the dbt log. - As the first step, It will copy all the data to a temp table generated from the incremental execution. - It will then delete all the data from the base table th...
4 comments
Read more

The maximum number of working threads (100) are already running

The problem                 This afternoon, out of the blue, the development folks called over wanting to know why the DB server was not responding, sure enough the databases were not accessible from application and from MMS. I knew there weren’t any maintenance happening and so I logged in to the server remotely and found that the sql services were still running as usual and the services had not restarted. To my surprise, in 10-15 mins everyone was able connect to the server again.  My first thoughts were,  it would have been an issue with the network and due to the glitch the servers weren’t accessible during the  time period. Environment details : -           The sql server were on a hyper v with a single CPU and 1024 memory -           There was 80 + transaction replications setup and further 20-30 sql ser...
Post a Comment
Read more