0

我使用来自 docker hub 和 postgres 12 的最新 apache guacamole 作为数据库,我想使用 postgres 创建一个登录用户,但它不起作用。

这是从文档创建用户的方法:

-- Generate salt
SET @salt = UNHEX(SHA2(UUID(), 256));

-- Create user and hash password with salt
INSERT INTO guacamole_user (username, password_salt, password_hash)
     VALUES ('myuser', @salt, UNHEX(SHA2(CONCAT('mypassword', HEX(@salt)), 256)));

但是这里的第一个命令给了我一个错误:

guacamole_db=# SET @salt = UNHEX(SHA2(UUID(), 256));
ERROR:  syntax error at or near "@"
LINE 1: SET @salt = UNHEX(SHA2(UUID(), 256));
            ^

从文档中,这就是他们在 postgres 中创建默认用户的方式:“guacadmin”

INSERT INTO guacamole_entity (name, type) VALUES ('guacadmin', 'USER');
INSERT INTO guacamole_user (entity_id, password_hash, password_salt, password_date)
SELECT
    entity_id,
    decode('CA458A7D494E3BE824F5E1E175A1556C0F8EEF2C2D7DF3633BEC4A29C4411960', 'hex'),  -- 'guacadmin'
    decode('FE24ADC5E11E2B25288D1704ABE67A79E342ECC26064CE69C5B3177795A82264', 'hex'),
    CURRENT_TIMESTAMP
FROM guacamole_entity WHERE name = 'guacadmin' AND guacamole_entity.type = 'USER';

-- Grant admin permission to read/update/administer self
INSERT INTO guacamole_user_permission (entity_id, affected_user_id, permission)
SELECT guacamole_entity.entity_id, guacamole_user.user_id, permission::guacamole_object_permission_type
FROM (
    VALUES
        ('guacadmin', 'guacadmin', 'READ'),
        ('guacadmin', 'guacadmin', 'UPDATE'),
        ('guacadmin', 'guacadmin', 'ADMINISTER')
) permissions (username, affected_username, permission)
JOIN guacamole_entity          ON permissions.username = guacamole_entity.name AND guacamole_entity.type = 'USER'
JOIN guacamole_entity affected ON permissions.affected_username = affected.name AND guacamole_entity.type = 'USER'
JOIN guacamole_user            ON guacamole_user.entity_id = affected.entity_id;

我如何翻译这个来创建新用户,密码为“123456”的“test”并且只有READ premmision?

这是相关表的样子:

鳄梨酱实体:

 entity_id |   name    | type
-----------+-----------+------
         1 | guacadmin | USER

guacamole_user:

 user_id | entity_id |                           password_hash                            |                           password_salt                            |        pass
word_date         | disabled | expired | access_window_start | access_window_end | valid_from | valid_until | timezone | full_name | email_address | organization | organiza
tional_role
---------+-----------+--------------------------------------------------------------------+--------------------------------------------------------------------+------------
------------------+----------+---------+---------------------+-------------------+------------+-------------+----------+-----------+---------------+--------------+---------
------------
       1 |         1 | \xca458a7d494e3be824f5e1e175a1556c0f8eef2c2d7df3633bec4a29c4411960 | \xfe24adc5e11e2b25288d1704abe67a79e342ecc26064ce69c5b3177795a82264 | 2020-01-13
09:10:56.73947+00 | f        | f       |                     |                   |            |             |          |           |               |              |

guacamole_user_permission :

 entity_id | affected_user_id | permission
-----------+------------------+------------
         1 |                1 | READ
         1 |                1 | UPDATE
         1 |                1 | ADMINISTER
4

3 回答 3

1

我最终在 python 中使用 POST 请求创建了一个用户:第一部分是我们需要为我们想要发送到 guacamole api 的所有请求获取一个令牌:

导入请求

url = "http://guacamoleipornginx/api"
headers ={
    'Accept': 'application/json',
    'Content-Type': 'application/x-www-form-urlencoded'}
res = requests.post(url + "/tokens", headers=headers, data={'username': 'guacadmin', 'password': 'guacadmin'})
authToken = res.json()['authToken']

使用该令牌,我们可以发送创建用户的请求:用您的值填写 USERNAME 和 USERPASSWORD。

headers ={
        'Accept': 'application/json',
        'Content-Type': 'application/json;charset=UTF-8'}

uri = "session/data/postgresql/users?token=" + authToken
data = {
        "username": $USERNAME,
        "password": $USERPASSWORD,
        "attributes":{"disabled":"","expired":"","access-window-start":"","access-window-end":"","valid-from":"","valid-until":"","timezone":None}}
res = requests.post(url + "/" + uri, headers=headers, json=data)

这里的最后一部分是授予您在上面创建的用户查看连接的权限,如果不需要,您不必使用它。对于此请求,我们将需要您创建的连接的连接 ID。我的鳄梨酱是我在这里得到的 docker guacamole: https ://github.com/boschkundendienst/guacamole-docker-compose

它使用 nginx + gouacamole 和 postgreSql,所以在 postgrs 中你可以看到guacamole_connection. 然后您可以将连接权限添加到创建的用户:

uri = "session/data/postgresql/users/" + $USERNAME+ "/permissions?token=" + authToken
ID = 52 # here is the connection id of some connection created in guoacamole psql db.
data = [
            {"op":"add",
            "path": '/connectionPermissions/' + str(ID),
            "value":"READ"}]
res = requests.patch(url + "/" + uri, headers=headers, json=data)

您也可以使用此方法添加与鳄梨酱的连接。您只需打开 F12 并查看它在创建连接时发送的值并使用上述相同的方法使用它。

生病添加另一个很酷的东西 - 这是你可以看到活动连接的方式:

url = "http://guacamoleipornginx/api"
uri = "/session/data/postgresql/activeConnections?token=" + authToken
res = requests.get(url + "/" + uri)

我希望这有助于我在获取所有这些信息时遇到了很多麻烦。

于 2020-02-20T09:22:28.273 回答
0

正如 minokolic 提到的那样,您所指的示例是为 MySql 制作的,并且没有真正需要与 MySql 做同样的事情。下面是我为了在 PostgreSQL 中从 Python 创建一个新用户所做的:

CREATE_USER = (
    "INSERT INTO guacamole_user "
    "(entity_id, password_hash, password_date) "
    "VALUES (%(entity_id)s, decode(%(pwd)s, 'hex'), CURRENT_TIMESTAMP)"
)

使用那个 TSQL 查询,注意我们使用了decode函数,并且我们也删除了盐,如果你想使用盐,你也应该decode在那个列中使用。

然后,散列您的用户密码:

hashed_pwd = hashlib.sha256(
    user_password.encode('utf-8')
).hexdigest()

旁注:如果你想使用盐,这应该在哈希之前连接到密码。

然后,只需执行光标,创建用户:

cursor.execute(
    CREATE_USER, {'entity_id': entity_id, 'pwd': hashed_pwd},
)

这应该足够了。

于 2020-08-26T16:28:57.787 回答
0

The example you are referring to is made for MySql. The function for the generation of the password uses MySql specific functions, so you have to find appropriate replacements in PostgreSQL.

A quick search found the following potential replacements:

UNHEX - MySQL's HEX() and UNHEX() equivalent in Postgres?

SHA2 - probably some functions from pgcrypto module, https://www.postgresql.org/docs/8.3/pgcrypto.html

UUID - probably uuid_generate_v1() or uuid_generate_v4()

于 2020-01-26T19:07:07.957 回答