Documentation

Babelfish security

Security is an important topic which has to be addressed in a professional manner. Therefore we want to give an overview of how security is handled and what can be done to make the database more robust and resistant against attack. To cover the topic, we need to address the following issues:

• Network security and authentication
• User management and roles

Let’s discuss each of those topics in more detail.

Handling SSL

When a client connects to port 1433, Babelfish compares the SSL setting sent during the client handshake to the Babelfish SSL parameter setting (tds_ssl_encrypt) and determines if a connection will be allowed. If a connection is allowed, encryption behavior is either enforced or not, depending on your parameter settings and the support for encryption offered by the client.

The table below shows how Babelfish behaves for each combination:

User management and roles

Babelfish creates a number of PostgreSQL roles:

• sysadmin
• master_db_owner
• master_dbo
• master_guest
• tempdb_db_owner
• tempdb_dbo
• tempdb_guest

Moreover, there will be a *dbname*_db_owner and a *dbname*_dbo for every database you create in Babelfish.

These roles implement the SQL Server ownership structure. They are created and maintained by Babelfish and should not be used by the application or the end user.

You can use CREATE LOGIN to create a new Babelfish login, which automatically is a user in all databases. Babelfish logins are implemented as PostgreSQL login roles of the same name.

Note that Babelfish does not support the statements CREATE USER and CREATE ROLE.