On 02/16/2018 07:37 AM, Pierre-Yves Chibon wrote:
> On Fri, Feb 16, 2018 at 04:12:15PM +0100, Aurelien Bompard wrote:
>> In the normal vm case, I have a couple questions:
...snip...
>> Do we still require two DB users, one with CRUD permissions and one with
>> full permissions? I haven't seen it used outside the hyperkitty playbook.
>> If so, I'll need a password for the admin user too, and I'm interested in
>> the way you give the privileges on the tables to the non-admin user. For
>> HyperKitty I use a rather clumsy handwritten script, but there may be a
>> better way.
>
> I know that I started using two users at one point but I ended up going back to
> a single one for most use cases as managing the permissions was clumsy indeed.
> Updating the database schema required adjusting the permissions on tables, on
> indexes and forgetting one, getting a permission denied error and adjusting
> again :s
> Are you sure you want two users?
>
> I can create a user (hubs_db_user) and a database (hubs_db) and give the user
> full access to the db if that works for you.

Well, the idea was that we have an admin user that can change schema and
drop things and the like and the 'normal' user that the app runs with
that cannot do those things. That way if the application is compromised,
they can only do things the normal user could do, not dropping entire
tables or the like.

I agree it's hard to set up perms just right for this.

This would definitely be something it would be nice to have detailed
docs on and I don't think we have any currently.

kevin
_______________________________________________ infrastructure mailing list -- infrastructure@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to infrastructure-leave@xxxxxxxxxxxxxxxxxxxxxxx
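
One way to get the admin/application split discussed in this thread without a hand-maintained grant script, as an added example that is not part of the original messages or of any existing playbook. It assumes PostgreSQL and an existing hubs_db database, reuses the hubs_db and hubs_db_user names from the thread, and introduces a hypothetical hubs_db_admin role and placeholder passwords.

```sql
-- Added example; assumes PostgreSQL. Run as a superuser while connected to hubs_db.
-- hubs_db_admin is a hypothetical name; the passwords are placeholders.
-- Skip a CREATE ROLE if that role already exists.
CREATE ROLE hubs_db_admin LOGIN PASSWORD 'CHANGE_ME_ADMIN';
CREATE ROLE hubs_db_user  LOGIN PASSWORD 'CHANGE_ME_APP';

-- The admin role owns the database and the schema, so only it can run
-- migrations (CREATE / ALTER / DROP of tables and indexes).
ALTER DATABASE hubs_db OWNER TO hubs_db_admin;
ALTER SCHEMA public OWNER TO hubs_db_admin;
REVOKE ALL ON DATABASE hubs_db FROM PUBLIC;
REVOKE CREATE ON SCHEMA public FROM PUBLIC;

-- The application role may connect and resolve names, nothing structural.
GRANT CONNECT ON DATABASE hubs_db TO hubs_db_user;
GRANT USAGE ON SCHEMA public TO hubs_db_user;

-- CRUD on everything that already exists.
GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA public TO hubs_db_user;
GRANT USAGE, SELECT ON ALL SEQUENCES IN SCHEMA public TO hubs_db_user;

-- CRUD on everything hubs_db_admin creates later. This replaces the
-- "adjust the grants after every schema change" step: new tables and
-- sequences pick up these grants at creation time.
ALTER DEFAULT PRIVILEGES FOR ROLE hubs_db_admin IN SCHEMA public
    GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO hubs_db_user;
ALTER DEFAULT PRIVILEGES FOR ROLE hubs_db_admin IN SCHEMA public
    GRANT USAGE, SELECT ON SEQUENCES TO hubs_db_user;

-- PostgreSQL has no per-index privileges: indexes follow their table, and
-- only the table owner can create or drop them, so no index grants are needed.
-- TRUNCATE is deliberately not granted; DROP requires ownership.

-- Confirm the split on a throwaway table created the way a migration would.
SET ROLE hubs_db_admin;
CREATE TABLE perm_check (id serial PRIMARY KEY);
RESET ROLE;

SELECT has_table_privilege('hubs_db_user', 'perm_check', 'INSERT')    AS app_can_insert,
       has_table_privilege('hubs_db_user', 'perm_check', 'TRUNCATE')  AS app_can_truncate,
       has_schema_privilege('hubs_db_user', 'public', 'CREATE')       AS app_can_create;

DROP TABLE perm_check;
```

Default privileges only apply to objects created by the role named in FOR ROLE, so migrations must run as hubs_db_admin; tables created by any other role still need explicit grants.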