Search Postgresql Archives

Re: DB Authentication Design

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 






On Sun, Jan 12, 2014 at 6:30 AM, François Beausoleil <francois@xxxxxxxxxxx> wrote:
Hi all,

I'm thinking that all apps that connect to the database should have their own user. For example, the web application process is one user, then a report builder process should have another user, and a different process that imports data should have his own too, and so on. Would you generally agree with that?

I'm thinking that by having different users, PGbouncer can create different pools, and better allow me to control concurrency.


It really depends on what you are doing, what your security model is, what your concurrency constraints are, etc.  What you are describing is a fairly typical approach and it sacrifices some real security possibilities for connection pooling possibilities.  The fundamental question is whether the security of your application's user should be tied to the database connection. 

The other option is to have a different user for each user, and assign permissions to the user instead of to the application.  You can use roles to manage groups for each application.

For the latter (per-user permissions), your advantages are:

1.  You can push security responsibility back to the database which is probably better tested than your code will ever be.

2.  You can re-use access across applications, allowing for common security enforcement.

3.  You don't have to trust your applications from your database.

4.  It significantly mitigates the impact of sql injection attacks because top-level attacks don't bypass permission barriers (this is not necessarily true with any functions running as security definer though).

The above are why we use the per-user approach in LedgerSMB.

For per-application approaches, the pros are different:

1.  Since security is not tied to the database connection, you can pool a connection over several users (which is what you are talking about).

2.   You can still have some mitigation of sql injection even if you can't have the same degree, by assigning rights per application instead of per user.

3.  In a web application environment, you have a lot more freedom over authentication in every hop.   If you go with per-user permissions, for web apps you are talking about, effectively, HTTP basic with MD5 or other password auth between the web and db servers, or Kerberos auth on every link, or some more complex scenarios where auth is handled by a different connection and/or role.  But if you go with per-application permissions, you can use HTTP digest or other through between the browser and the server, and anything you want between the web and db servers.  This is because you have less of a need to re-use credentials in that setup.

For the kind of work *I* do, the per-user approach works better, but without knowing a lot about your project I can't offer real recommendations.
--
Best Wishes,
Chris Travers

Efficito:  Hosted Accounting and ERP.  Robust and Flexible.  No vendor lock-in.
http://www.efficito.com/learn_more.shtml

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Postgresql Jobs]     [Postgresql Admin]     [Postgresql Performance]     [Linux Clusters]     [PHP Home]     [PHP on Windows]     [Kernel Newbies]     [PHP Classes]     [PHP Books]     [PHP Databases]     [Postgresql & PHP]     [Yosemite]
  Powered by Linux