Re: Restricting database permissions
On Mon, Sep 7, 2009 at 10:09 AM, Thomas Guettler wrote:
> I can speak only for postgres.
>
> We create the database with a special admin-account and
> the owner of the db is the admin-account. Then we grant
> insert, update, delete permissions to the django-db-user.
>
> We have a modified manage.py which lets syncdb run with
> the admin-account (interactive password prompt).

Sounds fantastic! Might you be interested in posting your work?

~ Jason

--
let's end our suffering, and let go of the debts we hold over the heads of others. let's rejoin our brethren in the garden of eden, once again living in paradise.

--
You received this message because you are subscribed to the Google Groups "Django users" group. To post to this group, send email to django-users@googlegroups.com. To unsubscribe from this group, send email to django-users+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/django-users?hl=en
Re: Restricting database permissions
Hi Thomas,

Thank you for your suggestion. The modified manage.py sounds like a very good place for me to start.

Best regards,
Sean

On Mon, 2009-09-07 at 16:09 +0200, Thomas Guettler wrote:
> I can speak only for postgres.
>
> We create the database with a special admin-account and
> the owner of the db is the admin-account. Then we grant
> insert, update, delete permissions to the django-db-user.
>
> We have a modified manage.py which lets syncdb run with
> the admin-account (interactive password prompt).
>
> It is possible, it is more secure, but makes some trouble.
>
> sean wrote:
> > Hi All,
> >
> > I am currently working on a front end to pam-mysql and nss-mysql to
> > allow the creation of linux user accounts through the web.
> >
> > I need to separate out permissions so that Django can read some columns
> > and not others; for instance it should have no access to the password
> > column.
> >
> > I need another mysql user with its mysql password stored in a file
> > owned by root with permissions 700 to do the actual data modification -
> > so this part will need to be separate from the Django app, but called
> > from it via a passwordless sudo entry or something.
> >
> > As Django can only connect to mysql with one user, what is the best way
> > to restrict its permissions to the ones I want it to be able to read?
> > Can this be done at a configuration file level so that upon running
> > syncdb, the permissions are in place?
> >
> > Any pointers greatly appreciated.
Re: Restricting database permissions
I can speak only for postgres.

We create the database with a special admin-account and the owner of the db is the admin-account. Then we grant insert, update, delete permissions to the django-db-user.

We have a modified manage.py which lets syncdb run with the admin-account (interactive password prompt).

It is possible, it is more secure, but makes some trouble.

sean wrote:
> Hi All,
>
> I am currently working on a front end to pam-mysql and nss-mysql to
> allow the creation of linux user accounts through the web.
>
> I need to separate out permissions so that Django can read some columns
> and not others; for instance it should have no access to the password
> column.
>
> I need another mysql user with its mysql password stored in a file
> owned by root with permissions 700 to do the actual data modification -
> so this part will need to be separate from the Django app, but called
> from it via a passwordless sudo entry or something.
>
> As Django can only connect to mysql with one user, what is the best way
> to restrict its permissions to the ones I want it to be able to read?
> Can this be done at a configuration file level so that upon running
> syncdb, the permissions are in place?
>
> Any pointers greatly appreciated.

--
Thomas Guettler, http://www.thomas-guettler.de/
E-Mail: guettli (*) thomas-guettler + de
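A minimal version of the two-account manage.py Thomas describes, written as an added example (his script was never posted, so this is not his code): the restricted django-db-user is used for every command except the schema-changing ones, which run as the database-owning admin account after an interactive password prompt. It assumes the pre-1.2 Django settings names DATABASE_USER / DATABASE_PASSWORD of that era; the ADMIN_COMMANDS set, the account names and the sample settings are placeholders.

```python
import getpass

# Commands that change the schema, so they must run as the account that owns
# the database. This set is an assumption; extend it for your own workflow.
ADMIN_COMMANDS = frozenset(['syncdb', 'reset', 'flush', 'sqlclear'])


def settings_for_command(argv, app_settings, admin_user, ask_password=getpass.getpass):
    """Return the DATABASE_* settings to use for this manage.py invocation.

    app_settings carries the restricted application role (what settings.py
    normally holds). For a command in ADMIN_COMMANDS the admin account is
    substituted and its password is asked for interactively, so it is never
    written into settings.py or the environment.
    """
    chosen = dict(app_settings)
    command = argv[1] if len(argv) > 1 else None
    if command in ADMIN_COMMANDS:
        password = ask_password('Password for database admin %s: ' % admin_user)
        if not password:
            raise SystemExit('admin password required to run %s' % command)
        chosen['DATABASE_USER'] = admin_user
        chosen['DATABASE_PASSWORD'] = password
    return chosen


# Constructed sample of the restricted credentials a django-db-user would get.
APP_SETTINGS = {
    'DATABASE_ENGINE': 'postgresql_psycopg2',
    'DATABASE_NAME': 'accounts',
    'DATABASE_USER': 'django',
    'DATABASE_PASSWORD': 'app-password-placeholder',
}

if __name__ == '__main__':
    import sys
    # In a real manage.py you would copy the returned values onto the settings
    # module (settings.DATABASE_USER = ...) before calling execute_manager.
    db = settings_for_command(sys.argv, APP_SETTINGS, 'dbadmin')
    command = sys.argv[1] if len(sys.argv) > 1 else '(no command)'
    print('running %s as database user %s' % (command, db['DATABASE_USER']))
```

Because the admin password is only ever read from the prompt, a compromise of the web application's settings file exposes nothing beyond the restricted role's DML rights.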
Restricting database permissions
Hi All,

I am currently working on a front end to pam-mysql and nss-mysql to allow the creation of linux user accounts through the web.

I need to separate out permissions so that Django can read some columns and not others; for instance it should have no access to the password column.

I need another mysql user with its mysql password stored in a file owned by root with permissions 700 to do the actual data modification - so this part will need to be separate from the Django app, but called from it via a passwordless sudo entry or something.

As Django can only connect to mysql with one user, what is the best way to restrict its permissions to the ones I want it to be able to read? Can this be done at a configuration file level so that upon running syncdb, the permissions are in place?

Any pointers greatly appreciated.

Regards,
Sean
Re: database permissions
On 08-Aug-07, at 10:13 PM, James Bennett wrote:
>> constructing the SQL. With Django, it is building the SQL for me.
>
> Your best bet is to thoroughly read the documentation on the ORM; once
> your tables are created (it can create them for you, but you don't
> have to let it do that -- instead you can have it print the SQL out to
> a file for you to execute yourself), the ORM only ever does SELECT,
> INSERT and UPDATE, and it's fairly obvious which ORM methods perform
> which queries.

In fact, even at the data level, you could, outside django, do inserts, updates and deletes and allow the django user to use only selects that view the data. In which case the django user would have only read-only access to the database. So your choices are:

1. django user gets create, drop rights on tables and indexes, plus select, insert, update and delete. Alter table rights don't arise until some form of schema evolution makes its way into trunk, as django currently cannot manipulate individual columns in tables.
2. do the db structure manually outside django and give django rights only over the data - select, insert, update, delete.
3. do even the data manipulation outside and allow the django user read-only rights.

There are rigid frameworks around which mandate that *all* actions *must* be done through the framework, otherwise everything gets borked. Django is much more flexible here. So, for example, django doesn't do check constraints - but that doesn't mean that a django app cannot have check constraints. All it means is that you have to set these up in the database manually and maybe write some stuff in the views to catch the db errors. (Check constraints are a GSoC project, so maybe django will have them soon.)

--
regards
kg
http://lawgon.livejournal.com
http://nrcfosshelpline.in/web/
Re: database permissions
On Aug 8, 9:49 am, Stephen Bunn <[EMAIL PROTECTED]> wrote:
> I know it obviously needs to be able to execute SELECT, UPDATE, and
> INSERT statements, but what about ALTER? SHOW? does it need to create
> views? create indexes? what about locking tables and creating temporary
> tables?

The true minimum permissions for your DB are not dependent entirely on Django -- what you plan to do with the particular application you build using Django is just as important.

Obviously, when you run syncdb to create tables from the ORM, you are going to need to give the django user CREATE permission. Don't know if there are cases where it would use ALTER. Once the tables are created, you can revoke the user's CREATE, ALTER, and DROP perms.

All tables are going to need SELECT; so far as I know, none of them are going to need SHOW. Most tables will need INSERT, but not necessarily all -- suppose you have a table that is populated by a different app, and all Django does is consume the data. You may or may not need DELETE for any given table, again depending on how you plan to use it.

As with any serious security issue, there is no quick, easy, right answer. The safe bet is to always assume your setup is insecure, unless you have solid reason to believe otherwise.
Re: database permissions
On 8/8/07, Stephen Bunn <[EMAIL PROTECTED]> wrote:
> Understandable. But for somebody new to an ORM type model (like me)
> things might not be so clear. If I am writing a PHP or Perl
> application, I know exactly what permission it needs because I am
> constructing the SQL. With Django, it is building the SQL for me.

Your best bet is to thoroughly read the documentation on the ORM; once your tables are created (it can create them for you, but you don't have to let it do that -- instead you can have it print the SQL out to a file for you to execute yourself), the ORM only ever does SELECT, INSERT and UPDATE, and it's fairly obvious which ORM methods perform which queries.

--
"Bureaucrat Conrad, you are technically correct -- the best kind of correct."
Re: database permissions
Steve,

SB> Perhaps I am wrong, or just going about this the wrong way, but I have
SB> been looking at the Django documentation and asking around in #django and
SB> nobody can (or does not want to) give me a straight answer on the minimum
SB> database permissions Django needs to operate. So I am assuming that
SB> everybody is just giving Django free rein over the database, which I
SB> think is a bad idea.

SB> Is there any documentation anywhere that describes setting up correct
SB> database permissions for use with Django?

It should strongly depend on the queries you're doing with django. You may inspect them with

  manage.py sql
  manage.py sqlall

and similar commands, together with simply looking into your db query log or django.db.connection.queries in DEBUG mode.

--
Andrey V Khavryuchenko
Django NewGate - http://www.kds.com.ua/djiggit/
Development - http://www.kds.com.ua
Call akhavr1975 on www.gizmoproject.com
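One way to act on Andrey's advice, as an added example that is not code from this thread: run the statements captured from django.db.connection.queries in DEBUG mode through a small classifier that records which DML privilege each table was actually seen to need, then render the matching GRANTs for the restricted role. It goes one step further than the post by separating out DDL, which belongs to the admin account rather than the application role. The query list, table names and role name are constructed samples; the GRANT syntax is PostgreSQL's.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of django.db.connection.queries (DEBUG=True):
# one {'sql': ..., 'time': ...} dict per statement, collected while exercising the app.
SAMPLE_QUERIES = [
    {'sql': 'SELECT "auth_user"."id", "auth_user"."username" FROM "auth_user" WHERE "auth_user"."username" = \'sean\'', 'time': '0.001'},
    {'sql': 'SELECT "accounts_unixuser"."uid" FROM "accounts_unixuser" INNER JOIN "auth_user" ON ("accounts_unixuser"."user_id" = "auth_user"."id")', 'time': '0.002'},
    {'sql': 'INSERT INTO "django_session" ("session_key", "session_data", "expire_date") VALUES (\'k1\', \'d1\', \'2009-09-08\')', 'time': '0.001'},
    {'sql': 'UPDATE "auth_user" SET "last_login" = \'2009-09-07 16:09:00\' WHERE "auth_user"."id" = 1', 'time': '0.001'},
    {'sql': 'DELETE FROM "django_session" WHERE "session_key" = \'k1\'', 'time': '0.001'},
    {'sql': 'CREATE TABLE "accounts_unixuser" ("id" serial NOT NULL PRIMARY KEY)', 'time': '0.010'},
]

IDENT = r'["`]?(\w+)["`]?'          # quoted identifier: postgres "x" or mysql `x`
DML = [
    ('INSERT', re.compile(r'^\s*INSERT\s+INTO\s+' + IDENT, re.I)),
    ('UPDATE', re.compile(r'^\s*UPDATE\s+' + IDENT, re.I)),
    ('DELETE', re.compile(r'^\s*DELETE\s+FROM\s+' + IDENT, re.I)),
]
SELECT_TABLES = re.compile(r'\b(?:FROM|JOIN)\s+' + IDENT, re.I)
DDL = re.compile(r'^\s*(?:CREATE|ALTER|DROP)\b', re.I)


def privileges_from_log(queries):
    """Map each table to the privileges the app role was observed to use.
    DDL is returned separately: it belongs to the schema-owning admin account."""
    grants = defaultdict(set)
    ddl = []
    for entry in queries:
        sql = entry['sql']
        if DDL.match(sql):
            ddl.append(sql)
            continue
        for priv, pattern in DML:
            match = pattern.match(sql)
            if match:
                # UPDATE/DELETE with a WHERE clause also need SELECT on the same
                # table (PostgreSQL and MySQL both require it), so grant it too.
                needed = {priv} if priv == 'INSERT' else {priv, 'SELECT'}
                grants[match.group(1)].update(needed)
                break
        else:
            if re.match(r'^\s*SELECT\b', sql, re.I):
                for table in SELECT_TABLES.findall(sql):
                    grants[table].add('SELECT')
    return dict(grants), ddl


def grant_statements(grants, role):
    """Render per-table GRANTs for the app role, revoking everything first."""
    lines = []
    for table in sorted(grants):
        lines.append('REVOKE ALL ON TABLE "%s" FROM %s;' % (table, role))
        lines.append('GRANT %s ON TABLE "%s" TO %s;' % (', '.join(sorted(grants[table])), table, role))
    return lines
```

The resulting grant list is only as complete as the code paths you exercised while collecting the log, so run it against a full walk through the application, not just the admin site.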
Re: database permissions
Kenneth Gonsalves wrote:
> you have to divide the tasks into those that you want to do through
> django and those that you want to do outside django - django needs
> permissions to do the first set. I don't think one can be clearer than
> that.

Understandable. But for somebody new to an ORM type model (like me) things might not be so clear. If I am writing a PHP or Perl application, I know exactly what permission it needs because I am constructing the SQL. With Django, it is building the SQL for me.

Of course I could sit down and look at the source code and figure it out, but for somebody that is simply going through the tutorial to figure out if Django is for me, it would be nice to know what the minimal set of permissions is to get through the tutorial with it working.

For my purposes I am just going to willy-nilly give Django all permissions so I can test it out, but I still think it should be documented somewhere.
Re: database permissions
You need certain permissions to set up the superuser account, although I don't know which; only Select, Update and Insert are not enough to set up the superuser account.

On 8/8/07, Kenneth Gonsalves <[EMAIL PROTECTED]> wrote:
> On 08-Aug-07, at 7:19 PM, Stephen Bunn wrote:
> > therein lies the problem. What is 'everything' that Django requires to
> > be done?
> >
> > I know it obviously needs to be able to execute SELECT, UPDATE, and
> > INSERT statements, but what about ALTER? SHOW? does it need to create
> > views? create indexes? what about locking tables and creating temporary
> > tables?
>
> you have to divide the tasks into those that you want to do through
> django and those that you want to do outside django - django needs
> permissions to do the first set. I don't think one can be clearer than
> that.
>
> --
> regards
> kg
> http://lawgon.livejournal.com
> http://nrcfosshelpline.in/web/
Re: database permissions
On 08-Aug-07, at 7:19 PM, Stephen Bunn wrote:
> therein lies the problem. What is 'everything' that Django requires to
> be done?
>
> I know it obviously needs to be able to execute SELECT, UPDATE, and
> INSERT statements, but what about ALTER? SHOW? does it need to create
> views? create indexes? what about locking tables and creating temporary
> tables?

You have to divide the tasks into those that you want to do through django and those that you want to do outside django - django needs permissions to do the first set. I don't think one can be clearer than that.

--
regards
kg
http://lawgon.livejournal.com
http://nrcfosshelpline.in/web/
Re: database permissions
Kenneth Gonsalves wrote:
> On 08-Aug-07, at 6:51 PM, Stephen Bunn wrote:
>
> use whatever permissions you are happy with. As long as the user
> under which django accesses the database can do everything django
> requires to be done, it's fine. I don't think this is any different
> from any other cgi application accessing a database.

Therein lies the problem. What is 'everything' that Django requires to be done?

I know it obviously needs to be able to execute SELECT, UPDATE, and INSERT statements, but what about ALTER? SHOW? Does it need to create views? Create indexes? What about locking tables and creating temporary tables?
Re: database permissions
On 08-Aug-07, at 6:51 PM, Stephen Bunn wrote:
> Is there any documentation anywhere that describes setting up correct
> database permissions for use with Django.

Use whatever permissions you are happy with. As long as the user under which django accesses the database can do everything django requires to be done, it's fine. I don't think this is any different from any other cgi application accessing a database.

--
regards
kg
http://lawgon.livejournal.com
http://nrcfosshelpline.in/web/
database permissions
Perhaps I am wrong, or just going about this the wrong way, but I have been looking at the Django documentation and asking around in #django and nobody can (or does not want to) give me a straight answer on the minimum database permissions Django needs to operate. So I am assuming that everybody is just giving Django free rein over the database, which I think is a bad idea.

Is there any documentation anywhere that describes setting up correct database permissions for use with Django?

Thanks.
Steve