On Tue, Mar 25, 2014 at 7:51 AM, Stuart Bishop <[email protected]> wrote:
> The simple fix is to add a usernames or extra_usernames parameter on
> the relation, similar to database, allowing the client to specify a
> list of extra usernames that should be allowed to connect from the
> client to this relation's database.

This works, and has the benefit of using randomly generated passwords. But I need these to be shared among different services, like mysql's shared-db relation.

> There are security issues with this approach. A malicious client can
> specify a database and user with permissions, gaining access to
> another service's data. If service_a and service_b are related to the
> same PostgreSQL service, then if service_a is compromised then all of
> service_b's data is also accessible.

This is the same as with mysql's shared-db relation, right? The same risk exists there, as all services have access to each other's credentials.

> For your particular use case of patching the database, we could use
> the db-admin relation. This already connects as a superuser to any
> database, and we could open that up to connecting to any database as
> any user without lowering security further.

The patch would be like: "GRANT DELETE ON TABLE person TO landscape". That "landscape" is hardcoded, so that user has to exist and be the user the services use. So your first paragraph above solves this already, right? We give a list of users to postgresql via the relation, and "landscape" is in that list.
