On 02/22/2011 03:10 PM, Maurits van Rees wrote:
> Hi,
> Normally RelStorage creates the database tables for you and the user you
> have specified is the owner of those tables.  For security reasons a
> client does not want this, but wants a different user to own the tables
> and instead only grant some permissions to the relstorage user.  I guess
> theoretically there could be a bug in the relstorage code that could
> lead to more problems when the relstorage user has full rights to those
> tables.  I am not losing any sleep over fears like that though. :-)
> But putting aside a potentially distracting discussion about whether
> this extra security is needed: which permissions does relstorage really
> need?  Select, update, insert and delete are obvious.  I have seen that
> packing also needs the truncate permission.  Everything seems to work
> with this combination.
> But for that extra bit of peace of mind: am I overlooking a permission?

Well, this is why transactions are really nice.  If you overlooked 
anything, it is very likely that some transaction will be aborted 
normally and you'll get a nice traceback that narrows the problem 
quickly.  So I think you'll be fine. :-)

For more information about ZODB, see the ZODB Wiki:

ZODB-Dev mailing list  -  ZODB-Dev@zope.org
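
An added example, not part of the original thread and not RelStorage's own code: it grants the five privileges named in the question to a non-owner account and then audits the result. It assumes PostgreSQL 9.0 or later and tables in schema `public`; the role name `relstorage` is hypothetical.

```sql
-- Added example. Assumptions: PostgreSQL 9.0+, tables in schema "public",
-- hypothetical restricted role "relstorage". Run as the role that owns the tables.

BEGIN;
-- Start from nothing, then grant only the privileges named in the thread.
REVOKE ALL ON ALL TABLES IN SCHEMA public FROM relstorage;
GRANT SELECT, INSERT, UPDATE, DELETE, TRUNCATE
    ON ALL TABLES IN SCHEMA public TO relstorage;
COMMIT;

-- Audit 1: any (table, privilege) pair from the intended set that the
-- restricted role does NOT hold. An empty result means nothing is missing.
SELECT c.relname AS table_name,
       p.priv    AS missing_privilege
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
CROSS JOIN (VALUES ('SELECT'), ('INSERT'), ('UPDATE'),
                   ('DELETE'), ('TRUNCATE')) AS p(priv)
WHERE n.nspname = 'public'
  AND c.relkind = 'r'
  AND NOT has_table_privilege('relstorage', c.oid, p.priv)
ORDER BY 1, 2;

-- Audit 2: tables the restricted role owns, or on which it effectively holds
-- privileges outside the intended set (including via PUBLIC or role
-- membership). An empty result means the separation is in place.
SELECT c.relname                    AS table_name,
       pg_get_userbyid(c.relowner)  AS owner,
       has_table_privilege('relstorage', c.oid, 'REFERENCES') AS can_reference,
       has_table_privilege('relstorage', c.oid, 'TRIGGER')    AS can_trigger
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
WHERE n.nspname = 'public'
  AND c.relkind = 'r'
  AND (pg_get_userbyid(c.relowner) = 'relstorage'
       OR has_table_privilege('relstorage', c.oid, 'REFERENCES')
       OR has_table_privilege('relstorage', c.oid, 'TRIGGER'))
ORDER BY 1;
```

The audit queries only cover table privileges; they say nothing about other object types the application may touch.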
