Re: User privileges in web database applications

From: snacktime <snacktime(at)gmail(dot)com>
To: "pgsql-general(at)postgresql(dot)org" <pgsql-general(at)postgresql(dot)org>
Subject: Re: User privileges in web database applications
Date: 2006-06-30 18:27:48
Message-ID: 1f060c4c0606301127k4f024311t2ea153399a09b2eb@mail.gmail.com
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-general

Both connection pooling and using the superuser with SET SESSION
AUTHORIZATION both have their uses. You might have an application
that processes some type of transaction and inserts data into a users
schema or table, but where there are no user credentials available.
Then you might have a web interface for users to access that data
where user credentials are available. We have this type of setup and
we use a superuser with SET SESSION AUTHORIZATION for the incoming
transactions. But we also have extensive security requirements that
demand we do things most people don't do. Full security/code audits
every quarter, peer review and full testing for any new code,
hardware encryption for sensitive data and keys stored on tokens,
client certificate authentication for all web access, restrictive
firewall, etc..

Bottom line is that I'm paranoid about using SET SESSION
AUTHORIZATION, but it does have it's uses and can be used safely.

In response to

Browse pgsql-general by date

  From Date Subject
Next Message Frank Finner 2006-06-30 18:28:23 Re: PostgreSQL and OpenVZ
Previous Message David Fetter 2006-06-30 18:01:19 Re: Notes on converting from MySQL 5.0.x to PostgreSQL