| From: | Merlin Moncure <mmoncure(at)gmail(dot)com> |
|---|---|
| To: | Chris Travers <chris(dot)travers(at)gmail(dot)com> |
| Cc: | Scott Marlowe <scott(dot)marlowe(at)gmail(dot)com>, pgsql-general(at)postgresql(dot)org |
| Subject: | Re: Using Postgresql as application server |
| Date: | 2011-08-16 19:31:33 |
| Message-ID: | CAHyXU0zCRh1qxqwYEnaKDzudFfFgma54YidhKw1_d_c09DyL4w@mail.gmail.com |
| Lists: | pgsql-admin pgsql-general |
On Tue, Aug 16, 2011 at 1:47 PM, Chris Travers <chris(dot)travers(at)gmail(dot)com> wrote:
> On Tue, Aug 16, 2011 at 11:08 AM, Merlin Moncure <mmoncure(at)gmail(dot)com> wrote:
>
>> why not? if you are serving http, just put thin connection pooler in
>> your http server (node.js would be great for that). if you are
>> serving libpq directly, you can pool with pgbouncer.
>>
> Who enforces security and how?

*) http wrapper (example node.js): check security in the wrapper.
presumably your application server would be keeping sessions state
independently of database session and would do verification on every
call.

*) stock pgbouncer: there is essentially no strong way of checking
security. what we ended up doing was modifying pgbouncer to keep track
of the client auth and building a query whitelist. very simple and
effective. we also added in support for listen/notify. imagine
interacting directly with remote agents inside the psql console and
being able to join client provided data to other tables in the
database :-). ad hoc sql obviously can't be allowed from an untrusted
source.

merlin
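
The per-call check described in the message above (session verified in the wrapper, then a query whitelist tied to the authenticated client), as an added example in node.js-style JavaScript; it is not code from this thread or from the modified pgbouncer. The query names, SQL text, roles and session tokens are constructed for illustration.

```javascript
// Constructed whitelist: query name -> fixed SQL text, the roles allowed to
// run it, and one validator per positional parameter. All names hypothetical.
const isInt = (v) => Number.isInteger(v);
const isShortText = (v) => typeof v === 'string' && v.length <= 64;

const WHITELIST = new Map([
  ['order_by_id', {
    roles: ['agent', 'admin'], params: [isInt],
    text: 'SELECT id, status FROM orders WHERE id = $1' }],
  ['set_status', {
    roles: ['admin'], params: [isInt, isShortText],
    text: 'UPDATE orders SET status = $2 WHERE id = $1' }],
]);

// Constructed session store: the wrapper keeps session state itself,
// independent of any database session, and consults it on every call.
const SESSIONS = new Map([
  ['tok-agent', { user: 'remote1', role: 'agent', expires: 2000 }],
  ['tok-admin', { user: 'ops', role: 'admin', expires: 2000 }],
]);

// Returns { ok: true, user, text, values } for the pool to execute, or
// { ok: false, reason }. The client supplies a query name and values only,
// never SQL text. `now` is the current time (Date.now() in real use).
function authorize(token, request, now) {
  const session = SESSIONS.get(token);
  if (!session || session.expires <= now) return { ok: false, reason: 'no-session' };
  if (!request || typeof request.name !== 'string') {
    return { ok: false, reason: 'bad-request' };
  }
  const entry = WHITELIST.get(request.name); // Map lookup: no prototype keys
  if (!entry) return { ok: false, reason: 'not-whitelisted' };
  if (!entry.roles.includes(session.role)) return { ok: false, reason: 'forbidden' };
  const values = Array.isArray(request.values) ? request.values : [];
  if (values.length !== entry.params.length ||
      !entry.params.every((check, i) => check(values[i]))) {
    return { ok: false, reason: 'bad-params' };
  }
  return { ok: true, user: session.user, text: entry.text, values };
}

// Stand-alone demo with constructed requests (clock value 1000 is arbitrary).
console.log(authorize('tok-agent', { name: 'order_by_id', values: [42] }, 1000));
console.log(authorize('tok-agent', { name: 'SELECT 1', values: [] }, 1000));
```

The object returned on success is what the wrapper would hand to its connection pool as a parameterized statement; every other outcome is refused before any database connection is used.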