
Re: RFC: common database policy/infrastructure



In article <b2cc26e404121607171549a740@mail.gmail.com>,
Olaf van der Spek  <olafvdspek@gmail.com> wrote:
>On Thu, 16 Dec 2004 08:51:32 -0600, Steve Greenland
><steveg@moregruel.net> wrote:
>> On 16-Dec-04, 08:04 (CST), Olaf van der Spek <olafvdspek@gmail.com> wrote:
>> > Take for example a web application like a forum. It requires the
>> > password so it can connect to the database. It can't/won't ask the
>> > password from the user.
>> 
>> But there is (or at least, should be) a specific user for that forum
>> application, with the minimum of rights needed for that application
>> (e.g. SELECT and UPDATE) in a single specific database. You're talking
>> about a DB *admin* password.
>
>Ah, k. It makes less/no sense to store that password.
>But I wonder, is there no way to use the 'power' of the root account
>to do such DB administration without password then?

With postgres - sure. You can use 'ident' authentication. It looks
up who is at the other end of the socket/connection using ident
for TCP or local credentials for Unix sockets. Based on that
you can allow all sorts of access (using pg_hba.conf and pg_ident.conf).

Mike.
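
The Unix-socket case described in the message above, as an added sketch that is not part of the original post and is not PostgreSQL's own code: the server asks the kernel who owns the other end of the socket, then checks that OS user against a pg_ident.conf-style map before granting a database role. It assumes Linux (`SO_PEERCRED`); the map names, users and roles in `IDENT_MAP` are constructed for illustration.

```python
import pwd
import socket
import struct

# Constructed map in the spirit of pg_ident.conf:
# (MAPNAME, SYSTEM-USERNAME, DATABASE-ROLE). All values are illustrative.
IDENT_MAP = [
    ("admin", "root", "postgres"),
    ("admin", "postgres", "postgres"),
    ("forum", "www-data", "forum_app"),
]

def peer_uid(conn):
    """Return the uid of the process at the other end of a Unix socket.

    The kernel fills in struct ucred (pid, uid, gid); the client cannot forge it.
    """
    size = struct.calcsize("iII")
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, size)
    _pid, uid, _gid = struct.unpack("iII", raw)
    return uid

def system_user(uid):
    """Translate a uid to a login name; None if it has no passwd entry."""
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return None

def authorize(map_name, os_user, requested_role, ident_map=IDENT_MAP):
    """Allow the connection only if the map pairs this OS user with the role."""
    if os_user is None:
        return False  # unknown uid can never match a map line
    return any(m == map_name and s == os_user and r == requested_role
               for m, s, r in ident_map)

def demo():
    """Connected socket pair standing in for client and database server."""
    server, client = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        uid = peer_uid(server)
        user = system_user(uid)
        return uid, user, authorize("admin", user, "postgres")
    finally:
        server.close()
        client.close()

if __name__ == "__main__":
    print(demo())
```

No password is stored or sent: access depends only on the kernel-reported uid and the map, so the forum's OS user can reach its own limited role but not the admin role.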


