Re: RFC: common database policy/infrastructure
In article <firstname.lastname@example.org>,
Olaf van der Spek <email@example.com> wrote:
>On Thu, 16 Dec 2004 08:51:32 -0600, Steve Greenland
>> On 16-Dec-04, 08:04 (CST), Olaf van der Spek <firstname.lastname@example.org> wrote:
>> > Take for example a web application like a forum. It requires the
>> > password so it can connect to the database. It can't/won't ask the
>> > password from the user.
>> But there is (or at least, should be) a specific user for that forum
>> application, with the minimum of rights needed for that application
>> (e.g. SELECT and UPDATE) in a single specific database. You're talking
>> about a DB *admin* password.
>Ah, k. It makes less/no sense to store that password.
>But I wonder, is there no way to use the 'power' of the root account
>to do such DB administration without password then?
With postgres - sure. You can use 'ident' authentication. It looks
up who is at the other end of the socket/connection using ident
for TCP or local credentials for Unix sockets. Based on that
you can allow all sorts of access (using pg_hba.conf and pg_ident.conf)
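
The user-name mapping that pg_ident.conf provides can be checked offline before a map is deployed. The following is an added example, not part of the original thread and not PostgreSQL's own code: a simplified model of the map lookup, in which the map names, OS accounts and roles are constructed and Python's `re` stands in for PostgreSQL's regex engine. Current PostgreSQL releases call the Unix-socket form of this method `peer`.

```python
import re

# Constructed sample pg_ident.conf: MAPNAME  SYSTEM-USERNAME  PG-USERNAME
SAMPLE_PG_IDENT = r"""
# root and the postgres OS account may both act as the postgres superuser
admin     root              postgres
admin     postgres          postgres
# the forum's OS account is limited to its own low-privilege role
apps      www-forum         forum_rw
# regex entry: any "svc-<name>" OS account maps to the role "<name>"
apps      /^svc-([a-z]+)$   \1
"""

def parse_ident_map(text):
    """Return (mapname, system_user_pattern, db_user) tuples.
    Simplification: quoted fields and '#' inside a regex are not handled."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(f"malformed pg_ident line: {line!r}")
        entries.append(tuple(fields))
    return entries

def ident_allows(entries, mapname, os_user, db_user):
    """True if os_user (as reported for the socket) may connect as db_user."""
    if mapname is None:
        # No map in pg_hba.conf: OS user name must equal the requested role.
        return os_user == db_user
    for name, sys_pat, pg_user in entries:
        if name != mapname:
            continue
        if sys_pat.startswith("/"):
            # Leading '/' marks a regular expression; \1 is the captured group.
            m = re.search(sys_pat[1:], os_user)
            if m:
                target = pg_user.replace("\\1", m.group(1)) if "\\1" in pg_user else pg_user
                if target == db_user:
                    return True
        elif sys_pat == os_user and pg_user == db_user:
            return True
    return False
```

Running `ident_allows` for every OS account against the superuser role shows exactly which local accounts can administer the database without a password under a given map.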