[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: PostgreSQL-Problem and Problem on Alioth

Hi Andreas!

Andreas Tille [2005-01-25  9:43 +0100]:
> On Mon, Jan 24, 2005 at 10:27:10PM +0100, Andreas Tille wrote:
> >some applications do need a changed pg_hba.conf to work as expected.
> this raises something i'm wondering... what is the best generalized
> method for setting up an application with a username/database in
> postgresql?
> in the latest code, i'm doing the following:
> (as postgres)
> createuser $dbc_dbuser
> createdb $dbc_dbname -O $dbc_dbuser
> what's not clear is how the application then gets into the
> database as $dbc_dbuser.  assuming it runs as www-data (or some
> system user if not a web app), should www-data be added to a map in
> pg_ident.conf to connect as $dbc_dbuser?  or something in pg_hba.conf?
> also, what about authorization methods other than ident?

There are two common ways to achieve that:

- Connect as "www-data". For this you need an appropriate PostgreSQL
  user ("createuser www-data" as user postgres). Then you either make
  www-data the owner of the database ("createdb -O www-data mydb") or
  you set the owner to some application-specific PostgreSQL user and
  only GRANT the necessary permissions to www-data (usually you need
  table creation etc. only for package installation and can restrict
  www-data permissions to SELECT/UPDATE).

  This solution has the advantage that you don't need to modify
  pg_hba.conf (since you can use "ident sameuser" authentication).

  The current PostgreSQL default installation does not create the
  www-data user by default. If somebody convinces me that this would
  be a good idea, then I wouldn't object to creating the user in the
  PostgreSQL postinst, though. But instead I would rather just ship a
  wrapper script that just ensures that www-data exists, and if not,
  creates it.

- Connect as $dbc_dbuser and use "password" authentication. ident
  makes not much sense since the database user has not necessarily
  a system user counterpart (if it has, then this would of course
  work). But if it hasn't, you need a pg_hba.conf entry.

I'm open to suggestions about making modifications to pg_hba.conf
unnecessary in the common case. (I still need some time to read this
thread about the common database infrastructure *sigh*).


Martin Pitt                       http://www.piware.de
Ubuntu Developer            http://www.ubuntulinux.org
Debian GNU/Linux Developer       http://www.debian.org

Attachment: signature.asc
Description: Digital signature

Reply to: