Hi!

Thanks to Gunnar for bringing this to my attention.

Uwe Steinmann [2005-06-15 15:31 +0200]:
> I got another question concerning postgresql and best practice on
> how to create a database user for a web application.
> What I got is a php+postgresql web application. What I like
> to do is creating a database and a database user with exclusive
> rights for the database.
> The default authentication method for users accessing postgresql
> is 'ident, sameuser'.

That default really makes sense for "local" connections through the Unix socket, which does not need an ident server, but just checks the peer credentials. However, I see that nowadays the "ident" default does not really make sense for "host" connections, i. e. through the TCP port. As soon as the new 8.0 version makes its way through NEW, I'll upload new versions of 7.4 and 8.0 to change the default to "password".

However, that is unrelated to the requirements of web applications, since they require a special entry anyway and cannot rely on fallback defaults. A web application will most probably access the database through TCP and not through the local socket, so there should be a line like

  host yourwebappdb yourwebappuser 127.0.0.1 255.255.255.255 password

Depending on whether you want to allow remote access by default, the IP mask has to be changed, of course. Also you might prefer md5 authentication.

> If I understand that properly, then I need a unix user named like
> the database. Actually, I don't want to create a system user. What
> is the best way to go? Modify pg_ident.conf or pg_hba.conf?
> Something else?

Using the ident system for web apps opens a can of worms and should be avoided IMHO. The proper place is really pg_hba.conf.

An idea already came up earlier on d-devel. What about a new tool in postgresql-common that adds or removes a specific web application entry to the authentication system? It could look like

  pg_add_app --cluster 8.0/main --auth password --ip 127.0.0.1/32 yourwebappdb yourwebappuser
  pg_remove_app --cluster 8.0/main yourwebappdb yourwebappuser

The last two parameters are mandatory, the others could get reasonable defaults and would be optional. Of course we should discuss that interface a little bit further, but what do you think about the general idea? In any case we should avoid package specific scripts to alter pg_hba.conf.

Thanks,

Martin

Please keep me in CC, I'm not subscribed.

-- 
Martin Pitt                        http://www.piware.de
Ubuntu Developer                   http://www.ubuntu.com
Debian Developer                   http://www.debian.org
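An added example (mine, not code from the thread or from postgresql-common) that parses pg_hba.conf entries of the 7.4-era form used above, flags "host" entries that still rely on ident, and resolves which entry a web-application TCP connection would actually hit. The sample file and its line order are constructed; it shows that because pg_hba.conf uses first match, a web-app entry placed after the catch-all "host all all ... ident" default is never reached.

```python
"""Checker for pg_hba.conf entries like those discussed in the mail above."""
import ipaddress

# Constructed sample in the 7.4 layout (address and mask as separate fields,
# or a CIDR suffix); the web-app line sits BELOW the catch-all ident default.
SAMPLE_HBA = """\
# TYPE  DATABASE      USER            CIDR-ADDRESS/MASK              METHOD
local   all           all                                            ident sameuser
host    all           all             127.0.0.1 255.255.255.255      ident sameuser
host    yourwebappdb  yourwebappuser  127.0.0.1 255.255.255.255      password
host    yourwebappdb  yourwebappuser  192.168.1.0/24                 md5
"""

def parse_hba(text):
    """Turn pg_hba.conf text into a list of dicts, preserving file order."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        f = line.split()
        kind, db, user = f[0], f[1], f[2]
        if kind == "local":
            network, method = None, " ".join(f[3:])
        elif "/" in f[3]:                      # CIDR form: 192.168.1.0/24
            network, method = ipaddress.ip_network(f[3], strict=False), " ".join(f[4:])
        else:                                  # address + netmask form
            network = ipaddress.ip_network(f"{f[3]}/{f[4]}", strict=False)
            method = " ".join(f[5:])
        entries.append({"type": kind, "database": db, "user": user,
                        "network": network, "method": method})
    return entries

def weak_host_entries(entries):
    """Host entries using ident (needs an ident server over TCP) or trust (no check)."""
    return [e for e in entries
            if e["type"] != "local" and e["method"].split()[0] in ("ident", "trust")]

def webapp_entry(entries, db, user, client_ip):
    """First entry that matches a TCP connection from client_ip for db/user,
    i.e. the one PostgreSQL would apply; None if the connection is rejected."""
    ip = ipaddress.ip_address(client_ip)
    for e in entries:
        if e["type"] == "local" or e["database"] not in ("all", db):
            continue
        if e["user"] not in ("all", user) or ip not in e["network"]:
            continue
        return e
    return None
```

Run `webapp_entry(parse_hba(SAMPLE_HBA), "yourwebappdb", "yourwebappuser", "127.0.0.1")` and the returned method is "ident sameuser", not "password": the specific web-app line has to precede the catch-all to take effect.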