a_adli/colouring-montreal
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Limit database user capabilities per app

Browse Source
This commit is contained in:
Tom Russell 2018-08-08 09:05:58 +01:00
parent 9ab762e8e7
commit 3d6eb29a93
1 changed files with 51 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

51
migrations/README.md
View File

@ -11,3 +11,54 @@ $ psql "host={hostname} user={username} port=5432 sslmode=require dbname=postgre
> \q
$ psql "host={hostname} user={username} port=5432 sslmode=require dbname=colouringlondon" < 001.create-core.up.sql
```
Create app users
```sql
-- role for server-side of front end (HTTP POST)
CREATE ROLE frontend WITH LOGIN;
-- create/update, authenticate and authorise users
GRANT SELECT, UPDATE, INSERT ON TABLE users TO frontend;
-- read/write building data
GRANT SELECT, UPDATE, INSERT ON TABLE buildings TO frontend;
-- read geometry data
GRANT SELECT ON TABLE geometries TO frontend;
-- read/append to logs
GRANT SELECT, INSERT ON TABLE log to frontend;
-- use id sequences
GRANT USAGE ON ALL SEQUENCES IN SCHEMA public to frontend;
-- use postgis/pgcrypto functions
GRANT EXECUTE ON ALL FUNCTIONS IN SCHEMA public TO frontend;
-- role for /api routes (may be AJAX from web client, or 3rd-party client with key)
CREATE ROLE apiserver WITH LOGIN;
-- need to authenticate and authorize users
GRANT SELECT ON TABLE users TO apiserver;
-- read/write building data
GRANT SELECT, UPDATE, INSERT ON TABLE buildings TO apiserver;
-- read geometry data
GRANT SELECT ON TABLE geometries TO apiserver;
-- read/append to logs
GRANT SELECT, INSERT ON TABLE log to apiserver;
-- use id sequences
GRANT USAGE ON ALL SEQUENCES IN SCHEMA public to apiserver;
-- use postgis/pgcrypto functions
GRANT EXECUTE ON ALL FUNCTIONS IN SCHEMA public TO apiserver;
-- role for /tiles routes
CREATE ROLE tileserver WITH LOGIN;
-- read building and geometry data
GRANT SELECT ON TABLE geometries, buildings TO tileserver;
-- use id sequences
GRANT USAGE ON ALL SEQUENCES IN SCHEMA public to tileserver;
-- use postgis functions
GRANT EXECUTE ON ALL FUNCTIONS IN SCHEMA public TO tileserver;
```
Set or update passwords
```bash
psql -c "ALTER USER frontend WITH PASSWORD 'longsecurerandompassword1';"
psql -c "ALTER USER apiserver WITH PASSWORD 'longsecurerandompassword2';"
psql -c "ALTER USER tileserver WITH PASSWORD 'longsecurerandompassword3';"
```