Hi Andreas!

Andreas Tille [2005-01-25 9:43 +0100]:
> On Mon, Jan 24, 2005 at 10:27:10PM +0100, Andreas Tille wrote:
> > some applications do need a changed pg_hba.conf to work as expected.
>
> this raises something i'm wondering... what is the best generalized
> method for setting up an application with a username/database in
> postgresql?
>
> in the latest code, i'm doing the following:
>
> (as postgres)
> createuser $dbc_dbuser
> createdb $dbc_dbname -O $dbc_dbuser
>
> what's not clear is how the application then gets into the
> database as $dbc_dbuser. assuming it runs as www-data (or some
> system user if not a web app), should www-data be added to a map in
> pg_ident.conf to connect as $dbc_dbuser? or something in pg_hba.conf?
> also, what about authorization methods other than ident?
There are two common ways to achieve that:

- Connect as "www-data". For this you need an appropriate PostgreSQL user ("createuser www-data" as user postgres). Then you either make www-data the owner of the database ("createdb -O www-data mydb") or you set the owner to some application-specific PostgreSQL user and only GRANT the necessary permissions to www-data (usually you need table creation etc. only for package installation and can restrict www-data permissions to SELECT/UPDATE). This solution has the advantage that you don't need to modify pg_hba.conf (since you can use "ident sameuser" authentication).

  The current PostgreSQL default installation does not create the www-data user by default. If somebody convinces me that this would be a good idea, then I wouldn't object to creating the user in the PostgreSQL postinst, though. But instead I would rather just ship a wrapper script that just ensures that www-data exists, and if not, creates it.

- Connect as $dbc_dbuser and use "password" authentication. ident does not make much sense since the database user does not necessarily have a system user counterpart (if it has, then this would of course work). But if it hasn't, you need a pg_hba.conf entry.

I'm open to suggestions about making modifications to pg_hba.conf unnecessary in the common case. (I still need some time to read this thread about the common database infrastructure *sigh*).

Martin

-- 
Martin Pitt                       http://www.piware.de
Ubuntu Developer                  http://www.ubuntulinux.org
Debian GNU/Linux Developer        http://www.debian.org
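The two setups Martin describes, as an added shell example (not code from the thread or from the Debian postgresql packages): an idempotent "ensure the role exists" wrapper for the ident route, a least-privilege GRANT for www-data, and a pg_hba.conf editor for the password route that respects first-match ordering. It assumes psql reaches the cluster as the postgres superuser; the PSQL variable is an assumed hook so a caller can substitute "sudo -u postgres psql".

```shell
#!/bin/sh
# Added example, not code from the thread or from the postgresql packages.
# Assumes psql reaches the cluster as the postgres superuser; PSQL lets a
# caller substitute e.g. "sudo -u postgres psql".
set -e
PSQL="${PSQL:-psql}"

# Reject names that could break out of the quoted SQL/regexes below.
safe_name() { case $1 in ''|*[!A-Za-z0-9_-]*) return 1 ;; esac; }

# Approach 1: the "wrapper script that ensures www-data exists". Idempotent;
# creates a login role named after the system user so "ident sameuser" works.
ensure_role() {
  safe_name "$1" || return 1
  if [ "$($PSQL -tAc "SELECT 1 FROM pg_roles WHERE rolname = '$1'")" != 1 ]; then
    $PSQL -qc "CREATE ROLE \"$1\" LOGIN"
  fi
}

# Ownership stays with the application role; www-data only gets SELECT/UPDATE
# on the existing tables, as suggested above.
grant_readwrite_sql() {
  safe_name "$1" && safe_name "$2" || return 1
  printf 'GRANT CONNECT ON DATABASE "%s" TO "%s";\n' "$1" "$2"
  printf 'GRANT USAGE ON SCHEMA public TO "%s";\n' "$2"
  printf 'GRANT SELECT, UPDATE ON ALL TABLES IN SCHEMA public TO "%s";\n' "$2"
}

# Approach 2: a database user without a system counterpart needs a
# password-style pg_hba.conf entry. scram-sha-256 replaces the old "password"
# method, which sends the password in the clear.
hba_line() { printf 'local\t%s\t%s\tscram-sha-256\n' "$1" "$2"; }

# pg_hba.conf is first-match-wins: an entry appended after a catch-all
# "local all all ..." line is never reached. Insert before the first active
# rule instead, and do nothing if an entry for this database/user exists.
ensure_hba_entry() {
  file=$1 db=$2 user=$3
  safe_name "$db" && safe_name "$user" || return 1
  grep -Eq "^local[[:space:]]+$db[[:space:]]+$user[[:space:]]" "$file" && return 0
  tmp=$(mktemp)
  awk -v line="$(hba_line "$db" "$user")" '
    !done && $0 !~ /^[[:space:]]*(#|$)/ { print line; done = 1 }
    { print }
    END { if (!done) print line }' "$file" > "$tmp"
  cat "$tmp" > "$file"   # keeps the mode/owner of the real pg_hba.conf
  rm -f "$tmp"
}
```

After editing pg_hba.conf the server still needs a reload (pg_ctl reload or the init script) before the new line takes effect.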