[Dbconfig-common-devel] new mailing list for db apps [was: Re: RFC: common database policy/infrastructure]

sean finney seanius@seanius.net
Tue, 21 Dec 2004 14:54:46 -0500



On Tue, Dec 21, 2004 at 08:27:52PM +0100, Karsten Hilbert wrote:
> Well, but to grant extra rights to that user I'd have to
> become a user with even more privileges - which is what we'd
> want to avoid in the first place. If dbconfig-common is trying
> to be helpful it needs to create the user with all the
> necessary rights.

the thing is, in most cases database applications don't need those
extra rights at all.  so, i think what would work best would be to
give you the means to grant those extra privileges easily.  probably
the easiest way to do that is to run these database setup scripts/sql as
the real db admin, and give you an avenue to do whatever extra
grants are necessary.

> > in mysql, at least, that
> > would be of some concern to me as a sysadmin/dba that one of my database
> > applications could potentially have full administrative access to
> > all the databases on my system.
> a) our applications don't use that user
> b) the user only has create-database and create-user which
>    means it can create new databases and delete databases
>    owned by itself, same with users: create new ones and
>    delete those created by itself
> c) the user does not have administrative access to other
>    databases
> d) in fact, that user does not have "administrative" access at
>    all in that that would be something generic, it only has
>    the added rights to manage "its" databases/users

okay, i think i understand where you're coming from now.  i think this
is slightly different in the mysql world; i don't think you can have
that level of granularity on users at least.  anyway, i don't think it
should be a problem.  the trickiest part would be the cleanup process
in removing the package, which might need to take care of the
extra users/dbs that it created.

anyway, i've created a discussion list for dbconfig-common so we can
stop polluting the d-d mailboxes of those not interested in this
discussion.  perhaps it'd be time to move the discussion there?
the mailing list is:

dbconfig-common-devel@lists.alioth.debian.org

i think the occasional cross-post to d-d might still be appropriate,
but as we're getting into more specific technical details i think
folks would appreciate the reduction in traffic.


	sean

