[Dbconfig-common-devel] Read only access for all users to database
Kip Warner
kip at thevertigo.com
Sat Jun 11 23:47:25 UTC 2016
On Sat, 2016-06-11 at 09:18 +0200, Paul Gevers wrote:
> Hi Kip,
Hey Paul.
> Just wondering, do you mean with "your postinst" the postinst of
> dbconfig-common, or just the postinst of a package that uses
> dbconfig-common.
As in mydatabase.postinst maintainer script that is executed after
unpacking.
> > ...
> > sed -i -r "s/\s*map_all_myapplication\s*\/\.\*\s*myapplication\s*//" /etc/postgresql/9.5/main/pg_ident.conf
> >
> > sed -i -r "s/\s*local\s*all\s*all\s*ident\s*map=map_all_myapplication\s*//" /etc/postgresql/9.5/main/pg_hba.conf
> >
> > echo "map_all_myapplication /.* myapplication" >> /etc/postgresql/9.5/main/pg_ident.conf
> >
> > sed -i -r "s/(local\s*all\s*all\s*peer)/#\1/" /etc/postgresql/9.5/main/pg_hba.conf
> > ...
>
> Please be aware that what you are doing above is not allowed in a Debian
> proper package without asking the system administrator first:
Good thing I ask then!
> It looks like there are templates in the dbconfig-common package that
> were meant for your use case, but they are not used. Maybe Sean
> couldn't get his head around how to do it sanely (just guessing
> here).
Neither of the two templates you listed,
dbconfig-common/pgsql/{changeconf,manualconf}, is appropriate in my
case, because the way they are worded makes it sound as if the
change to their postgres config is essential and the package cannot be
installed correctly without it. The template that ships with my package
I think is more appropriate.
> After our discussion so far, could you please try to describe what
> you want to do (maybe more generic than just your package) and file
> that as a bug against dbconfig-common (please refer to this thread if
> you do). I have the feeling that there may be some improvement
> possible in dbconfig-common, but I don't see exactly what yet. Maybe
> all I need is a good use case example (of things that aren't working
> without changing).
I think so too. All I want is for a package bootstrapping its database
schema into the local machine (which is nearly always the case) to be
able to configure PostgreSQL to give some (or all) local system users
permission to authenticate as the role provided in dbc_dbuser. This is
useful when the client applications may be run as multiple system
users, but must operate as the same PostgreSQL role. PostgreSQL has a
feature for this called maps.
--
Kip Warner -- Senior Software Engineer
OpenPGP encrypted/signed mail preferred
http://www.thevertigo.com
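
An added example, not code from this thread or from dbconfig-common: one way a maintainer script could set up the map described above without rewriting the existing `local all all peer` record, by inserting a record scoped to one database and role ahead of it. It assumes the administrator has already agreed to the change; the function names, file arguments and sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Paths and names are passed in by the
# caller; the administrator is assumed to have agreed to the change.

# add_peer_map HBA_FILE IDENT_FILE DATABASE ROLE MAPNAME
# Idempotently lets every local system user connect to DATABASE as ROLE,
# leaving all existing pg_hba.conf records as they are.
add_peer_map() {
    hba=$1 ident=$2 db=$3 role=$4 map=$5
    hba_line="local $db $role peer map=$map"
    ident_line="$map /.* $role"

    # pg_ident.conf: MAPNAME SYSTEM-USERNAME PG-USERNAME. A leading "/"
    # makes the system user name a regular expression.
    grep -qxF "$ident_line" "$ident" || printf '%s\n' "$ident_line" >> "$ident"

    # pg_hba.conf: the first matching record wins, so the scoped record
    # goes ahead of the first existing "local" record.
    grep -qxF "$hba_line" "$hba" && return 0
    tmp=$(mktemp) || return 1
    awk -v rec="$hba_line" '
        !seen && $1 == "local" { print rec; seen = 1 }
        { print }
        END { if (!seen) print rec }
    ' "$hba" > "$tmp" && cat "$tmp" > "$hba"   # cat keeps owner and mode
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Constructed sample files; prints the resulting pg_hba.conf and pg_ident.conf.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '# TYPE DATABASE USER METHOD' \
        'local all postgres peer' 'local all all peer' > "$d/pg_hba.conf"
    : > "$d/pg_ident.conf"
    for run in 1 2; do   # second run must change nothing
        add_peer_map "$d/pg_hba.conf" "$d/pg_ident.conf" \
            mydatabase myapplication map_all_myapplication || return 1
    done
    cat "$d/pg_hba.conf" "$d/pg_ident.conf"
    rm -rf "$d"
}
```

PostgreSQL has to reload its configuration before the new records take effect.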