Best practice? Web application: single PostgreSQL user vs. multiple users


Question


I'm trying to get a feel for what most people are doing or consider best
practice.

Given a mod_perl application talking to a PostgreSQL database on the
same host, where different users are logging onto the web server using
LDAP for authentication, do most people

1) have the web server connecting to the database using its own user
account (possibly through ident), and controlling access to different
database entities strictly through the application itself

2) have the web server connecting to the database actually using the
user's account (possibly using LDAP authentication against PostgreSQL),
and controlling access to different database entities through GRANT, etc.

Obviously, (2) leads to more database connections, and you still have to
have the application do some work in terms of which forms are available
to which users, etc. But I'm a little worried about whether it's best
security practice.

---------------------------(end of broadcast)---------------------------
TIP 4: Don't 'kill -9' the postmaster

Replies

Keith G. Murphy said:
2) have the web server connecting to the database actually using the
user's account (possibly using LDAP authentication against PostgreSQL),
and controlling access to different database entities through GRANT, etc.


My experience with java web/app servers indicates that for most setups
using a pool of connections is preferable to using a single connection per
connected user - it scales much better.

What you could consider is one or more pools which map to the "roles" that
your (web) app supports. For example, if a user needs "minimal rights"
access to db resources, then your cgi (request handler) accesses the data
using a connection from the "minimal rights" connection pool. A user
needing "greater rights" would have the cgi access the database from the
"greater rights" pool.

Normally, I place the database functions/tables/objects into different
logical schemas, then I create one or more specific users (for the web/app
server only) which equates to a logical role, and I grant specific rights
on the different schema objects to those users.

Your mileage may vary.

John Sidney-Woollett

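John's scheme of one login user per connection pool, each granted only what its "role" needs on the schema objects, spelled out as PostgreSQL DDL. This is an added example written for this page, not code from the thread; the schema name app, the two tables, and the pool users web_minimal and web_greater are assumptions.

```sql
-- Added example, not from the thread. Assumed names: schema "app",
-- login users web_minimal / web_greater (one per connection pool).
CREATE SCHEMA app;
CREATE TABLE app.orders (
    id     serial  PRIMARY KEY,
    owner  text    NOT NULL,
    total  numeric NOT NULL
);
CREATE TABLE app.audit_log (
    id      serial      PRIMARY KEY,
    actor   text        NOT NULL,
    action  text        NOT NULL,
    at      timestamptz NOT NULL DEFAULT now()
);

-- Login users for the web/app server only; passwords are placeholders.
-- The application never connects as the owner of the schema.
CREATE ROLE web_minimal LOGIN PASSWORD 'CHANGE-ME-minimal';
CREATE ROLE web_greater LOGIN PASSWORD 'CHANGE-ME-greater';

-- Start from nothing: PUBLIC gets no access to the schema at all.
REVOKE ALL ON SCHEMA app FROM PUBLIC;

-- "minimal rights" pool: read orders, nothing else.
GRANT USAGE  ON SCHEMA app TO web_minimal;
GRANT SELECT ON app.orders TO web_minimal;

-- "greater rights" pool: change orders and append to the audit log,
-- but still no DELETE on the log and no DDL anywhere.
GRANT USAGE ON SCHEMA app TO web_greater;
GRANT SELECT, INSERT, UPDATE ON app.orders TO web_greater;
GRANT INSERT ON app.audit_log TO web_greater;
GRANT USAGE ON SEQUENCE app.orders_id_seq, app.audit_log_id_seq TO web_greater;

-- Tables the schema owner creates later get the same split automatically,
-- so a new table is never silently reachable by the wrong pool.
ALTER DEFAULT PRIVILEGES IN SCHEMA app
    GRANT SELECT ON TABLES TO web_minimal;
ALTER DEFAULT PRIVILEGES IN SCHEMA app
    GRANT SELECT, INSERT, UPDATE ON TABLES TO web_greater;

-- Verify the split without reconnecting as each pool user: only
-- web_greater may UPDATE orders, and neither may DELETE from the log.
SELECT rolname,
       has_table_privilege(rolname, 'app.orders',    'UPDATE') AS can_update_orders,
       has_table_privilege(rolname, 'app.audit_log', 'DELETE') AS can_delete_audit
FROM pg_roles
WHERE rolname IN ('web_minimal', 'web_greater');
```

Each pool in the application then opens its connections as the matching user, so a request handler that only ever holds a web_minimal connection cannot modify data even if its own access checks are wrong.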


John Sidney-Woollett wrote:
Keith G. Murphy said:
2) have the web server connecting to the database actually using the
user's account (possibly using LDAP authentication against PostgreSQL),
and controlling access to different database entities through GRANT, etc.





My experience with java web/app servers indicates that for most setups
using a pool of connections is preferable to using a single connection per
connected user - it scales much better.

What you could consider is one or more pools which map to the "roles" that
your (web) app supports. For example, if a user needs "minimal rights"
access to db resources, then your cgi (request handler) accesses the data
using a connection from the "minimal rights" connection pool. A user
needing "greater rights" would have the cgi access the database from the
"greater rights" pool.




That sounds like an excellent compromise. How do you typically handle
the mechanics of authentication from web server to PostgreSQL on the
connect, using this scheme?
--
Why waste time learning when ignorance is instantaneous?
-- Hobbes


Keith G. Murphy said:
That sounds like an excellent compromise. How do you typically handle
the mechanics of authentication from web server to PostgreSQL on the
connect, using this scheme?







Sorry but I can't help you out here, I'm too much of a newbie with
Postgres - I was hoping that someone else would answer your part 1! :)

John


