[ZODB-Dev] Relstorage database permissions
Shane Hathaway
shane at hathawaymix.org
Fri Feb 25 06:44:38 EST 2011
On 02/22/2011 03:10 PM, Maurits van Rees wrote:
> Hi,
>
> Normally RelStorage creates the database tables for you and the user you
> have specified is the owner of those tables. For security reasons a
> client does not want this, but wants a different user to own the tables
> and instead only grant some permissions to the relstorage user. I guess
> theoretically there could be a bug in the relstorage code that could
> lead to more problems when the relstorage user has full rights to those
> tables. I am not losing any sleep over fears like that though. :-)
>
> But putting aside a potentially distracting discussion about whether
> this extra security is needed: which permissions does relstorage really
> need? Select, update, insert and delete are obvious. I have seen that
> packing also needs the truncate permission. Everything seems to work
> with this combination.
>
> But for that extra bit of peace of mind: am I overlooking a permission?

Well, this is why transactions are really nice. If you overlooked
anything, it is very likely that some transaction will be aborted
normally and you'll get a nice traceback that narrows the problem
quickly. So I think you'll be fine. :-)

Shane
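
The permission split discussed in this thread, written out as an added example that is not part of either message and not RelStorage's own code: grant the five privileges named above to a non-owner account, then list every table where that account's effective privileges differ from that set. It assumes PostgreSQL (the thread does not name the database), tables in the `public` schema, and two hypothetical roles, `zodb_owner` and `relstorage_app`.

```sql
-- Added example. Assumptions: PostgreSQL, schema "public", and the
-- hypothetical roles zodb_owner (owns the tables) and relstorage_app
-- (the account RelStorage connects as).

-- Run as zodb_owner once the tables exist.
GRANT SELECT, INSERT, UPDATE, DELETE, TRUNCATE
    ON ALL TABLES IN SCHEMA public
    TO relstorage_app;

-- Audit: return one row for every (table, privilege) pair where what
-- relstorage_app can actually do differs from the intended set.
--   granted = false -> a needed privilege is missing
--   granted = true  -> an extra privilege is present (for example
--                      because relstorage_app still owns the table)
-- An empty result means the grants match the intended set exactly.
SELECT c.relname                     AS table_name,
       pg_get_userbyid(c.relowner)   AS table_owner,
       p.priv                        AS privilege,
       has_table_privilege('relstorage_app', c.oid, p.priv) AS granted
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
CROSS JOIN unnest(ARRAY['SELECT', 'INSERT', 'UPDATE', 'DELETE',
                        'TRUNCATE', 'REFERENCES', 'TRIGGER']) AS p(priv)
WHERE n.nspname = 'public'
  AND c.relkind = 'r'                -- ordinary tables only
  AND has_table_privilege('relstorage_app', c.oid, p.priv)
      <> (p.priv IN ('SELECT', 'INSERT', 'UPDATE', 'DELETE', 'TRUNCATE'))
ORDER BY table_name, privilege;
```

The audit covers table privileges only; a missing privilege on any other kind of object would surface the way the reply describes, as an aborted transaction with a traceback.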