Sharing a DB user password among units of the app

[Andreas Hasenack]

On Tue, Mar 25, 2014 at 7:51 AM, Stuart Bishop <stuart at stuartbishop.net> wrote:

> The simple fix is to add a usernames or extra_usernames parameter on
> the relation, similar to database, allowing the client to specify a
> list of extra usernames that should be allowed to connect from the
> client to this relation's database.

This works, and has the benefit of using randomly generated passwords.
But I need these to be shared among different services, like mysql's
shared-db relation.

>
> There are security issues with this approach. A malicious client can
> specify a database and user with permissions, gaining access to
> another service's data. If service_a and service_b are related to the
> same PostgreSQL service, then if service_a is compromised then all of
> service_b's data is also accessible.

This is the same as with mysql's shared-db relation, right? The same
risk exists there, as all services have access to each other's
credentials.


> For your particular use case of patching the database, we could use
> the db-admin relation. This already connects as a superuser to any
> database, and we could open that up to connecting to any database as
> any user without lowering security further.

The patch would be like: "GRANT DELETE ON TABLE person TO landscape".
That "landscape" is hardcoded, so that user has to exist and be the
user the services use. So your first paragraph above solves this
already, right? We give a list of users to postgresql via the
relation, and "landscape" is in that list.