I'm looking for links, or an answer here, on to how to properly configure the database permissions to secure a Django app? To be clear, I'm looking specifically for material dealing with grants on the database, not permissions within the Django framework itself.
From the django docs:
https://docs.djangoproject.com/en/dev/topics/install/
If you plan to use Django’s manage.py syncdb command to automatically create database tables for your models (after first installing Django and creating a project), you’ll need to ensure that Django has permission to create and alter tables in the database you’re using; if you plan to manually create the tables, you can simply grant Django SELECT, INSERT, UPDATE and DELETE permissions. On some databases, Django will need ALTER TABLE privileges during syncdb but won’t issue ALTER TABLE statements on a table once syncdb has created it. After creating a database user with these permissions, you’ll specify the details in your project’s settings file, see DATABASES for details.
I've just tested initial setup with MySQL. For python manage.py migrate at least you need following grants for simple operation (if yo use db-preparation):
CREATE, ALTER, INDEX
SELECT, UPDATE, INSERT, DELETE
And, by the way - security matters. You can reduce attack impact by limiting your system exposure. In this case - you can restrict 'DROP' - which is fairly huge plus. If you leave some tricky hole with ability to SQL-inject - you probably reduce the damage. I will research in the future if it will not do any harm to remove DELETE keyword - that would limit potential threats as well. Just because we all leave bugs from time to time :)
I usually:
grant all privileges on my_db.* to my_user#localhost identified by 'my_user_pass'
grant all privileges on test_my_db.* to my_user#localhost identified by 'my_user_pass'
I suppose if there were a bug in django, you might be opening your database up to terrible things, but you'd have other problems if there were that big of a security hole in django.
django minimally needs select, insert, update, and delete, to operate. If you're using test or syncdb at all, you'll also need to be able to create tables, and indexes (and maybe the file permission for loading sql fixtures).
So, for a mysql db, I'd guess the optimal set of permissions might be select, insert, update, delete, create, index, and file. If you wanted to get real nitty-gritty, you could selectively grant these permissions as appropriate on the table level (rather than the db level).
Personally, I find grant all ... easier to type.
What's the purpose of configuring permissions on DB level? If your server is compromised then the attacker will be able to do anything with your database (because he has the login/pass) and permissons won't help. If your server is secured then permissions are useless.
Permissions can make sense if your DB server is available from the outer world, but it is not a good idea to do so.
Related
I know GCP's CloudSQL supports instance backups of some kind. Also noted that they make it really easy to create and delete databases from the CloudSQL instance details -> Databases tab.
I am concerned about how easy it is to delete a database, especially since mistakes happen. Is it possible at all to restore an accidentally-deleted db? I cannot find any docs on how one would go about such a scenario. Or better yet, how to prevent such accidental deletes?
Just for clarification, I'm discussing deleting databases on an instance, and not the instances themselves.
Even with a regular SQL instance, deleting a database is very easy. As long as you have the correct permissions, all it takes is the following:
DROP DATABASE db_name
So if you want to prevent someone from deleting a database, just don't give them the DROP permission on the database.
Cloud SQL follows the same logic. If you check out the docs for deleting a database, you'll see it requires the sqlservice.admin scope. Avoid granting users this IAM permission, and they won't be able to delete an instance.
It is possible to manage database structures using evolutions in Play. In the example I only see examples of creating tables. May the creation of users, assigning privileges and creating databases reside in these scripts as well or is it a bad practice and why or why not?
It is a bad idea to have your application connect to the database using a super user on the database. You could run into trouble with cases of sql injections, or if someone gains access to the database login/password.
As evolutions are mainly used by an application, and so use the same user account, it is recommended to have a separate user account with little privileges on the database.
Evolutions by themselves are quite modular and could be used by themselves to manage a database (if the user facing applications use other users). But there may be more complete tools that may do the same job, like flyway
Question: As a DBA/BI Developer, should we install SSMS on the PCs of power-users of business data? What are the risks with this approach?
Context: I love SSMS. It's ergonomically designed and enables not just the exploration and management of the SQL Server, but also the data within it (e.g. select/edit rows)
Our business users are not interested in the server, just the data. Some of them grasp the data models but are limited in what they can do with the data by the production system interfaces. We are initiating BI projects to improve data access in the medium-term.
In the short-term, a quick install of SSMS 2014, a Windows Authenticated Login and User with minimum required permissions, and some training would appear to satisfy some of our data management requirements. Some of the users can already write basic SQL.
You can do it but you cannot grant the users anything but very limited permissions. Do not grant the dbo privileges or even worse SA. Take the time to really lock down what they can do (except for select) and be very careful about what SQL server groups you put them in (if any).
Even on selects you should think about (i.e. don't do it) putting them in the db_datareader group which will allow them to read any table in the database. You can revoke permissions but you may forget to revoke read from at view they shouldn't see. I would grant them limited permissions and as they complain add, if appropriate, more permissions.
I am creating an application that will track hours for employees. Ideally, HR has asked that certain tables not be modified once data is commited. This is done easily enough from the front-end and stored procedures. However, it would be great to be able to prevent it from the server itself through constraints so that folks that have access to the back-end data can't change any values in the selected tables (unless they are sneaky enough to know how to disable the constraints).
If you trust your SQL Server admins then it’s possible. Have your admin to create users that don’t have datawriter permissions for those tables or schema.
So, application would write the data into database and users who have access to those tables would only be able to read the data.
If you don’t want admins to have the ability to modify data that’s not possible. There is no way to prevent it but there is a way to detect it if it happens. Check out this article for details on details how to this is done in third party application and see if it helps.
Use Server Side security roles to give only the HR Group data-write privileges.
Can anyone tell me if there are RDBMSs that allow me to create a separate database for every user so that there is full separation of users' data?
Are there any?
I know I can add UID to every table but this solution has its own problems (for example per user database schema changes are impossible).
Doesnt MySQL, PostgreSQL, Oracle and so on and so on allow you to do that?. There's the grant statements to control ACLs
I would imagine most (all?) databases allow you to create a user which you could then grant database level access to? SQL server certainly does.
Another simple solution if you don't need the databases to be massive or scalable, say for teaching SQL to students or having many testers work against their own database to isolate problems is SQLite, that way the whole database is a single file (per user), and each user cannot possibly screw up or interfere with other users.
They can even mail you the databases, or install them anywhere, say at home and at work with no internet required.
MS SQLServer2005 is one which can be used for multiple users.An instance can be created
if you have any, run the previlegs and use one user per instance
Oracle lets you create a separate schema (set of tables, indexes, functions, etc) for individual users. This is good if they should have separate different tables. Creating a new user could be a very expensive operation as you would be making new tables. Updating is a nightmare as well, as you need to update the model for each user.
If you want everyone to have the same set of tables, but only able to view their own records then you could use Fine Grain Access Control or Virtual Private Database features to do this.