Sat Jan 21 09:27:40 PST 2006
- Previous message: [Slony1-general] "Blueprints for High Availability"
- Next message: [Slony1-general] Security with slony
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
All,

I posted a similar query to the Slony mailing list back in November, and got a very clear reply from Jan, but having thought about the problem some more (and having lots of issues with our current MySQL replication solution), I wondered if there was a different way of looking at the problem and finding a Postgres+Slony solution....

Here is the summary: We have a network with multiple geographic sites, some of which are machines in racks at ISPs. We are very concerned about security and are working on the principle that, even with our best efforts, one of the machines in the network will get compromised at some point by a malicious user. They will then have complete access to the machine, including all the accounts and passwords on it. With Slony running with full Postgres super-user privileges on each node, our concern is that this malicious user could then reconfigure the master-slave relationships across the network and then send out a sequence of update or delete operations to corrupt or destroy all the databases across the entire network. We would, of course, have regular backups, but restoring them would be a lot of hassle and take time. During the intervening period, the databases would be unavailable, which would be very "inconvenient".

To try to prevent the above scenario from being possible, I was wondering if it was possible to reduce the privileges that the Slony user had on each node in the database. Clearly, the Slony user would need write privileges on any slave table that it was replicating data to, but would the Slony user need write privileges to a table that it was simply reading for replication to a different node? If we could reduce the privileges of the Slony user to a custom set of privileges on each node, then even if the Slony network was compromised as described above, the Slony user would not have the privileges to corrupt all the tables across the entire network. The original master tables would still be intact.

Does the above make sense, and can anyone offer assistance on this? Ideally, I am looking for information on what privileges and commands Slony needs for the configuration and replication operations for the master and slave nodes in the system. I can go through the code, but that is going to take some time, so I was hoping that someone might know the answers or point me to some more detailed documentation.

Thanks in advance,
Roger
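The split-privilege model the post asks about, written out as an added illustration that is not part of the post and not the Slony project's own setup scripts: the role name `slony_repl`, the table `public.orders` and the password placeholder are all hypothetical. It shows the read-only grant on an origin node beside the read-write grant a subscriber needs, plus an audit query over `information_schema.role_table_grants` that lists where the role holds any write privilege. Whether Slony's own daemon and triggers can operate under such a role is exactly the question the post raises and is not answered here.

```sql
-- Added illustration (hypothetical names; not from the post or from Slony).
-- "slony_repl" stands in for the super-user account Slony would normally use.

-- On the ORIGIN node: the replication role only ever reads the table.
CREATE ROLE slony_repl LOGIN PASSWORD 'placeholder-change-me';
GRANT USAGE ON SCHEMA public TO slony_repl;
GRANT SELECT ON public.orders TO slony_repl;
REVOKE INSERT, UPDATE, DELETE ON public.orders FROM slony_repl;

-- On a SUBSCRIBER node: the role must apply the replicated changes,
-- so it needs DML on the subscribed copy of the same table.
GRANT USAGE ON SCHEMA public TO slony_repl;
GRANT SELECT, INSERT, UPDATE, DELETE ON public.orders TO slony_repl;

-- Audit check, run on every node: every table on which the replication
-- role holds a write privilege. On an origin node this should return no
-- rows for the tables that originate there; any row is a misconfiguration
-- worth investigating.
SELECT table_schema, table_name, privilege_type
  FROM information_schema.role_table_grants
 WHERE grantee = 'slony_repl'
   AND privilege_type IN ('INSERT', 'UPDATE', 'DELETE')
 ORDER BY table_schema, table_name, privilege_type;
```

The audit query is the piece a defender would keep: run it periodically on each node and compare the result with the intended origin/subscriber layout, so that a grant that has drifted toward write access on an origin table is noticed before it matters.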