Bug 1207991 - Reduce the number of permissions held by the MySQL user used by Django on stage/prod
Status: Closed (RESOLVED WONTFIX)
Opened 9 years ago; closed 8 years ago
Product/Component: Tree Management :: Treeherder: Infrastructure (defect, P3)
Tracking: Not tracked
Reporter: emorley; Assignee: Unassigned
This is the Heroku equivalent of bug 1184167.
Comment 1•8 years ago
As we're about to nuke the treeherder-heroku RDS instance, is this still needed? Alternatively, is this something we need to look at for the other RDS instances?
Flags: needinfo?(emorley)
Comment 2•8 years ago
Yeah, this is not specific to one RDS instance; we'll want to check all permissions (and possibly switch to having fewer permissions on the account used by the app).
Flags: needinfo?(emorley)
Comment 3•8 years ago
The th_admin user on the various RDS instances we have is the primary RDS user, and is used both for admin tasks and by Django via the DATABASE_URL environment variable. It has the following permissions:
Select_priv: Y
Insert_priv: Y
Update_priv: Y
Delete_priv: Y
Create_priv: Y
Drop_priv: Y
Reload_priv: Y
Shutdown_priv: N
Process_priv: Y
File_priv: N
Grant_priv: Y
References_priv: Y
Index_priv: Y
Alter_priv: Y
Show_db_priv: Y
Super_priv: N
Create_tmp_table_priv: Y
Lock_tables_priv: Y
Execute_priv: Y
Repl_slave_priv: Y
Repl_client_priv: Y
Create_view_priv: Y
Show_view_priv: Y
Create_routine_priv: Y
Alter_routine_priv: Y
Create_user_priv: Y
Event_priv: Y
Trigger_priv: Y
Create_tablespace_priv: N
Of those, Django doesn't need the following:
Reload_priv: Y
Grant_priv: Y
Execute_priv: Y
Repl_slave_priv: Y
Repl_client_priv: Y
Create_view_priv: Y
Show_view_priv: Y
Create_routine_priv: Y
Alter_routine_priv: Y
Create_user_priv: Y
Event_priv: Y
Trigger_priv: Y
Summary: Check the Heroku RDS instance user permissions → Reduce the number of permissions held by the MySQL user used by Django on stage/prod
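An added example (not part of this bug or of the Treeherder project's own code) of how the privilege set above could be audited and narrowed: an audit query over the same mysql.user columns as the listing, followed by a separate application account that keeps only the privileges the comment does not mark as unneeded. The database name `treeherder`, the account name `th_app` and the password are assumed placeholders.

```sql
-- Audit: show only the privilege flags that comment 3 says Django does
-- not use. Any 'Y' in this row is a privilege the app account could lose.
SELECT User, Host,
       Reload_priv, Grant_priv, Execute_priv, Repl_slave_priv, Repl_client_priv,
       Create_view_priv, Show_view_priv, Create_routine_priv, Alter_routine_priv,
       Create_user_priv, Event_priv, Trigger_priv
FROM mysql.user
WHERE User = 'th_admin';

-- Remediation: a dedicated application account instead of reusing the
-- primary RDS user. 'th_app', 'treeherder' and the password are placeholders.
CREATE USER 'th_app'@'%' IDENTIFIED BY 'CHANGE-ME';

-- Privileges kept: the Y entries in the listing minus the "Django doesn't
-- need" list. CREATE, DROP, ALTER and INDEX stay because Django migrations
-- use them (the objection raised in comment 4). PROCESS and SHOW DATABASES
-- are global-scope privileges that cannot be granted per database, so they
-- are not granted to the app account at all.
GRANT SELECT, INSERT, UPDATE, DELETE,
      CREATE, DROP, REFERENCES, INDEX, ALTER,
      CREATE TEMPORARY TABLES, LOCK TABLES
  ON treeherder.* TO 'th_app'@'%';

-- Verify: the new account should report only the grants above, scoped to
-- the application database rather than *.*.
SHOW GRANTS FOR 'th_app'@'%';
```

Point DATABASE_URL at `th_app` instead of `th_admin` once the grants are verified; the admin account stays available for manual maintenance.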
Comment 4•8 years ago
I don't think this buys us much, since Django will still need most of the dangerous permissions (e.g. DROP TABLE) for migrations.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → WONTFIX