2007-10-09 - By Matt Juszczak
Hi all,
I'm looking to get an unbiased opinion of two possible methods for controlling access to database servers.
Here are the specs:
* 6 database servers, all firewalled off to the outside world, but accessible to each other on port 3306 unrestricted
* 10 web servers total, but only half of those need to connect.
Which option?
A)
GRANT replication slave ON *.* TO ruser@(protected);
GRANT replication slave ON *.* TO ruser@(protected);
GRANT replication slave ON *.* TO ruser@(protected);
GRANT SELECT ON database.* TO otheruser@(protected);
GRANT SELECT ON database.* TO otheruser@(protected);

B)
GRANT REPLICATION SLAVE ON *.* TO ruser;
GRANT SELECT on database.* TO otheruser;
A:
Pro: Granular control per host; although the permissions are always identical, we still "block" the webservers that don't need access.
Con: Hard to manage, 40 webservers = 40 users with the same permissions, 10 slaves = 10 users with the same permissions
B:
Pro: Simple to manage. One user allows access from anywhere on the internal network (since the servers are firewalled off to the outside)
Con: Any server on the internal network can connect as that specific user to the database. Could cause problems with old code, etc. if passwords aren't changed.
Which option do you use in your setup? Which do you see more fit?
Thanks,
Matt
--
MySQL General Mailing List
For list archives: http://lists.mysql.com/mysql
To unsubscribe: http://lists.mysql.com/mysql?unsub=mysql@(protected)
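The per-host grants of option A can be generated from one inventory instead of being maintained by hand; the sketch below is an added example, not part of the original post. The addresses, the inventory layout and the function names are assumptions made for illustration, and the accounts are assumed to be created separately.

```python
import ipaddress

# Constructed inventory: role -> (user, privilege, scope, hosts).
# User names, privileges and scopes follow the post; the addresses are made up.
INVENTORY = {
    "replicas": ("ruser", "REPLICATION SLAVE", "*.*",
                 ["10.0.0.11", "10.0.0.12", "10.0.0.13"]),
    "web": ("otheruser", "SELECT", "`database`.*",
            ["10.0.1.21", "10.0.1.22"]),
}


def validate_host(host):
    """Accept only a literal IP address; reject MySQL host wildcards."""
    if "%" in host or "_" in host:
        raise ValueError(f"wildcard host not allowed: {host!r}")
    return str(ipaddress.ip_address(host))  # ValueError if not an IP


def grants_for(inventory):
    """Return one GRANT statement per (account, host), in a stable order."""
    statements = []
    for user, privilege, scope, hosts in inventory.values():
        if not user.isalnum():
            raise ValueError(f"unexpected user name: {user!r}")
        for host in sorted({validate_host(h) for h in hosts}):
            statements.append(
                f"GRANT {privilege} ON {scope} TO '{user}'@'{host}';"
            )
    return statements


def stale_accounts(existing, inventory):
    """(user, host) pairs found on the server but absent from the inventory,
    e.g. rows from SELECT user, host FROM mysql.user."""
    wanted = {(user, validate_host(h))
              for user, _, _, hosts in inventory.values() for h in hosts}
    return sorted(set(existing) - wanted)


if __name__ == "__main__":
    print("\n".join(grants_for(INVENTORY)))
    # Constructed server state: one wildcard account left over from option B.
    print(stale_accounts([("otheruser", "%"), ("ruser", "10.0.0.11")], INVENTORY))
```

Removing a web server from the inventory and re-running `stale_accounts` lists the account entry that should be dropped, which keeps the host allow-list in step with the servers that actually need access.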