2007-10-11       - By Michael Cole

Don't trust anything. The more secure you can be the better. What
happens if you have not patched a single server (maybe you are
testing), then someone gets into it and then has unrestricted access to
all the DBs..

Never trust your own users even. If the data is worth money to you, it
is worth more to your competitors, since they don't have to do the leg
work to get the data first into that nice database..




On 10/10/07, Matt Juszczak <matt@(protected)> wrote:
> Hi all,
>
> I'm looking to get an unbiased opinion of two possible methods for
> controlling access to database servers.
>
> Here are the specs:
>
> * 6 database servers, all firewalled off to the outside world, but
> accessible to each other on port 3306 unrestricted
> * 10 web servers total, but only half of those need to connect.
>
>
> Which option?
>
> A)
> GRANT replication slave ON *.* TO ruser@(protected);
> GRANT replication slave ON *.* TO ruser@(protected);
> GRANT replication slave ON *.* TO ruser@(protected);
> GRANT SELECT ON database.* TO otheruser@(protected);
> GRANT SELECT ON database.* TO otheruser@(protected);
>
> B)
> GRANT REPLICATION SLAVE ON *.* TO ruser;
> GRANT SELECT on database.* TO otheruser;
>
>
>
> A:
>
> Pro: Granular control per host, although the permissions are always
> identical, we still "block" the webservers that don't need access.
>
> Con: Hard to manage, 40 webservers = 40 users with the same permissions,
> 10 slaves = 10 users with the same permissions
>
>
> B:
>
> Pro: Simple to manage.  One user allows access from anywhere on the
> internal network (since the servers are firewalled off to the outside)
>
> Con: Any server on the internal network can connect as that specific user
> to the database.  Could cause problems with old code, etc. if passwords
> aren't changed.
>
>
>
> Which option do you use in your setup?  Which do you see more fit?
>
> Thanks,
>
> Matt
>
> --
> MySQL General Mailing List
> For list archives: http://lists.mysql.com/mysql
> To unsubscribe:    http://lists.mysql.com/mysql?unsub=colemichae@(protected)
>
>

--
MySQL General Mailing List
For list archives: http://lists.mysql.com/mysql
To unsubscribe:    http://lists.mysql.com/mysql?unsub=mysql@(protected)
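The two layouts Matt compares, written out as an added SQL example (not code from either poster), together with the host-wildcard middle ground that MySQL's account matching allows and the queries a DBA would use to audit the result. Hostnames, the `10.0.1.%` / `10.0.2.%` subnets and the passwords are placeholders; the database name from the thread is backticked because DATABASE is a reserved word. CREATE USER is used before GRANT so the statements work on MySQL 5.0.2 and later (including 8.x, where GRANT no longer creates accounts); on the 4.x servers of the thread's era `GRANT ... IDENTIFIED BY` did both steps at once.

```sql
-- Added example, not from the thread. All hosts, subnets and passwords are placeholders.

-- Option A: one account per (user, host) pair. The host part is the
-- authorisation boundary, so only the listed web servers can connect,
-- and decommissioning a server is a single DROP USER.
CREATE USER 'otheruser'@'web01.example.internal' IDENTIFIED BY 'placeholder-password';
CREATE USER 'otheruser'@'web02.example.internal' IDENTIFIED BY 'placeholder-password';
GRANT SELECT ON `database`.* TO 'otheruser'@'web01.example.internal';
GRANT SELECT ON `database`.* TO 'otheruser'@'web02.example.internal';

-- Option B: host '%' matches every client the firewall lets reach port 3306.
-- Any box on the internal network that learns the password can log in.
CREATE USER 'otheruser'@'%' IDENTIFIED BY 'placeholder-password';
GRANT SELECT ON `database`.* TO 'otheruser'@'%';

-- Middle ground: a wildcard in the host part scopes one account to the
-- subnet the web tier lives on, and a second one to the replica subnet.
-- One password to rotate per tier, but a rogue host elsewhere on the
-- internal network does not match.
CREATE USER 'otheruser'@'10.0.2.%' IDENTIFIED BY 'placeholder-password';
GRANT SELECT ON `database`.* TO 'otheruser'@'10.0.2.%';

CREATE USER 'ruser'@'10.0.1.%' IDENTIFIED BY 'placeholder-replication-password';
GRANT REPLICATION SLAVE ON *.* TO 'ruser'@'10.0.1.%';

-- Audit: every account and its host scope. Rows whose host is '%' are the
-- ones to review, since they are reachable from the whole internal network.
SELECT user, host
FROM mysql.user
ORDER BY user, host;

-- Verify the effective privileges of one account before trusting it.
SHOW GRANTS FOR 'otheruser'@'10.0.2.%';

-- Revoke a single server's access (Option A) without touching the others.
DROP USER 'otheruser'@'web02.example.internal';
```

Two matching rules matter when mixing these forms. MySQL matches the client's address against the host column and, when several rows match, takes the most specific one first, so an `'otheruser'@'%'` row left behind from Option B silently widens access even after subnet-scoped accounts exist; the `mysql.user` query above is how to catch that. Hostname-based accounts are matched via reverse DNS, so they stop working on a server started with `skip_name_resolve`; IP-pattern accounts like `'10.0.2.%'` do not depend on DNS.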