allow db users to login remotely

README.md

@@ -49,7 +49,7 @@ ALTER USER postgres WITH PASSWORD 'postgres';
 REVOKE ALL ON SCHEMA public FROM public;
 GRANT ALL ON SCHEMA public TO postgres;
 ```
-create a new `pg_hba.conf` to force password authentication and reject non local
+create a new `pg_hba.conf` to force password authentication 
 ```
 cd /etc/postgresql/<version>/<branch>/
 mv pg_hba.conf pg_hba.conf.old
@@ -58,12 +58,22 @@ mv pg_hba.conf pg_hba.conf.old
 # new pg_hba.conf
 # TYPE  DATABASE        USER            ADDRESS                 METHOD
 local   all             postgres                                md5
+host    all             postgres        localhost               md5
+host    all             postgres        0.0.0.0/0               reject
+host    all             postgres        ::/0                    reject
 local   sameuser        all                                     md5
 host    sameuser        all             0.0.0.0/0               md5
+host    sameuser        all             ::/0                    md5
+```
+```
+# modified postgresql.conf
+# listen_addresses = 'localhost'
+listen_address = '*'
 ```
 ```
 systemctl restart postgresql
 ```
+users can login remotely but superusers (`postgres` and `mysql`) are only allowed to login from the database host
 
 #### Mailman
 You should create the following mailing lists from the mail container:

ceod/db/MySQLService.py

@@ -40,10 +40,14 @@ class MySQLService:
         password = gen_password()
         search_for_user = f"SELECT user FROM mysql.user WHERE user='{username}'"
         search_for_db = f"SHOW DATABASES LIKE '{username}'"
-        create_user = f"CREATE USER '{username}'@'localhost' IDENTIFIED BY %(password)s"
+        create_user = f"""
+        CREATE USER '{username}'@'localhost' IDENTIFIED BY %(password)s;
+        CREATE USER '{username}'@'%' IDENTIFIED BY %(password)s;
+        """
         create_database = f"""
         CREATE DATABASE {username};
         GRANT ALL PRIVILEGES ON {username}.* TO '{username}'@'localhost';
+        GRANT ALL PRIVILEGES ON {username}.* TO '{username}'@'%';
         """
 
         with self.mysql_connection() as con:
@@ -59,7 +63,10 @@ class MySQLService:
     def reset_db_passwd(self, username: str) -> str:
         password = gen_password()
         search_for_user = f"SELECT user FROM mysql.user WHERE user='{username}'"
-        reset_password = f"ALTER USER '{username}'@'localhost' IDENTIFIED BY %(password)s"
+        reset_password = f"""
+        ALTER USER '{username}'@'localhost' IDENTIFIED BY %(password)s
+        ALTER USER '{username}'@'%' IDENTIFIED BY %(password)s
+        """
 
         with self.mysql_connection() as con:
             with con.cursor() as cursor:
@@ -70,8 +77,11 @@ class MySQLService:
                 return password
 
     def delete_db(self, username: str):
-        drop_user = f"DROP USER IF EXISTS '{username}'@'localhost'"
         drop_db = f"DROP DATABASE IF EXISTS {username}"
+        drop_user = f"""
+        DROP USER IF EXISTS '{username}'@'localhost';
+        DROP USER IF EXISTS '{username}'@'%';
+        """
 
         with self.mysql_connection() as con:
             with con.cursor() as cursor:

ceod/db/PostgreSQLService.py

@@ -71,8 +71,8 @@ class PostgreSQLService:
                 return password
 
     def delete_db(self, username: str):
-        drop_user = f"DROP USER IF EXISTS {username}"
         drop_db = f"DROP DATABASE IF EXISTS {username}"
+        drop_user = f"DROP USER IF EXISTS {username}"
 
         with self.psql_connection() as con:
             with con.cursor() as cursor: