@ -37,37 +33,37 @@ On phosphoric-acid, you will additionally need to create a principal
called `ceod/admin` (remember to addprinc **and** ktadd).
#### Database
Edit the `/etc/csc/ceod.ini` with the credentials required to access MySQL and PostgreSQL
create superuser `mysql` with password `mysql`
```
[mysql]
host =
username =
password =
mysql -u root
[postgresql]
host =
usrename =
password =
CREATE USER 'mysql'@'localhost' IDENTIFIED BY 'mysql';
GRANT ALL PRIVILEGES ON *.* TO 'mysql'@'localhost' WITH GRANT OPTION;
```
#### PostgreSQL Database
PostgreSQL is not designed for isolation of users and by default will allow any user to connect and edit any database. To disallow users to create public schema we run
modify superuser `postgres` for password authentication and restrict new users
```
su postgres
psql
ALTER USER postgres WITH PASSWORD 'postgres';
REVOKE ALL ON SCHEMA public FROM public;
GRANT ALL ON SCHEMA public TO postgres;
```
We also want to change `pg_hba.conf` to only allow local connections and force the requested database to have the same name as the user creating the connection ([more info](https://www.postgresql.org/docs/9.1/auth-pg-hba-conf.html))
create a new `pg_hba.conf` to force password authentication and reject non local
```
cd /etc/postgres/<version>/<branch>/
mv pg_hba.conf pg_hba.conf.old
```
```
# new pg_hba.conf
# TYPE DATABASE USER ADDRESS METHOD
local all postgres peer
local all postgres md5
local sameuser all md5
host all all 0.0.0.0/0 reject
```
```
systemctl restart postgres
```
- peer authentication only requires that your os username matches the postgres username (no password)
- Users will have access to list of databases and users, and this cannot be disabled without possible issues ([more info](https://wiki.postgresql.org/wiki/Shared_Database_Hosting#template1))
- [Managing rights in PostgreSQL](https://wiki.postgresql.org/images/d/d1/Managing_rights_in_postgresql.pdf)
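Review bot: The new MySQL and PostgreSQL setup lines bake trivially guessable credentials into the docs (`CREATE USER 'mysql'@'localhost' IDENTIFIED BY 'mysql';` together with `GRANT ALL PRIVILEGES ON *.* ... WITH GRANT OPTION`, and `ALTER USER postgres WITH PASSWORD 'postgres';`); since `/etc/csc/ceod.ini` is where the real credentials live, please replace these with a placeholder (e.g. `<strong-password>`) and tell the reader to generate one, and consider whether the `mysql` account needs `WITH GRANT OPTION` at all. In the new `pg_hba.conf`, `local all postgres md5` is unreachable because `pg_hba.conf` uses the first matching entry and `local all postgres peer` already matches the same connections, so either drop one line or state which behaviour is intended; the `host all all 0.0.0.0/0 reject` line also only covers IPv4, so add `host all all ::/0 reject` or document that `listen_addresses` is restricted. Smaller points: the `[postgresql]` section still spells the key `usrename`, and the Debian/Ubuntu paths are `/etc/postgresql/<version>/<cluster>/` and the unit is `postgresql`, not `/etc/postgres/...` and `postgres`.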