Rails uses one ID for database
31 views
Skip to first unread message
Frank2016
Apr 8, 2015, 1:54:07 AM4/8/15
to rubyonra...@googlegroups.com
Hi,
I am a beginner for Rails. I just studied the GUIDE and did some exercises (https://www.railstutorial.org/book). However I have one concern. Rails uses ONE ID (usually is ROOT) to do everything on database, such as DB migration, application accesses database, etc. This architecture raises a security concern, especially the cyber attack is happening so often nowadays. Although RAILS has strong parameters feature but once a hacker is hacking into database, hacker has total control on the database. Is a way to use one ID for database migration (i.e. database schema owner) and another ID for application access (to database)? The ID for application to access database should have limited privileges.
Does anyone know a way to implement one ID to do the database migration and another ID to access database? Share your solution will be appreciated.
Colin Law
Apr 8, 2015, 4:18:02 AM4/8/15
to rubyonra...@googlegroups.com
On 8 April 2015 at 04:10, Frank2016 <fnlin...@gmail.com> wrote:
> Hi,
> I am a beginner for Rails. I just studied the GUIDE and did some exercises
> (https://www.railstutorial.org/book). However I have one concern. Rails uses
> ONE ID (usually is ROOT) to do everything on database, such as DB migration,
> application accesses database, etc.
It should certainly not be root. That is entirely up to you to specify.
> Hi,
> I am a beginner for Rails. I just studied the GUIDE and did some exercises
> (https://www.railstutorial.org/book). However I have one concern. Rails uses
> ONE ID (usually is ROOT) to do everything on database, such as DB migration,
> application accesses database, etc.
> This architecture raises a security
> concern, especially the cyber attack is happening so often nowadays.
> Although RAILS has strong parameters feature but once a hacker is hacking
> into database, hacker has total control on the database. Is a way to use one
> ID for database migration (i.e. database schema owner) and another ID for
> application access (to database)? The ID for application to access database
> should have limited privileges.
>
> Does anyone know a way to implement one ID to do the database migration and
> another ID to access database? Share your solution will be appreciated.
doomed anyway. The user name should only allow him access to the one
database.
Colin
tamouse pontiki
Apr 8, 2015, 8:45:01 AM4/8/15
to rubyonra...@googlegroups.com
Coliin
Expanding a bit on Colin's response: the id's and credentials you use during development and test should be completely different from the id's and credentials your application will use in production. Development and test can have relaxed security, as the databases and other things should be quite isolated from the Internet as a whole.
When your application is ready to be put into production, i.e. deployed, you will need to take precautions such as you allude to ensuring proper security when the world has visibility on your application.
Reply all
Reply to author
Forward
0 new messages