comparison README.rst @ 209:0c2936ea34bf
Document the unprivileged user possibility in the README.
author | Daniele Nicolodi <daniele@grinta.net> |
---|---|
date | Thu, 17 Nov 2011 11:47:28 +0100 |
parents | dd5e5fc17a62 |
children | 2a9af8163c46 |
comparison
208:f8f898b39058 | 209:0c2936ea34bf |
---|---|
58 # edit etc/ltpdarepo | 58 # edit etc/ltpdarepo |
59 | 59 |
60 Chose a database name at will: this database will be created during | 60 Chose a database name at will: this database will be created during |
61 the application initialization. The user used in the connection should | 61 the application initialization. The user used in the connection should |
62 be an user with administrative capabilities on the MySQL database, | 62 be an user with administrative capabilities on the MySQL database, |
63 ordinarily the `root` user. | 63 ordinarily the `root` user [1]. |
64 | 64 |
65 Remember to set an unique encryption key for the SECRET_KEY parameter. | 65 Remember to set an unique encryption key for the SECRET_KEY parameter. |
66 This key is used in the application for generating cryptographic | 66 This key is used in the application for generating cryptographic |
67 hashes and the security of your application depends on selecting an | 67 hashes and the security of your application depends on selecting an |
68 unique and unpredicible value for this key. A good way to obtain a | 68 unique and unpredicible value for this key. A good way to obtain a |
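Review bot: the footnote marker added at line 63 is plain `[1]`, which reStructuredText renders as literal text in README.rst; write it as `[1]_` here and start the footnote body with `.. [1]` so the reference resolves. The paragraph also still names `root` as the ordinary choice, so a reader who skips the footnote never learns a lower-privilege account is possible; consider mentioning the `--create-user` path in this paragraph itself.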
104 # ./bin/run | 104 # ./bin/run |
105 | 105 |
106 and connect to it at the address http://localhost:5000/ | 106 and connect to it at the address http://localhost:5000/ |
107 | 107 |
108 | 108 |
109 [1] An user with the the minimum set of privileges required for | |
110 running the application may be obtained with the following SQL | |
111 commands:: | |
112 | |
113 CREATE USER <username>@'localhost' IDENTIFIED BY <password>; | |
114 | |
115 GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, CREATE VIEW, | |
116 CREATE USER ON *.* TO <username>@'localhost' WITH GRANT OPTION; | |
117 | |
118 GRANT EXECUTE, CREATE TEMPORARY TABLES | |
119 ON <database>.* TO <username>@'localhost'; | |
120 | |
121 However, due to MySQL server limitations, this minimum set of | |
122 privileges allows the user to grant himself additional privileges, and | |
123 more generally to modify MySQL administrative tables. Therefore, this | |
124 is not an effective protection from security issues. | |
125 | |
126 The initialization of the database and the upgrade procedure require | |
127 additional privileges than the ones listed above. Therefore, the | |
128 command line administration tool `install` and `upgrade` commands | |
129 allow to connect to the database with a different user than the one | |
130 specified in the configuration file, via the `--user` and `--password` | |
131 parameters. Example:: | |
132 | |
133 # ./bin/admin install --user root --password <password> | |
134 | |
135 An user account with username and password specified in the | |
136 configuration file, and with minimum privileges suitable for running | |
137 the application, may be created during the database initialization | |
138 procedure with the `--create-user` option of the `install` command:: | |
139 | |
140 # ./bin/admin install --create-user --user root --password <password> | |
141 | |
142 | |
109 Deployment | 143 Deployment |
110 ---------- | 144 ---------- |
111 | 145 |
112 For the deployment to a production server you do not want to use the | 146 For the deployment to a production server you do not want to use the |
113 embedded HTTP server. You can use any WSGI capable web server. The | 147 embedded HTTP server. You can use any WSGI capable web server. The |
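Review bot: lines 109-116 call this the "minimum set of privileges", but `GRANT ... CREATE USER ON *.* ... WITH GRANT OPTION` produces an account that lines 121-124 themselves say can raise its own privileges, so the footnote should open with that limitation rather than close with it, and should say why the data privileges need global scope instead of `<database>.*`. Two further points: the examples at 133 and 140 pass `--password <password>` on the command line, where it lands in shell history and the process list, so document a prompt or file-based alternative if the tool has one; and `IDENTIFIED BY <password>` at 113 needs the password written as a quoted string literal. Typos: "the the" (109), "An user" (109, 135), "additional privileges than" (126-127).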