diff README.rst @ 209:0c2936ea34bf
Document the unprivileged user possibility in the README.
author | Daniele Nicolodi <daniele@grinta.net> |
---|---|
date | Thu, 17 Nov 2011 11:47:28 +0100 |
parents | dd5e5fc17a62 |
children | 2a9af8163c46 |
--- a/README.rst Thu Nov 17 11:46:12 2011 +0100 +++ b/README.rst Thu Nov 17 11:47:28 2011 +0100 @@ -60,7 +60,7 @@ Chose a database name at will: this database will be created during the application initialization. The user used in the connection should be an user with administrative capabilities on the MySQL database, -ordinarily the `root` user. +ordinarily the `root` user [1]. Remember to set an unique encryption key for the SECRET_KEY parameter. This key is used in the application for generating cryptographic 
@@ -106,6 +106,40 @@ and connect to it at the address http://localhost:5000/ +[1] An user with the the minimum set of privileges required for +running the application may be obtained with the following SQL +commands:: + + CREATE USER <username>@'localhost' IDENTIFIED BY <password>; + + GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, CREATE VIEW, + CREATE USER ON *.* TO <username>@'localhost' WITH GRANT OPTION; + + GRANT EXECUTE, CREATE TEMPORARY TABLES + ON <database>.* TO <username>@'localhost'; + +However, due to MySQL server limitations, this minimum set of +privileges allows the user to grant himself additional privileges, and +more generally to modify MySQL administrative tables. Therefore, this +is not an effective protection from security issues. + +The initialization of the database and the upgrade procedure require +additional privileges than the ones listed above. Therefore, the +command line administration tool `install` and `upgrade` commands +allow to connect to the database with a different user than the one +specified in the configuration file, via the `--user` and `--password` +parameters. Example:: + + # ./bin/admin install --user root --password <password> + +An user account with username and password specified in the +configuration file, and with minimum privileges suitable for running +the application, may be created during the database initialization +procedure with the `--create-user` option of the `install` command:: + + # ./bin/admin install --create-user --user root --password <password> + + Deployment ----------
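Review bot: The `[1]` added after "`root` user" in the first hunk is plain text in reStructuredText, not a footnote reference, so it will not link to the note added further down. Since this is README.rst, write the reference as `[1]_` and start the note in the second hunk with `.. [1]` so the two are connected when the file is rendered.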
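Review bot: Both `./bin/admin install` examples in the second hunk pass the MySQL root password as `--password <password>` on the command line, where it lands in shell history and is visible in the process list while the command runs. If the tool can prompt for the password when the option is omitted, document that form; otherwise say so next to the examples. In the SQL, `IDENTIFIED BY <password>` is shown unquoted, and MySQL expects a quoted string there, so `IDENTIFIED BY '<password>'` is safer to copy. The warning that the `ON *.*` grant `WITH GRANT OPTION` lets the user extend its own privileges would serve readers better placed before the SQL than after it. Minor wording in the added text: "An user", "the the", "additional privileges than".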