undefined | Better HN

0 pointsslagfart8y ago0 comments

I think, with Postgres, if you have:

1. A dedicated read-only schema

2. A dedicated user, with only CONNECT to the read-only schema

3. A unique password

4. A dedicated read-only replica DB

you should be safe against pretty much everything.

I'd actually like to be corrected if I'm wrong - this is how I've built numerous externally-facing services.

0 comments

4 comments · 1 top-level

philip12098y ago· 3 in thread

For non-secured connections, a snooper could still gain full access to all production data.

slagfartOP8y ago

How? Even with the password for this user, you could still only gain access to the read-only schema.

Something I should have spelled out - the read-only schema has only the data that the charts need (heavily aggregated views). We basically build with the assumption that the schema will be compromised, but only that one schema.

andrewstuart28y ago

Without ssl all that data can be observed in transit between your read-only schema and the consuming service. There's very low risk to integrity (i.e. nobody can modify data via read-only methods), but complete list of confidentiality.

dx0348y ago

I think it was related to the "with or without SSL". Obviously the data you send can be intercepted without SSL but no other data (and with SSL not even that).

j / k navigate · click thread line to collapse