Today, with the much-welcome help of docelic and cclausen, I finished the implementation of the new Domtool 2-based dbtool, for allowing users to create DBMS users and databases. A few unresolved issues remain, and I thought I'd bring them up on this list.
We don't know how to grant users permissions to drop tables from MySQL databases without letting them drop whole databases. We can't allow the latter because MySQL keeps permissions around, even after the databases they refer to are dropped. Going through dbtool, a user can only create databases in his AFS space. If he can drop that database and has the permissions to re-create it, it will be created in the default location, the partition housing /var/lib/mysql, and thus not subject to the user's database quota, allowing him to overrun /var. Anyone have a solution to suggest?

We also need to figure out access control policies. For MySQL, this takes the form of choosing the latter part of [EMAIL PROTECTED] usernames. The current code is using [EMAIL PROTECTED], but we will of course want to allow users logged into mire to access their databases on deleuze. What do y'all think about 69.90.123.% as the hostname part, which allows connections from servers in our little subnety thing (though it will also allow others at the same colo, since we don't own the whole fourth part of the IP address range)? For Postgres, this takes the form of setting up one of those PostgreSQL config files, detailing from which IP addresses ident authentication is allowed, etc.

While I was thinking about this, I briefly considered using %.hcoop.net for MySQL, before remembering that this would be insecure. Nonetheless, it sure would be nice if we had reverse DNS!

Nathan, I don't remember if you ever gave me the information about how to submit official support requests to Peer 1. If so, could you remind me; and, if not, could you let the new admins and me know? (Obviously not on this list, but rather over ssh, if possible, the next time we're both on IRC.)

_______________________________________________
HCoop-SysAdmin mailing list
[email protected]
http://hcoop.net/cgi-bin/mailman/listinfo/hcoop-sysadmin
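The MySQL grant forms the message is weighing, written out as an added example (this is not code from the post or from dbtool). The account name `alice`, the database `alice_db`, the table `notes` and the password are constructed placeholders; the host pattern `69.90.123.%` is the one proposed above. The point it shows is the scope difference between a database-level and a table-level `DROP`, and that a database-level privilege survives the database it names being dropped.

```sql
-- Added example, not from the mailing-list post. 'alice', 'alice_db',
-- 'notes' and the password are constructed placeholders.

-- 1. Account usable only from the local host (what the post says the
--    current dbtool code produces).
CREATE USER 'alice'@'localhost' IDENTIFIED BY 'placeholder-password';

-- 2. Account usable from the colo subnet. MySQL matches the host part
--    against the connecting client's address, so a wildcard on the last
--    octet admits every host in 69.90.123.0/24, including machines the
--    co-op does not own, as the post notes.
CREATE USER 'alice'@'69.90.123.%' IDENTIFIED BY 'placeholder-password';

-- 3. Database-level grant. DROP granted on `alice_db`.* permits
--    DROP DATABASE alice_db as well as DROP TABLE inside it; this is the
--    over-broad case the post is trying to avoid.
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, ALTER, INDEX
  ON `alice_db`.* TO 'alice'@'69.90.123.%';

-- 4. Table-level grant. DROP scoped to a named table cannot drop the
--    database, but it only covers a table that already exists, so it does
--    not by itself cover tables the user creates later.
GRANT SELECT, INSERT, UPDATE, DELETE, DROP, ALTER, INDEX
  ON `alice_db`.`notes` TO 'alice'@'69.90.123.%';

-- 5. Inspect the effective privileges of one account before and after a
--    change; this is the check to run when deciding which form to use.
SHOW GRANTS FOR 'alice'@'69.90.123.%';

-- 6. MySQL does not remove database-level privileges when the database
--    they refer to is dropped, so a tool that drops alice_db should also
--    revoke the grant, or the user keeps the right to re-create it in the
--    server's default data directory.
REVOKE ALL PRIVILEGES ON `alice_db`.* FROM 'alice'@'69.90.123.%';
```

Statements 3 and 4 are alternatives, not a sequence; in practice one picks a scope per account. The `REVOKE` in step 6 is the mitigation for the stale-privilege behaviour the post describes, and it is what lets the quota argument hold: without the database-level grant, the user cannot re-create the database outside the AFS path that dbtool chose.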
