Don't trust anything. The more secure you can be, the better. What
happens if you have not patched a single server (maybe you are
testing), then someone gets into it and then has unrestricted access to
all the DBs?

Never trust even your own users. If the data is worth money to you, it
is worth more to your competitors, since they don't have to do the
legwork to get the data first into that nice database.




On 10/10/07, Matt Juszczak <[EMAIL PROTECTED]> wrote:
> Hi all,
>
> I'm looking to get an unbiased opinion of two possible methods for
> controlling access to database servers.
>
> Here are the specs:
>
> * 6 database servers, all firewalled off to the outside world, but
> accessible to each other on port 3306 unrestricted
> * 10 web servers total, but only half of those need to connect.
>
>
> Which option?
>
> A)
> GRANT replication slave ON *.* TO [EMAIL PROTECTED];
> GRANT replication slave ON *.* TO [EMAIL PROTECTED];
> GRANT replication slave ON *.* TO [EMAIL PROTECTED];
> GRANT SELECT ON database.* TO [EMAIL PROTECTED];
> GRANT SELECT ON database.* TO [EMAIL PROTECTED];
>
> B)
> GRANT REPLICATION SLAVE ON *.* TO ruser;
> GRANT SELECT on database.* TO otheruser;
>
>
>
> A:
>
> Pro: Granular control per host, although the permissions are always
> identical, we still "block" the webservers that don't need access.
>
> Con: Hard to manage, 40 webservers = 40 users with the same permissions,
> 10 slaves = 10 users with the same permissions
>
>
> B:
>
> Pro: Simple to manage.  One user allows access from anywhere on the
> internal network (since the servers are firewalled off to the outside)
>
> Con: Any server on the internal network can connect as that specific user
> to the database.  Could cause problems with old code, etc. if passwords
> aren't changed.
>
>
>
> Which option do you use in your setup?  Which do you see more fit?
>
> Thanks,
>
> Matt
>
> --
> MySQL General Mailing List
> For list archives: http://lists.mysql.com/mysql
> To unsubscribe:    http://lists.mysql.com/[EMAIL PROTECTED]
>
>
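
Added example, not part of either message in this thread: one way to keep option A's per-host accounts manageable is to generate the grants from a host inventory and flag accounts that have drifted toward option B. The account names `ruser` and `otheruser` come from the thread; the IP addresses, the `appdb` schema name and the function names are assumptions.

```python
import ipaddress
import re

# Constructed role table (assumption): role -> (account name, privilege clause).
ROLES = {
    "replica": ("ruser", "REPLICATION SLAVE ON *.*"),
    "web": ("otheruser", "SELECT ON `appdb`.*"),
}
NAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def desired_accounts(inventory):
    """Map (user, host) -> privilege for every host that needs access."""
    wanted = {}
    for role, hosts in inventory.items():
        user, privilege = ROLES[role]
        if not NAME_RE.match(user):
            raise ValueError(f"bad account name: {user!r}")
        for host in hosts:
            # Literal IP addresses only, so nothing unexpected is quoted into SQL.
            wanted[(user, str(ipaddress.ip_address(host)))] = privilege
    return wanted


def reconcile(inventory, existing):
    """Compare the inventory with (user, host) rows read from mysql.user."""
    wanted = desired_accounts(inventory)
    managed = {user for user, _ in ROLES.values()}
    present = set(existing)
    # Accounts are assumed to exist already with their own credentials;
    # only the missing privilege statements are emitted here.
    grants = [
        f"GRANT {priv} TO '{user}'@'{host}';"
        for (user, host), priv in sorted(wanted.items())
        if (user, host) not in present
    ]
    findings = []
    for user, host in sorted(present):
        if user not in managed or (user, host) in wanted:
            continue
        # MySQL treats % and _ in the host part as wildcards (option B behaviour).
        kind = "wildcard host" if ("%" in host or "_" in host) else "host not in inventory"
        findings.append(f"{user}@{host}: {kind}")
    return grants, findings


if __name__ == "__main__":
    inventory = {"replica": ["10.0.0.12", "10.0.0.13"], "web": ["10.0.1.21"]}  # constructed
    existing = [("ruser", "10.0.0.12"), ("otheruser", "%"), ("otheruser", "10.0.1.99")]
    grants, findings = reconcile(inventory, existing)
    print("\n".join(grants + findings))
```

The `existing` rows stand in for the output of `SELECT user, host FROM mysql.user`; the findings list is what to review before dropping or narrowing an account.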
