How do I handle webapp users in PostgreSQL? - postgresql

Previously I was using databases from BaaS (Backend as a Service) - Parse, Backendless, Firebase - this services has everything I need to manage users of my webapps: tokens handling, owner policies etc.
How do I manage webapp users in own database? (PostgreSQL 9.4)
Is it suppose to be just a regular table, which will contain columns "login", "password" etc. or there are specific tools to implement that?
How should I handle tokens? Should I store it somehow in database, or tokens suppose to be stored in my server and are not bind to database at all?
How do I implement owner policies? Are there some specific tools in Postgres for this, or I should simply create the column "ownerId" in each table and use it as Foreign Key?
If you know good articles on this topic - please, post a links - it will be very helpful!
I would search for it in google, but I've found nothing but articles about database users handling. I assume, this is not what I'm looking for.

Regular table or postgrsql ROLE system
Usually tokens are on application side
Postgres 9.5 have row security policies but you can implement owner policy by yourself. Hard to say what database features you have to use without
assumptions of the project.

Related

Should I have a seperate database to store financial data for each user in my postgreSQL server?

I am creating accounting/invoicing software and my database is in postgreSQL. Should I create a separate database for each user since the data is sensitive financial data? Or is having a user foreign key secure enough? If I am hosting the database on aws I understand that I could have a few db servers across multiple availability zones and regions so that if one is compromised it wouldn't effect everyone even if many users have info stored in a single database. Is this safe enough? Thanks!
In general no. Encrypt the data so that if someone exfiltrates a dump they can't actually use it without the decryption key. If you're worried that someone with admin access can see the user's information then you might want to consider a user-level encryption for all fields related to personally identifiable information.
There are few ways you could go about it but I wouldn’t create a new DB for every customers. It will be too expensive and a pain to maintain and evolve.
To me, this sounds like you are creating a multi-tenant application.
I’d personally use the row-level security feature in Postgres (see this article) or create a separate Schema for each Customer.
You can add an extra layer of protection with encryption at rest. AWS support it (link)

Postgres Restrict Users from taking db dump

I have an application where security and data theft are primary concerns. I am using Postgres 9.4 on RDS by AWS.
I have several users who need read permission on the db. I know that these users can essentially write a script to scrape all the data from the db but is there a way to deny them from using the pg_dump utility.
I am not sure what code examples I can provide for the same.
Is there any alternate strategy to use here? To share db data with developers without allowing them to take dumps of the same?

LDAP for PostgreSQL

Requires upload user information from Active Directory.
I found on the Internet a few additions that provide this opportunity: multicorn and ldap_fdw.
The problem is that I can not figure out how to filter the result
For example multicorn allows you to specify the directory where to search (path) and the object of the search (objectClass). But this is not enough. It is necessary to restrict the people who are in a particular group.
How to do it?
Postgres uses LDAP only to check password. You must still create roles with proper Postgres options, heritage and grants.
To create roles dynamically from LDAP rather than creating them manually without password, you can use a tool like ldap2pg.
Using ldap_fdw or multicorn should not be useful for this. These extensions are meant to expose foreign data to APP, not to extend Postgres internals.
Cheers,

Azure Mobile Services - Connect to Existing Database

I'd like to create a Azure Mobile Service (.NET) that reads / writes from an existing database that is being used by an MVC 5 app. I've been trying, without luck, for the better part of a day to make this happen through the few examples that exist on the internet.
I've just now come across this SO post where Carlos Figueira says that a mobile service creates a new schema with the same name as the service name and all access is done via that schema and the user that has permission to that schema. If this is the case, how will I be able to have my mobile service connect to an existing table, if it always creates new tables in the new schema?
Also, I'm getting the impression that mobile services using .NET is much happier if I don't attempt to connect to an existing DB. Is this the case?
Azure Mobile Services will only work with tables in the new schema (with the service name). In order to work with an existing database, you need to transfer the tables to this schema, and then you will need to rename all your PK columns to "id" (lowercase). Once you have done that, the tables still don't show up in the Data tab in the management interface, but you can 'add' them and then it will connect and you can work with your existing data.
See this link for full walkthrough: http://www.strathweb.com/2012/12/using-existing-database-with-azure-mobile-services/

Zend Framework - How to manage subscription plan privileges

I'm developing a REST API using Zend Framework 1.12.3.
I have to implement subscriptions for different types of plans (i.e. Basic and Premium), each plan having different privileges (e.g. Premium may offer instant, daily and weekly SMS notifications, while Basic may offer only weekly SMS notifications).
Also, there may be custom plans only for certain clients.
I've added a column in the users table called subscription, but what I cannot figure out is where to save the privileges for each subscription plan.
Should I save these privileges directly into the DB (i.e. create a table called subscriptions, and another one called subscriptions_privileges having as columns subscription_id, privilege_name and privilege_value), or would it be better if I save them into the config file?
Thanks
Note: Actually this question is not linked with Zend Framework, it is system architecture question.
Short answer:
it is much more easy to hardcode your subscription plans in your source code configuration files;
it is much more flexible to store this data in database (you can create some administration panel to allow managers to manage them, track history of plan changes, use these data in analytical SQL queries). Theoretically you can deal with all this stuff through reading and writing to your config files, but databases are just the exact tool for these tasks.
P.S.: You can add separate layer of abstartion in your application. Use model objects for your subscriptions which can be populated either from database or from your hard-coded config files using different adapters.