Thread: Shared hosting with FDW on AWS RDS
Hi, We'd like to configure an RDS server for shared hosting. The idea is that every customer will be using a different databaseand FDW will be configured, so that the remote tables have access to the full data, but materialized views will bepulling from them data specific to each customer. So far, everything seems to work fine and be secure, as we've revokedaccess to the remote tables for the customer users, but I'm feeling a bit uneasy considering that the credentialsfor full access are stored in each database. My understanding is that remote user mapping is designed so thatthis will not be an issue, but I was wondering if access to the metadata schema might allow to circumvent this restriction.Also, I was wondering if someone has experience hardening databases on RDS, as the so called superuser does nothave the right to revoke access from the metadata schema. Comments and suggestions are welcome. -- Regards, Peter
On 2/10/19 2:57 PM, auxsvr wrote:
> We'd like to configure an RDS server for shared hosting. The idea is that every customer will be using a different
databaseand FDW will be configured, so that the remote tables have access to the full data
I've set up something like this before (but on EC2), and the only
problem I couldn't solve was that any user can see your full customer
list by typing `\l` or `\du`. They can't see other customers' stuff, but
they can see how many customers you have and their database/login names.
The only way around it I know is that run separate "clusters" aka RDS
instances.
You can try to lock this down somewhat by revoking access to various
system tables, but it starts breaking a lot of tools (e.g. some GUI
tools don't know what to do if they get an error just listing the
databases). Also it is so piecemeal I wouldn't trust that I'd blocked
off all avenues of getting the information.
I'd love to be corrected on this btw if anyone has better information! :-)
--
Paul ~{:-)
pj@illuminatedcomputing.com
On Sun, Feb 10, 2019 at 03:19:48PM -0800, Paul Jungwirth wrote: > On 2/10/19 2:57 PM, auxsvr wrote: > >We'd like to configure an RDS server for shared hosting. The idea is that every customer will be using a different databaseand FDW will be configured, so that the remote tables have access to the full data > > I've set up something like this before (but on EC2), and the only problem I > couldn't solve was that any user can see your full customer list by typing > `\l` or `\du`. They can't see other customers' stuff, but they can see how > many customers you have and their database/login names. The only way around > it I know is that run separate "clusters" aka RDS instances. > > You can try to lock this down somewhat by revoking access to various system > tables, but it starts breaking a lot of tools (e.g. some GUI tools don't > know what to do if they get an error just listing the databases). Also it is > so piecemeal I wouldn't trust that I'd blocked off all avenues of getting > the information. > > I'd love to be corrected on this btw if anyone has better information! :-) Heroku had that issue and used hash values for the user and database names. -- Bruce Momjian <bruce@momjian.us> http://momjian.us EnterpriseDB http://enterprisedb.com + As you are, so once was I. As I am, so you will be. + + Ancient Roman grave inscription +
On 2019-02-14 10:21 p.m., Bruce Momjian wrote: > On Sun, Feb 10, 2019 at 03:19:48PM -0800, Paul Jungwirth wrote: >> On 2/10/19 2:57 PM, auxsvr wrote: >>> We'd like to configure an RDS server for shared hosting. The idea is that every customer will be using a different databaseand FDW will be configured, so that the remote tables have access to the full data >> I've set up something like this before (but on EC2), and the only problem I >> couldn't solve was that any user can see your full customer list by typing >> `\l` or `\du`. They can't see other customers' stuff, but they can see how >> many customers you have and their database/login names. The only way around >> it I know is that run separate "clusters" aka RDS instances. >> >> You can try to lock this down somewhat by revoking access to various system >> tables, but it starts breaking a lot of tools (e.g. some GUI tools don't >> know what to do if they get an error just listing the databases). Also it is >> so piecemeal I wouldn't trust that I'd blocked off all avenues of getting >> the information. >> >> I'd love to be corrected on this btw if anyone has better information! :-) > Heroku had that issue and used hash values for the user and database > names. Yes, we have the same problem here... We want to consolidate users and databases and we can do it easily with PostgreSQL, while that's not easily the case with some other RDBMS. Even if we can mask real clients name by using hashes, it is still sort of an information leakage that our security team is concerned about, and that is a burden to manage from our clients. It would be nice to have PG to not list things you don't have rights to. I think that MySQL "show databases" list only stuff you have access to. Would modifying pg_catalog views make it possible? Thanks Bruno