Shared hosting with FDW on AWS RDS

From
auxsvr
Date:
Hi,

We'd like to configure an RDS server for shared hosting. The idea is that every customer will be using a different
database and FDW will be configured, so that the remote tables have access to the full data, but materialized views will
be pulling from them data specific to each customer. So far, everything seems to work fine and be secure, as we've
revoked access to the remote tables for the customer users, but I'm feeling a bit uneasy considering that the
credentials for full access are stored in each database. My understanding is that remote user mapping is designed so
that this will not be an issue, but I was wondering if access to the metadata schema might allow to circumvent this
restriction. Also, I was wondering if someone has experience hardening databases on RDS, as the so called superuser does
not have the right to revoke access from the metadata schema.

Comments and suggestions are welcome.
-- 
Regards,
Peter
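As an added illustration (not code from the thread), here is a minimal version of the layout the post describes on postgres_fdw, followed by the check a practitioner would run to confirm that the customer role cannot read the mapping's credentials through the catalog. All object names (central_srv, app_central, fdw_reader, customer_a, remote.orders) and the placeholder password are assumptions.

```sql
-- Added example, not from the thread. Run as the database owner (on RDS: a role
-- holding rds_superuser) inside one customer's database. All names are
-- hypothetical; customer_a is the role the customer logs in with.
CREATE EXTENSION IF NOT EXISTS postgres_fdw;

CREATE SERVER central_srv FOREIGN DATA WRAPPER postgres_fdw
    OPTIONS (host 'central.example.internal', dbname 'app_central');

-- The full-access credentials live only in the owner's mapping.
-- customer_a deliberately gets no mapping of its own.
CREATE USER MAPPING FOR CURRENT_USER SERVER central_srv
    OPTIONS (user 'fdw_reader', password 'PLACEHOLDER_SECRET');

CREATE SCHEMA remote;
IMPORT FOREIGN SCHEMA public LIMIT TO (orders)
    FROM SERVER central_srv INTO remote;

-- The customer-specific slice. REFRESH runs as the matview owner, so it uses
-- the owner's mapping; customer_a only ever reads the local copy.
CREATE MATERIALIZED VIEW public.orders_customer_a AS
    SELECT * FROM remote.orders WHERE customer_id = 42;

-- Keep customer_a away from the foreign table, the server and the FDW.
REVOKE ALL ON SCHEMA remote FROM customer_a;
REVOKE ALL ON FOREIGN SERVER central_srv FROM customer_a;
REVOKE USAGE ON FOREIGN DATA WRAPPER postgres_fdw FROM customer_a;
GRANT SELECT ON public.orders_customer_a TO customer_a;

-- Check from the customer's point of view (SET ROLE needs membership in
-- customer_a; otherwise log in as customer_a). pg_user_mappings exposes
-- umoptions only to the mapping's own user (with USAGE on the server), the
-- server owner or a real superuser, and NULLs it for everyone else. The base
-- catalog pg_user_mapping carries no SELECT privilege for PUBLIC, so the
-- second query is rejected outright.
SET ROLE customer_a;
SELECT srvname, usename, umoptions FROM pg_user_mappings;
SELECT umoptions FROM pg_catalog.pg_user_mapping;
RESET ROLE;
```

Note that rds_superuser is not a true superuser (rolsuper is false), so on RDS it is also subject to the masking in pg_user_mappings unless it owns the server or the mapping.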




Re: Shared hosting with FDW on AWS RDS

From
Paul Jungwirth
Date:
On 2/10/19 2:57 PM, auxsvr wrote:
> We'd like to configure an RDS server for shared hosting. The idea is that every customer will be using a different
> database and FDW will be configured, so that the remote tables have access to the full data

I've set up something like this before (but on EC2), and the only 
problem I couldn't solve was that any user can see your full customer 
list by typing `\l` or `\du`. They can't see other customers' stuff, but 
they can see how many customers you have and their database/login names. 
The only way around it I know is to run separate "clusters" aka RDS 
instances.

You can try to lock this down somewhat by revoking access to various 
system tables, but it starts breaking a lot of tools (e.g. some GUI 
tools don't know what to do if they get an error just listing the 
databases). Also it is so piecemeal I wouldn't trust that I'd blocked 
off all avenues of getting the information.

I'd love to be corrected on this btw if anyone has better information! :-)

-- 
Paul              ~{:-)
pj@illuminatedcomputing.com


Re: Shared hosting with FDW on AWS RDS

From
Bruce Momjian
Date:
On Sun, Feb 10, 2019 at 03:19:48PM -0800, Paul Jungwirth wrote:
> On 2/10/19 2:57 PM, auxsvr wrote:
> > We'd like to configure an RDS server for shared hosting. The idea is that every customer will be using a different
> > database and FDW will be configured, so that the remote tables have access to the full data
> 
> I've set up something like this before (but on EC2), and the only problem I
> couldn't solve was that any user can see your full customer list by typing
> `\l` or `\du`. They can't see other customers' stuff, but they can see how
> many customers you have and their database/login names. The only way around
> it I know is that run separate "clusters" aka RDS instances.
> 
> You can try to lock this down somewhat by revoking access to various system
> tables, but it starts breaking a lot of tools (e.g. some GUI tools don't
> know what to do if they get an error just listing the databases). Also it is
> so piecemeal I wouldn't trust that I'd blocked off all avenues of getting
> the information.
> 
> I'd love to be corrected on this btw if anyone has better information! :-)

Heroku had that issue and used hash values for the user and database
names.

-- 
  Bruce Momjian  <bruce@momjian.us>        http://momjian.us
  EnterpriseDB                             http://enterprisedb.com

+ As you are, so once was I.  As I am, so you will be. +
+                      Ancient Roman grave inscription +


Re: Shared hosting with FDW on AWS RDS

From
Bruno Lavoie
Date:
On 2019-02-14 10:21 p.m., Bruce Momjian wrote:
> On Sun, Feb 10, 2019 at 03:19:48PM -0800, Paul Jungwirth wrote:
>> On 2/10/19 2:57 PM, auxsvr wrote:
>>> We'd like to configure an RDS server for shared hosting. The idea is that every customer will be using a different
>>> database and FDW will be configured, so that the remote tables have access to the full data
>> I've set up something like this before (but on EC2), and the only problem I
>> couldn't solve was that any user can see your full customer list by typing
>> `\l` or `\du`. They can't see other customers' stuff, but they can see how
>> many customers you have and their database/login names. The only way around
>> it I know is that run separate "clusters" aka RDS instances.
>>
>> You can try to lock this down somewhat by revoking access to various system
>> tables, but it starts breaking a lot of tools (e.g. some GUI tools don't
>> know what to do if they get an error just listing the databases). Also it is
>> so piecemeal I wouldn't trust that I'd blocked off all avenues of getting
>> the information.
>>
>> I'd love to be corrected on this btw if anyone has better information! :-)
> Heroku had that issue and used hash values for the user and database
> names.

Yes, we have the same problem here...

We want to consolidate users and databases and we can do it easily with 
PostgreSQL, while that's not easily the case with some other RDBMS.

Even if we can mask real clients' names by using hashes, it is still sort 
of an information leakage that our security team is concerned about, and 
that is a burden to manage from our clients.

It would be nice to have PG not list things you don't have rights to. 
I think that MySQL "show databases" lists only stuff you have access to. 
Would modifying pg_catalog views make it possible?


Thanks

Bruno