I'm currently connecting to a Postgres db from a Python script and I'm using sqlalchemy with psycopg2:
postgresql+psycopg2://user:password#host:port/dbname[?key=value&key=value...]
This Python script is available to users, and the password is shown in clear text. How can I use an encrypted password instead?
Generally, this is done in a few different ways.
1. Hide your database behind a REST API
Basically, don't make the database directly accessible to users. Provide an interface like a REST API or something similar for users to interact with the database. The username and password are only stored on the server side.
2. Create another DB user with less privileges and only distribute that user.
Your postgres database can have multiple users. Don't give them the user and password for the db owner. Just create a user with less privileges (read-only maybe?) and distribute that user and password.
Related
So I’m building a flask app using AAD B2C based off the QuickStart code from Microsoft. All that is fine and is working with no issues but how do I secure individual user data in a backend database (Mongo DB API on Cosmos DB)? I’ve read a lot about RBAC but to create a new role Every time a new user registers isn’t really scalable. Because if you secure data via the mongo db secret key users can still modify data. I’ve thought about maybe adding a “user_id” of some kind to the documents in mongodb and pass along the user_id but in my head it seems that can be easily spoofed. So how do I ensure Users can only modify their own data? Is there a new DB user created for each user of the app that gets mapped to each other? Really I just want to secure user data in the DB with AAD or some kind of Kerberos method. Thank you!
There is my problem, so I need to create a Django app and I think I have to use an already existing database with users in. So I did some research and figured out some issues. So Django store the password with the salt and use it to check the password.But no one says that there will be salt + hashed type password in the database, but we can get read of this issue with the proper check function (related to the encryption function) I think, like this guy Django check_password() always returning False who used bcrypt.checkpw(password, hashedPassword) because in his database passwords are encrypted with bcrypt.
The solution proposed was to create a custom authentification backend (even if I don't really see how we can do this I may be able to find out a tuto to do so) but the main issue is that how I can save a user password who register through the Django web site with the same type of hash that the one already existing in the database (with no salt).
I'm a really sorry for not be able to give you more precision about how the password are stored in the database because even I don't know how they are.
I am reading the Tom Aratyn Book - Building Django 2.0 web application. I am on a basic level.
Before migrating my app to the database, he asks to create a database for our Django project. I didn't understand very well how to create this database, he didn't detailed the process. Follow what he says:
" Now that we have a model, we will need to create a table in our database that matches it. We will use Django to generate a migration for us and then run the migration to create a table for our movie model.
While Django can create and run migrations for our Django apps, it will not create the database and database user for our Django project. To create the database and user, we have to connect to the server using an administrator's account. Once we've connected we can create the database and user by executing the following SQL:"
CREATE DATABASE mymdb;
CREATE USER mymdb;
GRANT ALL ON DATABASE mymdb to "mymdb";
ALTER USER mymdb PASSWORD 'development';
ALTER USER mymdb CREATEDB;
I don't know where to type this line of code. Shell? I know his book uses the PostgreSQL database.
Thank you,
To execute commands on the database, you need some kind of client. If you have access to the database server bash, you can use the command line client psql.
For clients with a GUI, pgadmin is the most common. On the interface, you are able to open a window, in which you can insert the SQL commands.
The company I work for is starting development of a Django business application that will use MySQL as the database engine. I'm looking for a way to keep from having database credentials stored in a plain-text config file.
I'm coming from a Windows/IIS background where a vhost can impersonate an existing Windows/AD user, and then use those credentials to authenticate with MS SQL Server.
As an example: If the Django application is running with apache2+mod_python on an Ubuntu server, would it be sane to add a "www-data" user to MySQL and then let MySQL verify the credentials using its PAM module?
Hopefully some of that makes sense. Thanks in advance!
MySQL controls access to tables from its own list of users, so it's better to create MySQL users with permissions. You might want to create roles instead of users so you don't have as many to manage: an Admin, a read/write role, a read-only role, etc.
A Django application always runs as the web server user. You could change that to "impersonate" an Ubuntu user, but what if that user is deleted? Leave it as "www-data" and manage the database role that way.
I have a couple of python scripts which I plan to put up on a server and run them repeatedly once a day. This python script does some calculation and finally uploads the data to a central database. Of course to connect to the database a password and username is required. Is it safe to input this username and password on my python script. If not is there any better way to do it?
Create a DB user with limited access rights, for example, to that only table where it uploads data to. Hardcode that user in your script or pass it as command line arguments. There is little else you can do for a automated script because it has to use some username and password to connect to the DB somehow.
You could encrypt the credentials and decrypt them in your script, but once a sufficiently determined attacker gets access to your user account and script extracting the username and password from a plain text script should not be too hard. You could use a compiled script to hide the credentials from the prying eyes, but again, it depends on how valuable access to your database is.