0

I am definitely a Symfony noob and I'm on the uphill of the learning curve at the moment, but I'm still trucking along - we've all been there at some point.

I've read several resources in designing my application and one of them was the principle of least privilege in information security:

In information security, computer science, and other fields, the principle of least privilege, also known as the principle of minimal privilege or just least privilege, requires that in a particular abstraction layer of a computing environment, every module (such as a process, a user or a program on the basis of the layer we are considering) must be able to access only such information and resources that are necessary to its legitimate purpose.

With this in mind I decided that I require 3 distinct database users to access my database:

  1. Read only
  2. Volatile - Insert, update, delete
  3. Admin - lock, backup, alter

With Symfony it seems to me that it's designed with a single database user in mind and although it appears that it's possible to use multiple users/connections it also appears that this is not recommended as the standard practice:

Using multiple entity managers is pretty easy, but more advanced and not usually required. Be sure you actually need multiple entity managers before adding in this layer of complexity.

My questions then are:

  1. Am I making this more complicated that it needs to be?
  2. Does using a single database user make my Symfony less secure?
  3. Is the article I linked to the correct way to achieve the least privilege principle in Symfony?
Improve this question

2 Answers 2

Reset to default
2

I think you're making it more complicated than it needs to be.

In most cases you're concerned with a user's access or privileges to a domain object. Often times you can approach this level of security using a simpler means of identifying ownership at the application level (e.g. checking to see if the associated user for an object is in fact the one logged in and trying to access it), or you can apply a more complex model of ownership and permissions via an Access Control List.

As for whether using a single-user makes your database more-or-less secure. It depends on the architecture and what you're trying to do. However, I do think that it inevitably will create design and architectural challenges beyond what you're already experiencing.

In my experience with web applications you do want to limit the privileges of the database user associated with the application, however this user should have read-and-write privileges (e.g. a combination of your read-only and volatile users listed above in your question). You may also had a secondary database user (externalized from your application logic) which is directly usable against the database for your administrative actions.

Below, Nico makes a good observation, suggesting that what you are really looking for is Role based security, this allows you to define different roles (e.g. Anonymous, User, Admin, etc.) which you can then use to perform rudimentary logic around who can do what in your application.

For example: Anonymous users can view data but they cannot create or edit it. Authenticated users with the User role can view, create, and edit content, but they may be further restricted in the application to only being able to edit content which they own. Finally, a user with the Admin role has unrestricted access to view, create, and edit all content.

The above example is using a single database user on the backend, associated with the database connection you've configured.

In addition to that, as mentioned above and discussed below, you can have another database user. It largely depends on whether you want to have your Symfony application have full-or-partial rights. If you wanted to have another user in the role of a system admin for DBAs you would create the user and attach it to the database table space or schema, this user is not associated with the Symfony application. It serves as a power-user that can be run external to the application to manage the database without being restricted by the possibly restricted privileges on the application database user.

Improve this answer
Sign up to request clarification or add additional context in comments.

7 Comments

Your last paragraph is what I'm getting at. To implement the principle of least privilege my app requires multiple database users each with a pre-defined set of privileges. If some person hits my view page then a read user should connect to the database to retrieve the records. Another person may hit my comment page and leave a comment. This should be done with the volatile user. Offline admin work would be done with a third account and not have the credentials stored in any config files. Can this be done with Symfony and Doctring?
Yes but your logic for "who can perform what actions" is at the application level, most likely using an ACL. So you'd only really have a single database user which, at the very least, is a combination of your read-only and volatile users. It might also include the administrative privileges functionality if you wanted to expose that via the application as well. Though I would just externalize the administrative privileges to a second user and not have any Symfony application which interfaces with that user.
Are you saying that I should not have multiple backend database users for my Symfony application or for any application? From a few articles I read about POLP it is good practice to have multiple backend users based on their functions. I'm going to link those articles if I can find them again.
I'm saying that for your application, the way I would structure it is with a single database user. This database user should be a combination of your read-only and volatile roles. If you have need of an administrative database user, you can create one but they are external to the Symfony application (e.g. you use them when you interact with Oracle, PostgreSQL, MySQL, etc. directly). I will try to clarify above when I have time today.
@JohntheRipper You seem to be trying to implement an ACL with mysql users. This could potentialy lead to a mysql user mess because the more functionnality your application will have, the more user you will need to fragment your application. I suggest you read en.wikipedia.org/wiki/Role-based_access_control
|
0

Your quote apply to user at the server level and not directly to application level. If you want your application to be multi-user, i.e. user1 can access that page and add comments but user2 cannot, you need to code such behaviour. Check how RBAC is implemented. This is what you need.

The php/ruby/python/whatever code that will be run on your server is usually run by one user which is the http user. In your case it might be the user apache that can access the http folder, /tmp folder and connect with mysql. In mysql, you can have multiple user that can only access certain database. Keep in mind that mysql user have nothing to do with the server user or your application user.

If what you need is multiple user that each have their own database, then you need a login layer that will create the entity-manager which will connect with a mysql user that can only read/write the user database.

Improve this answer

2 Comments

I disagree with what you said about the mysql user. There are several articles related to the principle of least privilege stating that for database connections it is best practice to use multiple accounts each tailored to a specific role. For example if you have a blog and some hits your read_blog page you have a read only database user connect and retrieve the data. Adding comments on the other hand requires a user with write access, etc. So I'm trying to achieve this within symfony: multiple users connecting to the database with different roles/permissions.
@JohntheRipper IMHO, it is much harder to implement your way (RO, RW user on mysql) than to implement this functionnality at application level. What I describe is the general way to do this kind of thing without much problem.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.