...
todo - add Summco directions here
Security
This is my best guess - feel free to recommend alternatives.
The dataserver should be accessible only from the following:
- web server
- geo server
- localhost
Each environment (DEV, QA, PROD) will have it's own web server and geoserver.
See this diagram if it's not clear.
We use postgres's hba.conf to control this access.
Get the IPs for the hba.conf from Henry or Paul.
We want to be as strict as is reasonable - not as strict as possible.
I think we'll want 3 users:
- postgres
- eas_user
- etl_user
- geoserver_user
Postgres User
The postgres user will be
- used mostly by DBAs
- be used by developers in DEV and QA
- used in emergency cases by developers in PROD
EAS User
The eas_user is for users of the EAS application...
- needs to be able to read and write to all tables in the public schema in the mad database
- should we use a group or role here?
ETL User
The etl_user needs to read and write to all tables and views in the mad and sfmaps databases.
In addition, this user needs to be able to create and drop objects (tables and views) from the database.
Geoserver User
The geoserver user user needs to be able to read all of the tables and views in the sfmaps DB.
For all of these users, we'll need to set the correct access privileges.
Until now, I have been using the postgres user everywhere (sorry!).
Errors
error:
| Code Block |
|---|
configure: error: no acceptable C compiler found in $PATH |
...