I'm attempting to create a service that will query different databases.
To clear the above statement up:
I use the term service in the broadest sense: a software component that will provide some value to the database owner.
These databases are not under my control because they belong to different companies. They will not be known in advance and multiple vendors should be supported: Oracle, MS (SQL Server), MySql, PostgreSQL. Also, OLE DB and ODBC connections should be supported.
The issue: security of database credentials and overall traffic is a big concern, but the configuration effort should be minimized, at least. Ideally, all of the security issues should be addressed programmatically within the service implementation and require no configuration effort from the database owner apart from providing a valid connection string.
Usually, database SSL support is done through server certificates, which I want to avoid because it is cumbersome for the client (the database owner). I've been thinking about how to get this done, with no success. Hopefully this can be accomplished with openssl, SSPI, client SSL certificates or some kind of tunneling, or maybe it is just not possible. Any tips would be greatly appreciated.
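Since the only thing the service receives from each database owner is a connection string, one practical place to enforce transport security is the point where that string is accepted. The following is an added example (not code from the question or any project it mentions) that parses ADO.NET/ODBC-style `Key=Value;` strings and libpq-style `key=value` strings, checks vendor-specific encryption settings, and redacts credentials before logging. The vendor labels and the accepted-key policy (libpq `sslmode`, SQL Server `Encrypt`/`TrustServerCertificate`, MySQL Connector/NET `SslMode`) are this example's assumptions; check them against the driver documentation for the versions you actually use.

```python
"""Added example: validate a client-supplied connection string for
encrypted, server-authenticated transport, and redact it for logging.
Vendor names and the accepted key/value forms are assumptions of this example."""
from typing import Dict, List, Tuple

# libpq sslmode values that authenticate the server. 'require' and weaker
# values may encrypt but accept any certificate, so the peer is not verified.
PG_VERIFYING_SSLMODES = {"verify-ca", "verify-full"}
# MySQL Connector/NET SslMode values that verify the server certificate.
MYSQL_VERIFYING_SSLMODES = {"verifyca", "verifyfull"}
TRUE_VALUES = {"yes", "true", "1"}
SECRET_KEYS = {"password", "pwd"}


def parse_connection_string(conn: str) -> List[Tuple[str, str]]:
    """Split a 'Key=Value;Key=Value' (ADO.NET/ODBC style) or libpq
    'key=value key=value' string into (key, value) pairs, preserving order.
    Assumption: libpq-style strings contain no ';' and no spaces inside values."""
    sep = ";" if ";" in conn else None  # None makes str.split() use whitespace
    pairs = []
    for token in conn.split(sep):
        token = token.strip()
        if not token:
            continue
        key, _, value = token.partition("=")
        pairs.append((key.strip(), value.strip().strip("'\"")))
    return pairs


def _as_dict(pairs: List[Tuple[str, str]]) -> Dict[str, str]:
    # Keys and values are case-insensitive for policy purposes.
    return {k.lower(): v.lower() for k, v in pairs}


def check_transport_security(vendor: str, conn: str) -> List[str]:
    """Return a list of findings; an empty list means the string forces an
    encrypted, server-authenticated connection for the given vendor."""
    kv = _as_dict(parse_connection_string(conn))
    findings: List[str] = []
    if vendor == "postgresql":
        mode = kv.get("sslmode", "prefer")  # libpq's documented default
        if mode not in PG_VERIFYING_SSLMODES:
            findings.append(f"sslmode={mode} does not verify the server; require verify-full")
    elif vendor == "sqlserver":
        # Treat a missing Encrypt as off: older drivers default to unencrypted.
        if kv.get("encrypt", "no") not in TRUE_VALUES:
            findings.append("Encrypt is not enabled; require Encrypt=yes")
        if kv.get("trustservercertificate", "no") in TRUE_VALUES:
            findings.append("TrustServerCertificate=yes disables certificate validation")
    elif vendor == "mysql":
        mode = kv.get("sslmode", "unset")
        if mode not in MYSQL_VERIFYING_SSLMODES:
            findings.append(f"SslMode={mode} does not verify the server; require VerifyFull")
    else:
        # Fail closed: an unknown vendor gets no implicit approval.
        findings.append(f"no transport policy defined for vendor '{vendor}'")
    return findings


def redact_credentials(conn: str) -> str:
    """Mask password-like values so the connection string can be logged."""
    sep = ";" if ";" in conn else " "
    pairs = parse_connection_string(conn)
    return sep.join(f"{k}={'***' if k.lower() in SECRET_KEYS else v}" for k, v in pairs)


if __name__ == "__main__":
    # Constructed sample strings, not taken from any real deployment.
    samples = [
        ("postgresql", "host=db.example.com dbname=app user=svc password=s3cret sslmode=prefer"),
        ("sqlserver", "Server=db;Database=app;User Id=svc;Password=s3cret;Encrypt=yes;TrustServerCertificate=yes"),
        ("mysql", "Server=db;Database=app;Uid=svc;Pwd=s3cret;SslMode=VerifyFull"),
    ]
    for vendor, conn in samples:
        print(redact_credentials(conn), "->", check_transport_security(vendor, conn) or "ok")
```

The policy deliberately fails closed on unknown vendors and on a missing `Encrypt`, because the absence of a setting is exactly the case a database owner who "just provides a connection string" will produce; the service should refuse to connect and report the finding rather than silently fall back to plaintext.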
SSL is essential to keep a client's database secure. But there's more to it than that. You need to make sure that every database account is locked down. Each client must only get access to their own database. Additionally, every database has other privileges that are nasty. For example, MySQL has FILE_PRIV, which allows an account to read or write files. MS-SQL has xp_cmdshell, which allows the user to access cmd.exe from SQL (why would anyone need that!?). PostgreSQL lets you write stored procedures in almost any language, and then you can call all sorts of nasty functions.
Then there are other issues. A malformed query may cause a buffer overflow that will give an attacker the keys to the kingdom. You need to make sure all your databases are up to date, and then pray nobody drops a 0-day.
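The rights named in the answer (MySQL FILE/SUPER, SQL Server xp_cmdshell, PostgreSQL untrusted procedural languages) are all visible from ordinary catalog queries, so a service that connects to many customer databases can audit for them on first contact. The following is an added example, not code from the answer or any vendor; the input rows are constructed here to stand in for what `SHOW GRANTS`, `sp_configure` and `pg_language` return, and the lists of dangerous privileges and options are this example's own policy, not a complete catalogue.

```python
"""Added example: audit snapshots of per-vendor privilege data for the
dangerous rights named in the answer. Input rows are constructed samples;
the privilege/option lists are this example's policy, not an exhaustive one."""
import re
from typing import Iterable, List, Tuple

Finding = Tuple[str, str]  # (subject, issue)

# MySQL global privileges that let an account escape its own schema.
MYSQL_DANGEROUS_PRIVS = {"FILE", "SUPER", "PROCESS", "SHUTDOWN", "ALL PRIVILEGES"}
# SQL Server sp_configure options that hand out OS-level code execution.
MSSQL_RISKY_OPTIONS = {"xp_cmdshell", "Ole Automation Procedures", "clr enabled"}
# PostgreSQL languages that are untrusted by design but always present.
PG_BUILTIN_UNTRUSTED = {"internal", "c"}

_GRANT_RE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s+(?P<account>\S+)", re.I)


def audit_mysql_grants(grant_lines: Iterable[str]) -> List[Finding]:
    """Flag dangerous global privileges and any non-USAGE grant on *.*
    (a client account should be scoped to its own schema)."""
    findings: List[Finding] = []
    for line in grant_lines:
        m = _GRANT_RE.match(line.strip())
        if not m:
            continue
        privs = {p.strip().upper() for p in m.group("privs").split(",")}
        account, scope = m.group("account"), m.group("scope")
        for priv in sorted(privs & MYSQL_DANGEROUS_PRIVS):
            findings.append((account, f"has {priv} privilege"))
        if scope == "*.*" and privs - {"USAGE"}:
            findings.append((account, "has non-USAGE privileges on *.* (global scope)"))
    return findings


def audit_mssql_config(config_rows: Iterable[Tuple[str, int, int]]) -> List[Finding]:
    """config_rows mimic sp_configure output: (name, config_value, run_value).
    Only the running value matters for what an attacker can call right now."""
    return [(name, "is enabled (run_value=1)")
            for name, _cfg, run in config_rows
            if name in MSSQL_RISKY_OPTIONS and run == 1]


def audit_pg_languages(lang_rows: Iterable[Tuple[str, bool]]) -> List[Finding]:
    """lang_rows mimic SELECT lanname, lanpltrusted FROM pg_language.
    An installed untrusted language lets function authors reach the OS."""
    return [(name, "untrusted procedural language is installed")
            for name, trusted in lang_rows
            if not trusted and name not in PG_BUILTIN_UNTRUSTED]


# Constructed sample snapshots (not taken from any real server).
SAMPLE_MYSQL_GRANTS = [
    "GRANT USAGE ON *.* TO 'client_a'@'%'",
    "GRANT SELECT, INSERT, UPDATE ON `client_a`.* TO 'client_a'@'%'",
    "GRANT FILE, SUPER ON *.* TO 'report'@'%'",
    "GRANT ALL PRIVILEGES ON *.* TO 'legacy'@'localhost'",
]
SAMPLE_MSSQL_CONFIG = [
    ("xp_cmdshell", 1, 1),
    ("clr enabled", 0, 0),
    ("Ole Automation Procedures", 1, 1),
    ("remote access", 1, 1),
]
SAMPLE_PG_LANGUAGES = [
    ("internal", False), ("c", False), ("sql", True),
    ("plpgsql", True), ("plpythonu", False),
]


def audit_all() -> List[Finding]:
    """Run every vendor check over the constructed samples."""
    return (audit_mysql_grants(SAMPLE_MYSQL_GRANTS)
            + audit_mssql_config(SAMPLE_MSSQL_CONFIG)
            + audit_pg_languages(SAMPLE_PG_LANGUAGES))


if __name__ == "__main__":
    for subject, issue in audit_all():
        print(f"{subject}: {issue}")
```

In a real deployment the three `SAMPLE_*` inputs would be replaced by the query results from each customer database, and a non-empty finding list for the account the service was handed is a reason to ask the owner for a narrower account before doing anything else with that connection.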