Mailing List Archive

rt branch 5.0/database-config-docs created. rt-5.0.2-39-g38af353f6a
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "rt".

The branch, 5.0/database-config-docs has been created
at 38af353f6a320d6f489fa5e47b412987e8d67e35 (commit)

- Log -----------------------------------------------------------------
commit 38af353f6a320d6f489fa5e47b412987e8d67e35
Author: Brett Smith <brett@bestpractical.com>
Date: Tue Nov 30 10:22:48 2021 -0500

Document that database credentials are optional

diff --git a/etc/RT_Config.pm.in b/etc/RT_Config.pm.in
index e266d0fa51..9505d21ad7 100644
--- a/etc/RT_Config.pm.in
+++ b/etc/RT_Config.pm.in
@@ -221,7 +221,9 @@ Set($DatabasePort, "@DB_PORT@");

=item C<$DatabaseUser>

-The name of the user to connect to the database as.
+The name of the user to connect to the database as. You can leave this blank
+if it's not required by your database (for example, if your database
+uses peer authentication).

=cut

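Review bot: The added sentence under C<$DatabaseUser> does not say which database account RT ends up using when the value is left blank, so an administrator cannot tell which account needs privileges. Suggest naming it (the commit message for the C<$DatabaseHost> change points at the web server account, www-data/httpd) and noting that cron jobs and other tools must run as that account or be granted database accounts of their own.
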
@@ -229,7 +231,9 @@ Set($DatabaseUser, "@DB_RT_USER@");

=item C<$DatabasePassword>

-The password the C<$DatabaseUser> should use to access the database.
+The password the C<$DatabaseUser> should use to access the database. You can
+leave this blank if it's not required by your database (for example, if your
+database uses peer authentication).

=cut

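Review bot: The new text under C<$DatabasePassword> permits a blank password without stating the condition that makes it appropriate. Per the C<$DatabaseHost> commit message on this branch, operating-system authentication happens over the local socket, while password authentication is typically what network connections use. Suggest adding that a blank password only makes sense together with a blank C<$DatabaseHost>, so the sentence is not read as permission to run a passwordless account over the network. The docs say "peer authentication" where that commit message says the `ident` method; pick one term and use it in both places.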

commit 83272954ff8d71ca088d03fcde2c4d9dec743f12
Author: Brett Smith <brett@bestpractical.com>
Date: Tue Nov 30 09:32:30 2021 -0500

Document the true meaning of a blank DatabaseHost

The sentence "If you're running MySQL and on localhost, leave it blank
for enhanced performance." can mislead readers in a few different ways.

One, it implies that setting this blank is something only MySQL
supports. However, I've confirmed that it works the same way for
PostgreSQL. The documentation for DBD::Oracle suggests it should work
for that too, but I haven't tested it.

Two, it implies unsetting this value is *just* a performance
optimization. However, there are many ways that database server
configuration can mean that connecting over the local socket is very
different than connecting over the network:

* The socket may be unavailable to users running RT because of file
permissions, security context, or because it has been disabled in the
database server configuration.

* The socket may support different connection types than the
network. For example, in its stock configuration, PostgreSQL only
authenticates users via the `ident` method over the socket. Password
authentication is typically reserved for network connections.

You could actually use this to do a completely passwordless RT install,
with both MySQL and PostgreSQL. If you have an account with sufficient
permissions to run `rt-setup-database`, and you make DatabaseUser be
www-data/httpd, then that's sufficient to run RT. (You just need to be
careful to run cron jobs etc. also as www-data/httpd, or also grant them
their own database accounts with sufficient privileges.) This improves
security because all authentication is handled by the operating system
itself, and there's no password to leak that would let an attacker
access the database out of band. This is a little difficult to set up
today because rt-setup-database doesn't support creating the account
passwordless, but if you set it up after the fact it works.

diff --git a/etc/RT_Config.pm.in b/etc/RT_Config.pm.in
index aabfc5cf2a..e266d0fa51 100644
--- a/etc/RT_Config.pm.in
+++ b/etc/RT_Config.pm.in
@@ -201,8 +201,9 @@ Set($DatabaseType, "@DB_TYPE@");

=item C<$DatabaseHost>

-The domain name of your database server. If you're running MySQL and
-on localhost, leave it blank for enhanced performance.
+The domain name of your database server. If this is blank or undefined, RT
+will attempt to connect to the database using a local socket instead of the
+network.

=cut

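Review bot: The replacement paragraph for C<$DatabaseHost> says what a blank value does but drops the consequences the commit message spells out: the socket may be unavailable to the account running RT (file permissions, security context, or disabled in the server configuration), and it may accept different authentication methods than the network does. Suggest one more sentence to that effect, because switching between socket and network changes how RT authenticates and not only how it connects.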

commit bea0ae037e629c8f3ea4c10f9f2df85cfbd0ac3f
Author: Brett Smith <brett@bestpractical.com>
Date: Tue Nov 30 09:14:03 2021 -0500

Add more documentation for $DatabaseRTHost config

diff --git a/etc/RT_Config.pm.in b/etc/RT_Config.pm.in
index b0b0c5cc65..aabfc5cf2a 100644
--- a/etc/RT_Config.pm.in
+++ b/etc/RT_Config.pm.in
@@ -199,18 +199,14 @@ Database driver being used; case matters. Valid types are "mysql",

Set($DatabaseType, "@DB_TYPE@");

-=item C<$DatabaseHost>, C<$DatabaseRTHost>
+=item C<$DatabaseHost>

The domain name of your database server. If you're running MySQL and
on localhost, leave it blank for enhanced performance.

-C<DatabaseRTHost> is the fully-qualified hostname of your RT server,
-for use in granting ACL rights on MySQL.
-
=cut

Set($DatabaseHost, "@DB_HOST@");
-Set($DatabaseRTHost, "@DB_RT_HOST@");

=item C<$DatabasePort>

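Review bot: After the split, the C<$DatabaseHost> item no longer mentions C<$DatabaseRTHost>, and the two similarly named settings now sit several items apart while describing opposite ends of the connection (the database server's host versus the RT server's host as MySQL sees it). Suggest keeping a one-line pointer under C<$DatabaseHost>, for example "See also C<$DatabaseRTHost>, the RT server's hostname used for MySQL grants", so readers do not set the wrong one.
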
@@ -238,6 +234,20 @@ The password the C<$DatabaseUser> should use to access the database.

Set($DatabasePassword, q{@DB_RT_PASS@});

+=item C<$DatabaseRTHost>
+
+C<DatabaseRTHost> is only used by MySQL/MariaDB. When C<rt-setup-database>
+creates C<DatabaseUser> in a MySQL database, it will use this value as the
+account hostname. You can set any value MySQL itself supports, including
+hostname or IP address, optionally using SQL wildcards or a netmask in
+dotted quad format to match multiple addresses. For full details, refer to
+the MySQL Reference Manual about L<specifying account
+names|https://dev.mysql.com/doc/refman/5.7/en/account-names.html>.
+
+=cut
+
+Set($DatabaseRTHost, "@DB_RT_HOST@");
+
=item C<$DatabaseName>

The name of the RT database on your database server. For Oracle, the
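Review bot: The new C<$DatabaseRTHost> text advertises SQL wildcards and netmasks but gives no guidance on scope, so a reader may pick the broadest pattern simply because it always works. Suggest adding that the value should be the narrowest host or network that covers the RT server, since it determines where C<DatabaseUser> is allowed to connect from. Two smaller points: the item says MySQL/MariaDB but links only to the MySQL 5.7 manual, and since the value is applied when C<rt-setup-database> creates the account, the text could say whether changing it afterwards has any effect.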

-----------------------------------------------------------------------


hooks/post-receive
--
rt
_______________________________________________
rt-commit mailing list
rt-commit@lists.bestpractical.com
https://lists.bestpractical.com/mailman/listinfo/rt-commit