User without ALTER/DROP privs for production?


#1

Our department has started to develop some web-applications with Rails -
finally breaking free of the java-for-everything approach. A lot of the
pre-existing policies for deployment procedures will, naturally, need to
be followed when moving to rails. So, I’m trying to figure out how rails
will fit into our current deployment model…

As it stands today, developers are separated from the people in charge
of deployment. Developers don’t have credentials to the production
systems/databases, and when applications get moved to production, the
database user does not have alter/drop privileges. We’ve solved the
connection credential problems by using JNDI database pooling (with
jRuby). I’m not sure, however, about the permission issues for our
production database user.

Assuming we have two database users: super_user and runtime_user - and
we give super_user the ability to add/alter/drop tables, and then run
our migrations on prod as this user - should there be any problems with
using runtime_user for our database pools (without add/alter/drop privs)
for the application as it’s running in prod?

Has anyone dealt with this? If so, has it caused any problems?

Thanks,
M@