Secure DSN strings
Securing Your Database Connection
We take security seriously at GluonDB. While you can connect using any valid PostgreSQL DSN, we strongly recommend creating a dedicated database user with restricted permissions specifically for GluonDB.
Why Create a Dedicated User?
- Principle of Least Privilege: GluonDB only needs to read your data to generate insights and dashboards
- Audit Trail: Easily track which queries originate from GluonDB
- Risk Mitigation: Even if credentials are compromised, damage is limited to read-only operations
Creating a Read-Only User in PostgreSQL
Step 1: Connect as a Superuser
sql
psql -U postgres -d your_database
Step 2: Create the GluonDB User
sql
-- Create a new user for GluonDB
CREATE USER gluondb_reader WITH PASSWORD 'your_secure_password';
Step 3: Grant Read-Only Permissions
sql
-- Grant connect permission to the database
GRANT CONNECT ON DATABASE your_database TO gluondb_reader;
-- Grant usage on schema (typically 'public')
GRANT USAGE ON SCHEMA public TO gluondb_reader;
-- Grant SELECT on all existing tables
GRANT SELECT ON ALL TABLES IN SCHEMA public TO gluondb_reader;
-- Grant SELECT on all existing sequences (for serial/identity columns)
GRANT SELECT ON ALL SEQUENCES IN SCHEMA public TO gluondb_reader;
-- Automatically grant SELECT on future tables
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO gluondb_reader;
Step 4: Build Your Secure DSN
Your DSN will follow this format:
text
postgresql://gluondb_reader:your_secure_password@hostname:5432/your_database
DSN Components:
gluondb_reader- The read-only user you createdyour_secure_password- The password you sethostname- Your database host (e.g.,localhostordb.example.com)5432- PostgreSQL port (default)your_database- Your database name
Additional Security Options
Enable SSL/TLS Connection
For production databases, always use SSL:
text
postgresql://gluondb_reader:password@hostname:5432/your_database?sslmode=require
SSL modes:
require- Encrypt connection, don't verify certificateverify-ca- Encrypt and verify server certificateverify-full- Encrypt, verify certificate, and check hostname
Restrict to Specific Tables
If you only want GluonDB to access certain tables:
sql
-- Revoke access to all tables first
REVOKE SELECT ON ALL TABLES IN SCHEMA public FROM gluondb_reader;
-- Grant access only to specific tables
GRANT SELECT ON TABLE users, orders, products TO gluondb_reader;
Multiple Schemas
If your database uses multiple schemas:
sql
-- Grant access to additional schemas
GRANT USAGE ON SCHEMA analytics TO gluondb_reader;
GRANT SELECT ON ALL TABLES IN SCHEMA analytics TO gluondb_reader;
ALTER DEFAULT PRIVILEGES IN SCHEMA analytics GRANT SELECT ON TABLES TO gluondb_reader;
Verifying Permissions
Test that your user has the correct (limited) permissions:
sql
-- Connect as the gluondb_reader user
psql -U gluondb_reader -d your_database
-- This should work
SELECT * FROM your_table LIMIT 1;
-- These should fail (permission denied)
INSERT INTO your_table (column) VALUES ('test');
DELETE FROM your_table;
DROP TABLE your_table;
Quick Reference
| Permission | Granted | Purpose |
|---|---|---|
| SELECT | ✅ | Read data for analysis |
| INSERT | ❌ | Not needed |
| UPDATE | ❌ | Not needed |
| DELETE | ❌ | Not needed |
| CREATE | ❌ | Not needed |
| DROP | ❌ | Not needed |
Need help? If you have questions about securing your database connection, reach out to our support team.