dj-wasabi / ansible-zabbix-server

Installing and maintaining zabbix-server for RedHat/Debian/Ubuntu.
https://galaxy.ansible.com/dj-wasabi/zabbix-server/
MIT License

What is the purpose of creating DB user? #144

Closed mrdumpty closed 4 years ago

mrdumpty commented 5 years ago

Hello.

Why does your role always create a DB user when you need to create a new DB? Creation of the database is totally understandable, but a user?

Just about the logic: you MUST provide DB user credentials to the role, with "create user" and "create database" access rights. That means that you must ALREADY have a valid user for the DB beforehand. Why do you need to create another one in that case?

dj-wasabi commented 5 years ago

Hi,

Yes, you must provide user credentials that are already configured. This will probably be the 'root' or 'admin' account on the database, so you can create a user for the database specific for the application, in this case Zabbix. By using a separate user account for, in this case, Zabbix, this user only has access to the Zabbix database and not other databases that might have been configured on the server. And running all applications on a single admin account is not desirable from a security point of view.

mrdumpty commented 5 years ago

> This will probably be the 'root' or 'admin' account on the database, so you can create a user for the database specific for the application, in this case Zabbix

Well, maybe implementing this as an option (like zabbix_database_user_creation) makes sense? Providing full admin access to an existing DB server only for the purpose of creating another DB cannot be considered a secure decision.

dj-wasabi commented 5 years ago

I don't understand your comment. A zabbix user is created that has only rights to do its thing for the zabbix database, no access/rights on other databases on the database host. But in order to create a user, you'll have to provide credentials that have enough rights to create this zabbix user.

mrdumpty commented 5 years ago

> But in order to create a user, you'll have to provide credentials that have enough rights to create this zabbix user.

I mean this is bad security design. Imagine you're a database administrator and your server runs several databases for different projects. Your teammate is asking you for a root account of the DB server. Why? Only for the purpose of installing a Zabbix server.

My opinion is that creating database users is best kept outside of this role's tasks (or kept just as an option for the convenience of deploying small all-in-one servers).

dj-wasabi commented 5 years ago

Ok, I understand. But what you describe is only for a minority of users; not everyone has a team of database administrators working on their job.

So if you want, you can create a PR for this functionality. I would however, based on that I think it is only for a minority of users, that a default installation should be able to create a user and a database during its run.

If you are not able to (or do not want to, which is of course also fine 😉) create a PR, then I will take a look at it. Don't know when though.

dj-wasabi commented 4 years ago

There is already a property named zabbix_database_creation for this functionality. When set to False (default is set to True), the database and corresponding user aren't created.
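
The separation of duties discussed in this thread, as an added example that is not part of any comment above or of the role's own documentation: a DBA-run play creates the database and an account scoped to it, and a second play runs the role with zabbix_database_creation disabled so it never needs an admin credential. It assumes a MySQL backend and the community.mysql collection; inventory host names, the vault and address variables, the socket path, and every role variable other than zabbix_database_creation are assumptions.

```yaml
# Added example; names marked "hypothetical" or "assumed" are not from the thread.
# Play 1: run by the DBA. The admin credential (local socket auth) stays in this play.
- name: Pre-provision the Zabbix database and a scoped account (DBA)
  hosts: dbserver                                   # hypothetical inventory host
  become: true
  tasks:
    - name: Create the empty zabbix database
      community.mysql.mysql_db:
        name: zabbix
        encoding: utf8
        collation: utf8_bin
        state: present
        login_unix_socket: /var/run/mysqld/mysqld.sock   # assumed socket path

    - name: Create an account limited to the zabbix schema
      community.mysql.mysql_user:
        name: zabbix
        host: "{{ zabbix_server_ip }}"              # hypothetical: address of the Zabbix server
        password: "{{ vault_zabbix_db_password }}"  # hypothetical vault variable
        priv: "zabbix.*:ALL"                        # no global privileges, no other schemas
        state: present
        login_unix_socket: /var/run/mysqld/mysqld.sock
      no_log: true                                  # keep the password out of task output

# Play 2: run by the monitoring team. Only the scoped credential is known here.
- name: Install Zabbix server without creating the database or user
  hosts: zabbix                                     # hypothetical inventory host
  become: true
  roles:
    - role: dj-wasabi.zabbix-server
      vars:
        zabbix_database_creation: false             # property named in the thread
        zabbix_server_database: mysql               # assumed role variable
        zabbix_server_database_long: mysql          # assumed role variable
        zabbix_server_dbhost: "{{ db_host }}"       # assumed role variable, hypothetical value
        zabbix_server_dbname: zabbix                # assumed role variable
        zabbix_server_dbuser: zabbix                # assumed role variable
        zabbix_server_dbpassword: "{{ vault_zabbix_db_password }}"
```

Running `SHOW GRANTS` for the zabbix account on the database server afterwards confirms it holds privileges on `zabbix.*` only.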