Rails uses one ID for database

Hi, I am a beginner for Rails. I just studied the GUIDE and did some exercises (https://www.railstutorial.org/book). However I have one concern. Rails uses ONE ID (usually is ROOT) to do everything on database, such as DB migration, application accesses database, etc. This architecture raises a security concern, especially the cyber attack is happening so often nowadays. Although RAILS has strong parameters feature but once a hacker is hacking into database, hacker has total control on the database. Is a way to use one ID for database migration (i.e. database schema owner) and another ID for application access (to database)? The ID for application to access database should have limited privileges.

Does anyone know a way to implement one ID to do the database migration and another ID to access database? Share your solution will be appreciated.

Hi, I am a beginner for Rails. I just studied the GUIDE and did some exercises (https://www.railstutorial.org/book). However I have one concern. Rails uses ONE ID (usually is ROOT) to do everything on database, such as DB migration, application accesses database, etc.

It should certainly not be root. That is entirely up to you to specify.

This architecture raises a security concern, especially the cyber attack is happening so often nowadays. Although RAILS has strong parameters feature but once a hacker is hacking into database, hacker has total control on the database. Is a way to use one ID for database migration (i.e. database schema owner) and another ID for application access (to database)? The ID for application to access database should have limited privileges.

Does anyone know a way to implement one ID to do the database migration and another ID to access database? Share your solution will be appreciated.

I think once a hacker has any write access to the database you are doomed anyway. The user name should only allow him access to the one database.

Colin

Expanding a bit on Colin's response: the id's and credentials you use during development and test should be completely different from the id's and credentials your application will use in production. Development and test can have relaxed security, as the databases and other things should be quite isolated from the Internet as a whole.

When your application is ready to be put into production, i.e. deployed, you will need to take precautions such as you allude to ensuring proper security when the world has visibility on your application.