RoR: separate the db DBA user and the db app user

Question

How can I separate the database DBA user and app access user in rails? The app user will be able to run the app but perform no DDL. The DBA user will be used for migrations.

I do not want the user that runs the rails app to be able to create, drop or modify database objects. This type of user access-rights separation is a pretty minimal best practice and I am concerned that this does not seem to be the norm in the rails world. What am I missing?

My current thinking is that I should create 2 stanzas per database in the database.yml file. One for the dba user and one for the normal app user. Does anyone have any better suggestions?

Answer 1

In your database.yml file, specify the DBA credentials in the development environment, and the "normal user" credentials in the production environment. Either don't run migrations on the production server, and use a different technique to update the schema there once you have settled on your DB structure, or change the password in the yml file to the DBA for installation/upgrades, and return it to "normal" once you have things working in production.