How to secure your Odoo 13 database?

Sebastian Stan
3 min read · Jul 20, 2020

Securing the database matters for two reasons: it keeps company data in Odoo safe, and it isolates customer databases that share the same PostgreSQL cluster. The controls are the usual ones, applied on both the Odoo side and the PostgreSQL side: unique users, strong passwords and tight access control.

First, the key points for securing an Odoo 13 database:

Set a strong super-admin (master) password and restrict access to the database management pages as soon as the system is set up. In Odoo 13 the manager can be switched off entirely with list_db = False in the configuration file once the databases exist, which also hides the list of databases from anyone probing the server.

Use unique logins and strong passwords for every admin account on every database; never reuse one admin password across tenants.

Do not install demo data on a production database: it creates well-known users and passwords that anyone can look up.

Use db_filter to restrict which databases are visible for a given hostname, so one tenant's users cannot see or select another tenant's database.

Make sure the PostgreSQL role that Odoo connects as (db_user) is not a superuser: its rolsuper flag in pg_roles must be false, and it should have rights only on the Odoo databases.

Now the configuration options that enhance the security of the database:

In the Odoo configuration file (odoo.conf), the database settings include:

admin_passwd (the master database password): set in the configuration file, or from the database manager page, and required to create, duplicate, drop, back up and restore databases. Because it gates every database on the server, treat it like a root password; Odoo 13 stores it as a hash when it is set from the manager page.

db_host: the PostgreSQL host. By default it is unset (False), which means a local connection over the Unix socket or localhost.
db_port: the PostgreSQL port. By default it is unset (None), so the libpq default of 5432 is used.
db_user: the PostgreSQL role Odoo connects as.
db_password: the password for db_user. It is stored in plaintext, so the configuration file must be readable only by the system user that runs Odoo.
db_maxconn: maximum number of physical connections each Odoo process opens to PostgreSQL (default 64). Size it against max_connections in postgresql.conf, remembering that every worker process keeps its own pool.

db_name and db_filter:

These decide which database serves a request.

The database is selected from the hostname (domain) that is being requested. Odoo is a multi-tenant system: one server can serve many databases. A backend user who is logging in can pick a database from the selector, but website visitors and portal users send requests that are not yet bound to any database, so Odoo has to decide which database to load the page from. Without a filter every database on the cluster is a candidate and shows up in the selector, which is both an information leak and an isolation problem on shared hosting.
db_filter is a regular expression matched against the database names. It may contain %h, which Odoo replaces with the full hostname being requested, and %d, which it replaces with the first subdomain (the part of the hostname before the first dot), so one rule can map each customer's hostname to its own database.

The following can be added to the configuration file:

[options]
; only databases whose name starts with "yourcompany" are visible (a fixed prefix, not tied to the hostname)
db_filter = ^yourcompany.*$
; only this database is loaded
db_name = yourcompany

To tie visibility to the requesting hostname instead, use the placeholders: db_filter = ^%d$ exposes only the database named after the first subdomain, and db_filter = ^%h$ only the one named after the full hostname. Keep the trailing $: the pattern is matched from the start of the name, so ^%d alone would also expose yourcompany_test from the yourcompany hostname.

If db_name is left unset (False), Odoo does not restrict itself to a single database: every database on the server that passes db_filter is exposed, and with no db_filter either, all of them are. db_name may also be a comma-separated list, in which case only those databases are exposed when no db_filter is set.
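To make the difference between a static prefix filter and a hostname-bound filter concrete, here is an added Python example, written for this page rather than taken from Odoo's code base, that reimplements the selection rule described above: %h and %d are substituted into db_filter, regex-escaped so a crafted Host header cannot inject metacharacters, and the pattern is matched from the start of each database name; with no db_filter, db_name (a comma-separated list) is used; with neither, everything is exposed. The cluster database names, the hostnames and the skipping of a leading www are assumptions of the example.

```python
import re

# Constructed list of databases on a shared PostgreSQL cluster (example data, not from the page).
CLUSTER_DBS = ["yourcompany", "yourcompany_test", "yourcompanystaging", "othertenant", "acme"]


def first_subdomain(host):
    """Value substituted for %d: the hostname up to the first dot.

    A leading 'www' is skipped so www.yourcompany.example.com maps to 'yourcompany';
    that www handling is an assumption of this example.
    """
    host = host.split(":")[0]  # drop an explicit port
    d, _, rest = host.partition(".")
    if d == "www" and rest:
        d = rest.partition(".")[0]
    return d


def visible_databases(dbs, host, dbfilter=None, db_name=None):
    """Illustrative reimplementation of the db_filter / db_name selection rule.

    1. If db_filter is set, substitute %h (full hostname) and %d (first subdomain),
       regex-escaping both so a crafted Host header cannot inject metacharacters,
       and keep the databases the pattern matches from the start of the name.
    2. Otherwise, if db_name is set, expose only the listed (comma-separated) names.
    3. Otherwise every database on the cluster is exposed.
    """
    h = host.split(":")[0]
    d = first_subdomain(h)
    if dbfilter:
        pattern = dbfilter.replace("%h", re.escape(h)).replace("%d", re.escape(d))
        return [db for db in dbs if re.match(pattern, db)]
    if db_name:
        exposed = {name.strip() for name in db_name.split(",")}
        return sorted(exposed & set(dbs))
    return list(dbs)


def compare_filters(host):
    """Show what each configuration exposes for one requesting hostname."""
    return {
        "static_prefix": visible_databases(CLUSTER_DBS, host, dbfilter=r"^yourcompany.*$"),
        "per_subdomain": visible_databases(CLUSTER_DBS, host, dbfilter=r"^%d$"),
        "prefix_subdomain": visible_databases(CLUSTER_DBS, host, dbfilter=r"^%d"),
        "db_name_only": visible_databases(CLUSTER_DBS, host, db_name="yourcompany"),
        "unfiltered": visible_databases(CLUSTER_DBS, host),
    }


if __name__ == "__main__":
    # The third host carries a regex metacharacter, as a hostile Host header might.
    for host in ("yourcompany.example.com", "othertenant.example.com", "acme|yourcompany.example.com"):
        print(host)
        for name, dbs in compare_filters(host).items():
            print(f"  {name:18} -> {dbs}")
```

Compare the rows: ^yourcompany.*$ returns the same three databases whatever hostname is requested, so on a shared cluster it does nothing to isolate tenants; ^%d$ returns exactly one database per subdomain; ^%d without the anchor also exposes yourcompany_test; and the host carrying a | yields nothing because the substituted value is escaped rather than interpreted as an alternation.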

Restart the Odoo service for the changes to take effect.

Configuring PostgreSQL

In the pg_hba.conf file:

Each line is a rule made of connection type (local, host, hostssl), database, user, client address and authentication method. Keep the rules minimal: allow the Odoo role to reach only the Odoo databases, only from the application host or the local socket, and authenticate with scram-sha-256 (md5 on servers older than PostgreSQL 10) rather than trust. A replication connection from localhost can be allowed for a dedicated role with the REPLICATION privilege, again with password authentication, never trust.

In the postgresql.conf file:

Connection and authentication settings. Review the following parameters:

Connection settings:

listen_addresses (string): the interfaces PostgreSQL listens on. Use localhost, or the application server's address, never * on a shared host.
port (integer): the TCP port (default 5432); it must match db_port in Odoo.
max_connections (integer): the server-wide connection limit; every Odoo worker process keeps its own pool of up to db_maxconn connections, so size this accordingly.
superuser_reserved_connections (integer): slots kept free so an administrator can still connect when Odoo has exhausted the pool.
unix_socket_directories (string)
unix_socket_group (string)
unix_socket_permissions (integer): restrict the socket to the postgres and Odoo system users (for example 0770 with a shared group) so other local accounts cannot connect.
bonjour (boolean)
bonjour_name (string): keep Bonjour advertising off; a database server has no reason to announce itself on the network.
tcp_keepalives_idle (integer)
tcp_keepalives_interval (integer)
tcp_keepalives_count (integer)

Security and authentication:

authentication_timeout (integer): seconds a client has to complete authentication; keep it short so half-open connections cannot hold slots.
ssl (boolean): turn on whenever Odoo and PostgreSQL are not on the same host.
ssl_ca_file (string)
ssl_cert_file (string)
ssl_crl_file (string)
ssl_key_file (string): the key file must be readable only by the postgres user.
ssl_ciphers (string)
ssl_prefer_server_ciphers (boolean): restrict to modern cipher suites and let the server choose.
ssl_ecdh_curve (string)
password_encryption: md5 or scram-sha-256 in PostgreSQL 10 and later (it was a boolean in older releases); use scram-sha-256 and matching scram-sha-256 rules in pg_hba.conf.
krb_server_keyfile (string)
krb_caseins_users (boolean)
db_user_namespace (boolean): leave off unless you rely on per-database user names.
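The two lists above name parameters without showing which values are safe. The added Python example below, written for this page and not part of Odoo or PostgreSQL, parses constructed pg_hba.conf and postgresql.conf fragments and flags the settings a reviewer would reject: trust or cleartext password authentication, rules open to 0.0.0.0/0 or ::/0, network rules for database=all user=all, listen_addresses = '*', SSL off, and a password_encryption other than scram-sha-256. The sample addresses, the role names (odoo, replicator) and the file contents are assumptions; the hardened variants show the shape to aim for.

```python
import re
from typing import List

# Constructed sample configuration files (example data, not from the page).
WEAK_HBA = """\
# TYPE  DATABASE  USER  ADDRESS     METHOD
local   all       all               trust
host    all       all   0.0.0.0/0   md5
host    all       all   ::/0        password
"""

HARDENED_HBA = """\
# TYPE  DATABASE     USER        ADDRESS        METHOD
local   all          postgres                   peer
local   yourcompany  odoo                       scram-sha-256
host    yourcompany  odoo        10.0.1.5/32    scram-sha-256
host    replication  replicator  127.0.0.1/32   scram-sha-256
"""

WEAK_PG = """\
listen_addresses = '*'
ssl = off
password_encryption = md5
"""

HARDENED_PG = """\
listen_addresses = 'localhost,10.0.1.2'   # application server only
ssl = on
ssl_cert_file = 'server.crt'
ssl_key_file = 'server.key'
password_encryption = scram-sha-256
"""

OPEN_ADDRESSES = {"0.0.0.0/0", "::/0", "all"}
WEAK_METHODS = {
    "trust": "no password at all",
    "password": "cleartext password on the wire",
    "md5": "legacy hash; prefer scram-sha-256",
}
NETMASK = re.compile(r"^[0-9a-fA-F.:]+$")  # a bare IPv4/IPv6 mask, never an auth method name


def parse_hba_rule(fields: List[str]):
    """Split one pg_hba.conf rule into (type, database, user, address, method).

    local rules carry no address; host rules may give the mask as a separate
    field (ADDRESS NETMASK) instead of CIDR notation. Returns None for junk.
    """
    kind = fields[0]
    if kind == "local":
        return (kind, fields[1], fields[2], None, fields[3]) if len(fields) >= 4 else None
    if len(fields) < 5:
        return None
    if len(fields) >= 6 and "/" not in fields[3] and NETMASK.match(fields[4]):
        return (kind, fields[1], fields[2], f"{fields[3]} {fields[4]}", fields[5])
    return (kind, fields[1], fields[2], fields[3], fields[4])


def audit_pg_hba(text: str) -> List[str]:
    """Flag pg_hba.conf rules that weaken isolation of tenant databases."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # drop comments, then tokenize
        rule = parse_hba_rule(fields) if fields else None
        if rule is None:
            continue
        kind, database, user, address, method = rule
        if method in WEAK_METHODS:
            findings.append(f"pg_hba line {lineno}: method {method}: {WEAK_METHODS[method]}")
        if address in OPEN_ADDRESSES:
            findings.append(f"pg_hba line {lineno}: address {address} accepts clients from any network")
        if kind != "local" and database == "all" and user == "all":
            findings.append(f"pg_hba line {lineno}: database=all user=all lets any role reach any tenant database over the network")
    return findings


def parse_postgresql_conf(text: str) -> dict:
    """Minimal key = value parser for postgresql.conf (quotes and trailing comments stripped)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            key, _, value = line.partition("=")
            settings[key.strip()] = value.strip().strip("'")
    return settings


def audit_postgresql_conf(text: str) -> List[str]:
    """Flag connection/authentication settings that expose the server or its passwords."""
    s = parse_postgresql_conf(text)
    findings = []
    if s.get("listen_addresses", "localhost") == "*":
        findings.append("listen_addresses = '*' binds every interface; list localhost or the application host")
    if s.get("ssl", "off") != "on":
        findings.append("ssl is off; credentials and ERP data cross the network in cleartext")
    if s.get("password_encryption", "md5") != "scram-sha-256":
        findings.append("password_encryption is not scram-sha-256 (available since PostgreSQL 10)")
    return findings


if __name__ == "__main__":
    for label, hba, pg in (("weak", WEAK_HBA, WEAK_PG), ("hardened", HARDENED_HBA, HARDENED_PG)):
        print(label, audit_pg_hba(hba) + audit_postgresql_conf(pg) or ["no findings"])
```

The weak pair produces ten findings and the hardened pair none. The parser accepts the ADDRESS NETMASK form as well as CIDR and ignores comments, but it is an audit aid, not a substitute for reading the files; scram-sha-256 requires PostgreSQL 10 or later on the server and a client library that supports it.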

Odoo / OpenERP is a suite of enterprise management applications targeting small, medium and multinational enterprises across several departments. Odoo ERP brings management areas such as Manufacturing, Finance and Accounting, Purchase, Sales, Warehouse, Customer Relationship Management, Human Resources, Point of Sale, Ecommerce and Website, Project Management and Document Management under one roof, improving the efficiency and productivity of an enterprise.
