17-How to secure your Odoo 13 database?

Securing the database is very important to keep data safe in odoo and to isolate customer databases running on the same cluster. So we need to make the best practices in terms of users, passwords, access control management. Video Contents: 00:00 Introduction 00:35 Key points to secure Odoo 13 database 01:27 Secure Odoo 13 Database 01:48 Configuration of Odoo Config file 10:39 Configuration of PostgreSQL 13:00 Connection Settings of PostgreSQL Configuration 16:12 Security and Authentication for PostgreSQL First, let us go through some key points related to securing the Odoo 13 database: Set a strong super-admin password, and restrict access to the database management pages as soon as the system is set up Unique logins and strong passwords for all admin accounts on all databases Better not to install demo data that may contain default logins and passwords which is not secure to use Use database filters to restrict the visibility of your databases according to the hostname Make sure the PostgreSQL user (db_user) is not a super-user Now let us discuss the configurations that can be done to enhance the security of the database: In odoo.config file adds some database settings which include: admin_password-- admin_password is a master database password that is set at first boot and can be set from front end also.It is used to manage the databases ie. To create,duplicate,delete,backup and restore databases. db_host--To specify the database host.By default it is localhost db_port--The database port(by default it is None) db_user--Database User name db_password--Database password for db_user db_maxconn--Maximum number of physical connections to postgresql db_name and db_filter: It is used to determine which database should be used to load the website page Database should be selected based on the hostname (domain) that is being requested.Odoo is an multi-tenant system that run and serve a number of database instances which is not an issue for a logged in company user who can log-in and select the databases.But users like website users and portal users are not bound to the database.So it is neccessery to decide which database needed to be used to load the website page. db_filter value contains a regular expression, that includes the dynamically injected hostname (%h) or the first subdomain (%d) through which the system is being accessed. Following can be added to the configuration file [options] db_filter = ^yourcompany.*$ (It shows only databases matching the first subdomain) db_name=yourcompany ( This database only will be loaded) If db_name value is given as false, then all databases are loaded See the changes by restarting the service Configuring PostgreSQL In pg_hba.conf file: Here you can add local connections with address, methods and it is possible to allow replication connection from local host by a user with replication privilage. In postgresql.conf file: Connections and Authentication settings Set the following in your configuration file: Connection Settings: listen_addresses (string) port (integer) max_connections (integer) superuser_reserved_connections (integer) unix_socket_directories (string) unix_socket_group (string) unix_socket_permissions (integer) bonjour (boolean) bonjour_name (string) tcp_keepalives_idle (integer) tcp_keepalives_interval (integer) tcp_keepalives_count (integer) Security and Authentication: authentication_timeout (integer) ssl (boolean) ssl_ca_file (string) ssl_cert_file (string) ssl_crl_file (string) ssl_key_file (string) ssl_ciphers (string) ssl_prefer_server_ciphers (bool) ssl_ecdh_curve (string) password_encryption (boolean) krb_server_keyfile (string) krb_caseins_users (boolean) db_user_namespace (boolean) #odoodatabase #odoosecurity #odoo13