Re: Security...

From: Simon Riggs <simon(at)2ndquadrant(dot)com>
To: Steve Holdoway <steve(at)treshna(dot)com>
Cc: pgsql-hackers(at)postgresql(dot)org
Subject: Re: Security...
Date: 2004-07-05 23:30:22
Message-ID: 1089070222.17493.150.camel@stromboli
Lists: pgsql-hackers

On Mon, 2004-07-05 at 23:27, Steve Holdoway wrote:
> Hi folks,
>
> I'm trying to seriously restrict what a particular user can see within a
> database. Using various schemas, rules, groups and grants, I've managed
> to restrict them to only being able to _do_ what I want them to, but
> they can still _see_ the rest of the schemas, system tables, etc. I've
> tried revoking everything on public, pg_catalogs, etc, but you can still
> describe tables.
>
> Anyone know how to stop this, or if it's even possible??
>

I think there was some discussion on this on the ODBC list.

Teradata and Oracle use views that have a subselect in them that only
displays objects that a user has at least one privilege on/over.

In Oracle, they're called ALL and USER views, so there are multiple
versions of the schema depending upon your (security) needs. Teradata
gives you the option at system init time.

Currently, psql issues complex SQL directly against the catalog, though
I did once have plans to rework that so the same commands would be
available from any interface.

Best regards, Simon Riggs
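
The privilege-filtered view approach described in the reply above, sketched for PostgreSQL as an added example (not part of the original message or of any project's code). The view name `visible_tables` and the demo role and tables are hypothetical and constructed for illustration.

```sql
-- Hypothetical view in the style of Oracle's ALL_ views: list only the
-- tables and views on which the calling user holds at least one privilege.
CREATE VIEW visible_tables AS
SELECT n.nspname                   AS schema_name,
       c.relname                   AS table_name,
       pg_get_userbyid(c.relowner) AS owner
FROM pg_catalog.pg_class c
JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace
WHERE c.relkind IN ('r', 'v')                      -- ordinary tables and views
  AND n.nspname NOT IN ('pg_catalog', 'information_schema')
  AND n.nspname NOT LIKE 'pg_toast%'
  -- The two-argument form checks the privileges of the current user,
  -- which inside a view is the caller, not the view owner.
  AND (   has_table_privilege(c.oid, 'SELECT')
       OR has_table_privilege(c.oid, 'INSERT')
       OR has_table_privilege(c.oid, 'UPDATE')
       OR has_table_privilege(c.oid, 'DELETE')
       OR has_table_privilege(c.oid, 'REFERENCES')
       OR has_table_privilege(c.oid, 'TRIGGER'));

GRANT SELECT ON visible_tables TO PUBLIC;

-- Constructed demo objects: one table the role may read, one it may not.
CREATE ROLE report_reader;
CREATE TABLE sales   (id integer);
CREATE TABLE payroll (id integer);
GRANT SELECT ON sales TO report_reader;

SET ROLE report_reader;

-- Through the view, only objects with at least one privilege are listed.
SELECT schema_name, table_name FROM visible_tables ORDER BY 1, 2;

-- Queried directly, the catalog is not filtered by privilege.
SELECT relname FROM pg_catalog.pg_class
WHERE relname IN ('sales', 'payroll') ORDER BY 1;

RESET ROLE;
```

The filter applies only to clients that read the view; the underlying catalog stays readable to every user, so a tool that queries `pg_class` directly, as psql does, still sees every table name.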

In response to

  • Security... at 2004-07-05 22:27:06 from Steve Holdoway
