Re: revoked permissions on table still allows users to see table's structure

From: Bob Lunney <bob_lunney(at)yahoo(dot)com>
To: "Juan Cuervo (Quality Telecom)" <juanrcuervo(at)quality-telecom(dot)net>
Cc: "pgsql-admin(at)postgresql(dot)org" <pgsql-admin(at)postgresql(dot)org>
Subject: Re: revoked permissions on table still allows users to see table's structure
Date: 2011-07-22 14:14:09
Message-ID: 1311344049.24170.YahooMailNeo@web39701.mail.mud.yahoo.com
Lists: pgsql-admin

Juan,

That is what schemas, permissions and search paths are for.  You create multiple schemas, put the tables in the appropriate ones, grant usage permissions to those users that need access to the schemas and set the search path to search the schemas for objects.  Below is the test case.  It helps if you reset the psql prompt to display the current user:

\set PROMPT1 '%m:%>:%n:%/:%R%x%# '

As the database owner:

create schema seethat;
create schema seewhat;
create user al_low;
create user dee_ny;
grant usage on schema seethat to al_low, dee_ny;
grant usage on schema seewhat to al_low;
set search_path to seethat, seewhat, public;

create table seethat.open(open_id int);
create table seewhat.closed(closed_id int);

set session authorization al_low;

\d

set session authorization dee_ny;

\d

Hope that helps!

Bob Lunney

----- Original Message -----
From: Juan Cuervo (Quality Telecom) <juanrcuervo(at)quality-telecom(dot)net>
To: Scott Marlowe <scott(dot)marlowe(at)gmail(dot)com>
Cc: pgsql-admin(at)postgresql(dot)org
Sent: Friday, July 22, 2011 8:24 AM
Subject: Re: [ADMIN] revoked permissions on table still allows users to see table's structure

Hi Scott

Thanks for your answer.

There should be a way to prevent this for normal users who only need
access to a set of tables, a view or even a stored procedure. (Maybe a
VIEW_SCHEMA privilege of roles?). Viewing a table's structure should only
be allowed to users who have at least one privilege on the table.

It doesn't make much sense to me that every user with access to the
database would be able to see the whole database design.

Do you know if this is common in other RDBMS ?

Regards,

Juan R. Cuervo Soto
Quality Telecom Ltd
www.quality-telecom.net
PBX : (575) 3693300
CEL : (57)  301-4174865

On 21/07/2011 08:48 p.m., Scott Marlowe wrote:
> On Thu, Jul 21, 2011 at 6:08 PM, Juan Cuervo (Quality Telecom)
> <juanrcuervo(at)quality-telecom(dot)net>  wrote:
>> Hi All
>>
>> I'm new to the list, but have a few years as postgres user. I want to share
>> what I consider a rare behavior of postgresql regarding database objects'
>> permissions:
>>
>> I have noticed that there is no way (at least none I know of) to prevent a
>> user from seeing the table structures in a database.
>>
>> Is this a normal behavior of the product ?
> Yep.  Completely normal.
>
>> Is there a way to prevent a user from seeing my tables', procedures' and
>> functions' code ?
> Don't let them connect to the db?  That's all I can think of.
>
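
The schema test case in the reply above can be checked with catalog queries instead of reading \d output by eye. This is an added example, not part of the original message; it assumes the schemas, roles and tables from that test case already exist and that the session is allowed to run SET SESSION AUTHORIZATION (a superuser connection).

```sql
-- Added example (not from the thread). Assumes seethat, seewhat, al_low,
-- dee_ny, seethat.open and seewhat.closed exist as created in the test case.

-- 1. Audit schema USAGE for both roles in one result set.
select r.rolname,
       n.nspname,
       has_schema_privilege(r.rolname, n.nspname, 'USAGE') as has_usage
from pg_roles r
cross join pg_namespace n
where r.rolname in ('al_low', 'dee_ny')
  and n.nspname in ('seethat', 'seewhat')
order by r.rolname, n.nspname;

-- 2. Reproduce what \d resolves for the restricted role.
set search_path to seethat, seewhat, public;
set session authorization dee_ny;

-- Effective search path: schemas the role lacks USAGE on are omitted.
select current_schemas(false);

-- Same visibility filter that \d applies (pg_table_is_visible).
select n.nspname, c.relname
from pg_catalog.pg_class c
join pg_catalog.pg_namespace n on n.oid = c.relnamespace
where c.relkind = 'r'
  and pg_catalog.pg_table_is_visible(c.oid)
  and n.nspname not in ('pg_catalog', 'information_schema')
order by 1, 2;

-- 3. Audit what the same role can still read straight from the system
--    catalogs, which are readable by every role by default. Compare this
--    result with step 2 to see what schema USAGE does and does not hide.
select n.nspname, c.relname, a.attname,
       pg_catalog.format_type(a.atttypid, a.atttypmod) as data_type
from pg_catalog.pg_attribute a
join pg_catalog.pg_class c on c.oid = a.attrelid
join pg_catalog.pg_namespace n on n.oid = c.relnamespace
where n.nspname in ('seethat', 'seewhat')
  and c.relkind = 'r'
  and a.attnum > 0
  and not a.attisdropped
order by 1, 2, a.attnum;

reset session authorization;
```

Step 2 covers name resolution and the \d listing; step 3 covers the direct catalog reads that the original question in this thread is about, so both belong in any review of what a low-privilege role can learn about the design.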
