| From: | "Wappler, Robert" <rwappler(at)ophardt(dot)com> |
|---|---|
| To: | <pgsql-general(at)postgresql(dot)org> |
| Subject: | Re: Restricting the CREATEROLE privilege |
| Date: | 2010-02-25 15:22:21 |
| Message-ID: | C8E2DAF0E663A948840B04023E0DE32A0260B71C@w2k3server02.de.ophardt.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
On 2010-02-25, Alex Hunsaker wrote:
> You could create a base role that does not have connect privileges on
> the other databases. Then just inherit from that role. Something
like:
> CREATE ROLE base_user; REVOKE CONNECT ON database from base_user; ...
>
> CREATE ROLE my_user inherit base_user;
>
Unfortunately, base_user inherits the connect privileges from role
PUBLIC, regardless, whether it was created with NOINHERIT.
> You could also go the other route and default deny connect databases
> and explicitly allow connect.
>
That other way round seems to be the only solution for now, first revoke
the CONNECT privileges from PUBLIC and then grant them to individual
roles.
How about changing the CREATEROLE privilege to be associated with a
specific database instead of affecting all databases?
--
Robert...
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Terry | 2010-02-25 15:42:42 | Re: select issue with order v8.1 |
| Previous Message | paragasu | 2010-02-25 15:21:21 | Re: postgres password change |