
Re: Restricting the CREATEROLE privilege

From: "Wappler, Robert" <rwappler(at)ophardt(dot)com>
To: <pgsql-general(at)postgresql(dot)org>
Subject: Re: Restricting the CREATEROLE privilege
Date: 2010-02-25 15:22:21
Message-ID: C8E2DAF0E663A948840B04023E0DE32A0260B71C@w2k3server02.de.ophardt.com
Lists: pgsql-general
On 2010-02-25, Alex Hunsaker wrote:
 
> You could create a base role that does not have connect privileges on
> the other databases.  Then just inherit from that role.  Something
> like:
> CREATE ROLE base_user; REVOKE CONNECT ON database from base_user; ...
> 
> CREATE ROLE my_user inherit base_user;
> 

Unfortunately, base_user inherits the connect privileges from role
PUBLIC, regardless of whether it was created with NOINHERIT.

> You could also go the other route and default deny connect databases
> and explicitly allow connect.
>

That other way round seems to be the only solution for now: first revoke
the CONNECT privileges from PUBLIC and then grant them to individual
roles.

How about changing the CREATEROLE privilege to be associated with a
specific database instead of affecting all databases?

-- 
Robert...
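
Added example (not part of the original message or thread): a psql script
contrasting the two approaches discussed above, a revoke on the base role
alone versus default deny on PUBLIC followed by explicit grants. The
database names app_db and other_db are hypothetical; base_user and my_user
are the role names used in the quoted suggestion.

```sql
-- Added example. Assumes two existing databases, app_db and other_db
-- (hypothetical names), and a session running as a superuser.

-- Roles from the quoted suggestion, written with IN ROLE for membership.
CREATE ROLE base_user NOLOGIN NOINHERIT;
CREATE ROLE my_user LOGIN IN ROLE base_user;

-- Approach 1: revoke CONNECT from the base role only.
-- base_user holds no direct grant on other_db, so there is nothing to remove.
REVOKE CONNECT ON DATABASE other_db FROM base_user;

-- Check the effective privilege after approach 1. Privileges granted to
-- PUBLIC apply to every role and are not subject to NOINHERIT.
SELECT has_database_privilege('base_user', 'other_db', 'CONNECT') AS base_user_connect,
       has_database_privilege('my_user',   'other_db', 'CONNECT') AS my_user_connect;

-- Approach 2: default deny. Remove the CONNECT privilege that PUBLIC holds
-- on each database. Database-level permissions are not copied from the
-- template, so this has to be repeated for every database created later.
REVOKE CONNECT ON DATABASE app_db   FROM PUBLIC;
REVOKE CONNECT ON DATABASE other_db FROM PUBLIC;

-- Explicit allow: only the roles that need a database get CONNECT on it.
GRANT CONNECT ON DATABASE app_db TO my_user;

-- Audit the result per database and role.
SELECT d.datname,
       has_database_privilege('my_user',   d.datname, 'CONNECT') AS my_user_connect,
       has_database_privilege('base_user', d.datname, 'CONNECT') AS base_user_connect
FROM pg_database d
WHERE d.datname IN ('app_db', 'other_db')
ORDER BY d.datname;
```

Superusers and the database owner are unaffected by these revokes, and
pg_hba.conf rules still apply independently of the CONNECT privilege.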
 

