Skip site navigation (1) Skip section navigation (2)

Extended security/restriction to any role with login access

From: "Domingo Alvarez Duarte" <mingodad(at)gmail(dot)com>
To: pgsql-hackers(at)postgresql(dot)org
Subject: Extended security/restriction to any role with login access
Date: 2008-06-25 12:12:00
Message-ID: c2f38c3e0806250512y72def40eof0cdc83347a63d50@mail.gmail.com (view raw or flat)
Thread:
Lists: pgsql-hackers
Hello !

I'm trying to use postgresql in an application that by design will give
access to users to a subset of the database.

For example for customers access to products_view (wich will only show
public offers), orders (only their own orders).

I'll provide an application as user interface for the data.

For that I'll give for each of then a role in the database that will belong
to a group role customers_group.

The customers_group only has access to the views/functions that I'll
specify.

Till here no problem postgresql do that pretty well.

My concern is once I give login access to any user, even without grant
him/her any access to any database, he/she can using an application like
pgadmin3 view all databases/roles/functions/table-definitions on my server.
And that was not my intention.

Removing all from public doesn't work : revoke all on schema public from
public;

What I think would be the server behavior when I create a role with login
access an say that I only grant access to one view like this:

create role oneuser login;
grant select on somedatabase.someview to oneuser;

In that case when the user login the only thing he/she sees is the view
database.someview, even when they use pgadmin3 to connect.

Actually he/she can see with pgadmin3 : all databases, all roles and it's
right access, all tables on every database (no access to data), all
functions, all triggers, all table definitions.

The above isn't the intention to a user with a restrict view of the
database.

Can I achieve it actually, if not how hard could be to implement that in the
official release ?

Thanks in advance for any feedback/ideas !

pgsql-hackers by date

Next:From: Domingo Alvarez DuarteDate: 2008-06-25 12:12:07
Subject: Extended security/restriction to any role with login access
Previous:From: Heikki LinnakangasDate: 2008-06-25 09:58:04
Subject: Re: the un-vacuumable table

Privacy Policy | About PostgreSQL
Copyright © 1996-2014 The PostgreSQL Global Development Group