| From: | "Jim C(dot) Nasby" <jnasby(at)pervasive(dot)com> |
|---|---|
| To: | Dan Tenenbaum <dandante(at)gmail(dot)com> |
| Cc: | pgsql-admin(at)postgresql(dot)org |
| Subject: | Re: the "users" group and restricting privileges |
| Date: | 2005-11-30 00:13:04 |
| Message-ID: | 20051130001304.GV78939@pervasive.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-admin |
On Tue, Nov 29, 2005 at 03:30:33PM -0800, Dan Tenenbaum wrote:
> I want to create a postgresql user with restricted permissions--all it
> should be able to do is select on a few views that I specify.
>
> So I did the following, as the database owner:
> create user viewer password 'xxxx';
> grant select on myview to viewer;
>
> Then, when I start psql as the viewer user, specifying the same database
> with the -d switch, I try this:
> select * from myview;
> and get this:
> ERROR: permission denied for schema myschema
> What do I need to do to get the correct permissions?
GRANT USAGE ON SCHEMA myschema TO viewer;
> Also, there is a group called "users" and the database owner is in that
> group. But I have not granted any explicit privileges to that group. And the
> database is owned by a particular user, not a group. However, I notice that
> when I added the "viewer" user to the "users" group, that the user seemed to
> be able to do everything that the database owner could do. That is not what
> I want. But the above (not being able to select a view that I thought I had
> select permission for) is not what I want either.
>
> The above paragraph would seem to suggest that a group called "users" has
> some special properties. I could not find any documentation for that in the
> postgres docs (I am using version 7.4). Perhaps I couldn't find it because
> almost every page in the docs seems to have the word "users" in it, so it is
> hard to disambiguate my search.
> If someone could point me towards documentation of the special properties of
> the "users" group that would be helpful...but the thing I most want help
> with is creating a user with restricted views as described above.
There is no default users group, only PUBLIC (which isn't really a group
in the system afaict).
If you install newsysviews (http://pgfoundry.org/projects/newsysviews/)
you can query pg_user_grants to help diagnose where the permissions are
comming from. Or you could use a big, hairy query to do it...
--
Jim C. Nasby, Sr. Engineering Consultant jnasby(at)pervasive(dot)com
Pervasive Software http://pervasive.com work: 512-231-6117
vcard: http://jim.nasby.net/pervasive.vcf cell: 512-569-9461
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Tom Lane | 2005-11-30 00:21:31 | Re: the "users" group and restricting privileges |
| Previous Message | Dan Tenenbaum | 2005-11-29 23:30:33 | the "users" group and restricting privileges |