| From: | Greg Stark <gsstark(at)mit(dot)edu> |
|---|---|
| To: | Stefano Nichele <stefano(dot)nichele(at)gmail(dot)com> |
| Cc: | pgsql-general(at)postgresql(dot)org |
| Subject: | Re: user/grant - best practices handling permission in production system |
| Date: | 2009-07-23 21:38:54 |
| Message-ID: | 407d949e0907231438r29a596b6nebca8e1c72b43889@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
On Thu, Jul 23, 2009 at 10:09 PM, Stefano
Nichele<stefano(dot)nichele(at)gmail(dot)com> wrote:
> 2. using the user used in step 1, create the schema and populate tables with
> At this point the webapp should work correctly.
> The main missing point for me is how to perform step 4 in a simple way since
> it seems there is not a way to give the right grants to all db objects in
> one shot.
Well there isn't a way to do step 2 in one shot either. You'll have to
issue a CREATE statement for each object, it's no extra work to issue
a GRANT for each object with the specific rights the application
should have at that time. Think of it as an important part of the
process of creating a new object.
Note that it's probably not necessary to grant all rights to every
table. Most applications have some tables that are read-only or
insert-only from the point of view of the application. Your system
will be more secure if the application does not have unnecessary
privileges. So thinking about what rights to grant to the application
for each object when it's created is not a bad thing.
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Michael Gould | 2009-07-23 22:20:48 | citext contrib module (building indexes) |
| Previous Message | Brent Wood | 2009-07-23 21:17:32 | Re: commercial adaptation of postgres |