Re: Who should own database? - Mailing list pgsql-novice

From David G Johnston
Subject Re: Who should own database?
Date
Msg-id 1423583735766-5837380.post@n5.nabble.com
In response to Re: Who should own database?  (Daniel Staal <DStaal@usa.net>)
List pgsql-novice
Daniel Staal wrote
> --As of February 10, 2015 4:04:55 PM +0300, petrov.boris.v@ is
> alleged to have said:
>
>> If one has database web_site_data
>> And two users: php_script and boris_developer
>> Who should own database?
>>
>> I have some point on that when using mysql, but PostgreSQL role
>> management looks much more versatile, so I am looking for opinion of
>> PostgreSQL users. What is your practice and why?
>
> --As for the rest, it is mine.
>
> Who needs to do what with the database?  The owner should be the user that
> needs the permissions that come with being the owner.  (Or the owner should
> be a specific account set up just to be the owner, and the others should
> only have the permissions they need.)
>
> From just the names, I'd suggest if you are picking one of the two, to have
> boris_developer be the owner, as php_script sounds like a web interface,
> and it's usually best not to give web interfaces any permission they don't
> absolutely *need*.

I tend to use both user roles and group roles.  Schema object ownership is
given to group roles.  There is also a user role that is given membership in
this group role.  Only your schema loader code needs to use this user; all
others get roles that do not inherit from this owner role.  The owner login
role should issue "set role [owner group role]" before issuing create
statements and the like.

Maybe a bit of over-engineering initially but it's worth considering.
Slightly simpler is to make the owner role a login role.  In either case
client application users should never be able to get owner permissions.

David J.
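
The role layout described in the message above, as an added example that is not part of the original post. The names web_site_owner, schema_loader, the app schema and the app.page table are assumptions, and so are the specific privileges granted to php_script and boris_developer; web_site_data, php_script and boris_developer come from the thread.

```sql
-- Constructed example. Part 1 runs as a superuser (or a role with
-- CREATEROLE and CREATEDB) while connected to any existing database.

-- Group role that owns the objects. NOLOGIN: nobody connects as it directly.
CREATE ROLE web_site_owner NOLOGIN;

-- Login role used only by the schema loader / migration code.
-- NOINHERIT: owner rights apply only after an explicit SET ROLE.
CREATE ROLE schema_loader LOGIN NOINHERIT;
GRANT web_site_owner TO schema_loader;

-- Client roles: deliberately NOT members of web_site_owner.
CREATE ROLE php_script LOGIN;
CREATE ROLE boris_developer LOGIN;

CREATE DATABASE web_site_data OWNER web_site_owner;
REVOKE ALL ON DATABASE web_site_data FROM PUBLIC;
GRANT CONNECT ON DATABASE web_site_data
    TO schema_loader, php_script, boris_developer;

-- Part 2 runs in a session connected to web_site_data as schema_loader.

-- Switch to the group role so every object created below is owned by
-- web_site_owner rather than by the schema_loader login role.
SET ROLE web_site_owner;

CREATE SCHEMA app;
CREATE TABLE app.page (
    id    bigint PRIMARY KEY,
    title text NOT NULL,
    body  text
);

-- Clients get only the privileges they need (assumed set, adjust as needed).
GRANT USAGE ON SCHEMA app TO php_script, boris_developer;
GRANT SELECT, INSERT, UPDATE ON app.page TO php_script;
GRANT SELECT ON app.page TO boris_developer;

-- Verification: who owns the table, and whether the web role can reach
-- the owner role through membership.
SELECT tableowner FROM pg_tables
 WHERE schemaname = 'app' AND tablename = 'page';
SELECT pg_has_role('php_script', 'web_site_owner', 'MEMBER') AS php_is_owner;

RESET ROLE;
```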
