Securing Roles - Mailing list pgsql-novice
| From | Ryan Quinn |
|---|---|
| Subject | Securing Roles |
| Date | |
| Msg-id | 1477325777.5149.16.camel@gmail.com Whole thread Raw |
| List | pgsql-novice |
Hello, I'm playing around with setting up Postgres as a backend for an authoritative PowerDNS service, and I'm trying to compile data on how to setup the users in Postgres securely. I'm mostly familiar with MySQL, and the default permissions setup is a little bit different in Postgres. I'm just kind of confused about how to go about getting the grants correct. Here is the setup I'm going for: * Database: powerdomains * Tables and indexes specified here in the PowerDNS docs: https://rtfm. powerdns.com/md/authoritative/backend-generic-postgresql/ * Users: ** pdro - Read only user for the PowerDNS server. The PowerDNS docs mention this user only needs select access, but they may be targeting MySQL with that statement. ** pdrwd - Read, write, delete user for tools to add, edit, and remove entries. This user is implied by the PowerDNS docs, and it makes sense. Here is what I have so far: # After initdb: postgres=# revoke all on schema public from public; # Create the database: postgres=# create database powerdomains owner = postgres; # Cut down rights of the public role: postgres=# revoke all on database powerdomains from public; # Create the users: ## Create read-only user pdro. postgres=# create role pdro with login encrypted password 'secureropassword'; ## Create read-write-delete user pdrwd. postgres=# create role pdrwd with login encrypted password 'securerwdpassword'; # Grant permissions to pd users: ## Grant permissions to read-only user. postgres=# grant connect on database powerdomains to pdro; (At this point, the user is able to connect and select data, so I'm not sure the rest of the grants are necessary.) postgres=# grant usage on schema public to pdro; postgres=# grant select on all tables in schema public to pdro; postgres=# grant select on all sequences in schema public to pdro postgres=# grant execute on all functions in schema public to pdro; ## Grant permissions to read-write-delete user. postgres=# grant connect on database powerdomains to pdrwd; postgres=# grant usage on schema public to pdrwd; postgres=# grant select, update, insert, delete on all tables in schema public to pdrwd; postgres=# grant select on all sequences in schema public to pdrwd postgres=# grant execute on all functions in schema public to pdrwd; The steps above are based off of the Managing_rights_in_postgresql.pdf file I found (https://wiki.postgresql.org/images/d/d1/Managing_rights_i n_postgresql.pdf), so I'm not sure how old they are. Any references or advice is welcome. Ryan
pgsql-novice by date: