Home > mailing lists

Re: Creating a role with read only privileges but user is allowed to change password - Mailing list pgsql-general

From	Tom Lane
Subject	Re: Creating a role with read only privileges but user is allowed to change password
Date	May 11, 2014 19:56:37
Msg-id	1789.1399827393@sss.pgh.pa.us Whole thread Raw
In response to	Creating a role with read only privileges but user is allowed to change password (Ravi Roy <ravi.aroy@gmail.com>)
Responses	Re: Creating a role with read only privileges but user is allowed to change password
List	pgsql-general

Tree view

Ravi Roy <ravi.aroy@gmail.com> writes:
> I've created a role named "MyRole" in posgresql with the following :

> CREATE ROLE "MyRole" NOSUPERUSER LOGIN NOCREATEDB NOCREATEROLE NOINHERIT
> PASSWORD "MyPassword";

> ALTER ROLE "MyRole" set default_transaction_read_only = on;

> Because I wanted this role to readonly (can not change anything in DB but
> only view).

You realize, I hope, that breaking out of that restriction is no harder
than issuing

SET default_transaction_read_only = off;

or even

BEGIN TRANSACTION READ WRITE;

So that ALTER ROLE might be of some use as a protection against accidental
changes, but it's certainly no form of security restriction.  (What you
probably want to do instead of this is make sure the role doesn't have
select/update/delete privileges for any of your tables.)

> But later I realized this role is not even allowed to change his password.

Just do one of the above things first...

            regards, tom lane

pgsql-general by date:

From: Tom Lane
Date: 11 May 2014, 19:51:14
Subject: Re: Re: Partitioning such that key field of inherited tables no longer retains any selectivity

From: Ravi Roy
Date: 11 May 2014, 20:01:36
Subject: Re: Creating a role with read only privileges but user is allowed to change password

Re: Creating a role with read only privileges but user is allowed to change password - Mailing list pgsql-general

Previous

Next