Re: Restricting user to see schema structure - Mailing list pgsql-general

From Bryn Llewellyn
Subject Re: Restricting user to see schema structure
Date
Msg-id D52D6DE9-EC21-4F78-823F-A7564E130FD2@yugabyte.com
Whole thread Raw
In response to Restricting user to see schema structure  (Neeraj M R <neerajmr12219@gmail.com>)
Responses Re: Restricting user to see schema structure
List pgsql-general
neerajmr12219@gmail.com wrote:

bryn@yugabyte.com wrote:

What exactly do you mean by "have created a new user and granted connection access to database"? As I understand it, there's no such thing. I mentioned a simple test in my earlier email that showed that any user (with no schema of its own and no granted privileges) can connect to any database—and see the full metadata account of all its content. I'm teaching myself to live with this.

What I meant by 'created a new user' is that I have used the following commands.

CREATE USER <user_name> WITH ENCRYPTED PASSWORD '<password>';
GRANT CONNECT ON DATABASE <database> TO <user_name>;
GRANT USAGE ON SCHEMA <schema> TO <user_name>; 

Ah… there's obviously something I don't understand here. I've never used "grant connect on database"—and not experience an ensuing problem. I just tried this:

\c postgres postgres
create user joe login password 'joe';
revoke connect on database postgres from joe;
\c postgres joe

It all ran without error. (I've turned off the password challenge in my MacBook PG cluster.) I don't have a mental model that accommodates this. And a quick skim for this variant in the "GRANT" section of the PG doc didn't (immediately) help me. I obviously need to do more study. I'll shut up until I have.

pgsql-general by date:

Previous
From: Laurenz Albe
Date:
Subject: Re: Deferred constraint trigger semantics
Next
From: Bryn Llewellyn
Date:
Subject: Re: Deferred constraint trigger semantics