Re: How does connect privilege works? - Mailing list pgsql-general

From Albe Laurenz
Subject Re: How does connect privilege works?
Date
Msg-id D960CB61B694CF459DCFB4B0128514C2084194F5@exadv11.host.magwien.gv.at
Whole thread Raw
In response to How does connect privilege works?  (Shridhar Daithankar <ghodechhap@ghodechhap.net>)
List pgsql-general
Shridhar Daithankar wrote:
> I am trying to setup a cluster for trac databases and want to isolate
each db, by assigning a specific
> user to a DB.
>
> I followed the documentation but as shown in the following example,
limiting access by connect does
> not seem to be working.
>
> What am I missing?

The fact that by default the CONNECT privilege is granted to
PUBLIC, so everybody can connect.

> shridhar@bheem ~$ createuser testuser1

> shridhar@bheem ~$ createdb testdb2
>
> shridhar@bheem ~$ psql testdb2
> testdb2=# revoke connect ON database testdb2 FROM testuser1;
> REVOKE
> testdb2=# \q
>
> shridhar@bheem ~$ psql -U testuser1 testdb2
> psql (9.1.4)
> Type "help" for help.
> testdb2=> \q

PostgreSQL privileges are additive, you cannot specifically deny
a privilege to a certain user when the privilege is granted to PUBLIC.

The REVOKE-Statement you quote does nothing (no CONNECT privilege
was granted to "testuser1").

What you'll have to do is first REVOKE CONNECT ON DATABASE testdb2
FROM PUBLIC and then grant it to those users that you want to be able
to connect.

A good idea would be to create a role "testdb2_users", grant this
role CONNECT and then add everybody to the role who should be allowed
to connect.

Yours,
Laurenz Albe

pgsql-general by date:

Previous
From: Craig Ringer
Date:
Subject: JSON in 9.2: limitations
Next
From: Samba
Date:
Subject: warnings about invalid "search_path"