Re: few security questions - Mailing list pgsql-admin

From Peter Eisentraut
Subject Re: few security questions
Msg-id Pine.LNX.4.21.0005292022500.359-100000@localhost.localdomain
In response to few security questions  (R D <mrk279@yahoo.com>)
List pgsql-admin
R D writes:

>   1. How can I forbid to some users to create tables
> in some databases which they can access.

You can't. Working on that ...

>   2. How can I GRANT/REJECT some privileges on all
> objects in a database TO/FROM some users, since I
> can't type "GRANT ALL ON * TO SOMEUSER;" in PgSQL. Is
> there any functional analog?

You can't internally. You can read the list of all tables from the
pg_class system catalog and have your application issue the command GRANT
x ON table1, table2, table3, ... TO y.

>   3. How can I reject to some users connections to
> some databases from any host using password
> authentication?

You can create a separate password file for the databases and only list
the users you want in that password file. The syntax for this is
`... password filename' in pg_hba.conf. See also the pg_passwd command for
making password files.

>   4. Why this pg_hba.conf does not allow users from
> 192.168.200.X to connect to the databases with message
> telling that there was no entry for 192.168.200.x in
> pg_hba.conf?
> # pg_hba.conf
>
> local  all                                   trust
> host   all    0.0.0.0          0.0.0.0       reject
> host   all    192.168.200.0    255.255.255.0 password

Because a mask of 0.0.0.0 matches every host, so the reject kicks in. The
logic here is that

    ({host entry} XOR {actual host}) AND {mask entry}

must be 0 for a record to match.


--
Peter Eisentraut                  Sernanders väg 10:115
peter_e@gmx.net                   75262 Uppsala
http://yi.org/peter-e/            Sweden
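
The matching rule from the answer to question 4, as an added example that is not part of the original message: it applies `(host entry XOR actual host) AND mask == 0` to the posted `host` records, and to the same two records with the specific network listed first. It assumes records are tried in file order and the first match decides; the function names and client addresses are constructed for illustration, and the database column is ignored because every record uses `all`.

```python
import ipaddress


def to_int(addr):
    """Dotted-quad IPv4 string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))


def record_matches(entry_addr, entry_mask, client_addr):
    """A record matches when (entry XOR client) AND mask is zero."""
    return ((to_int(entry_addr) ^ to_int(client_addr)) & to_int(entry_mask)) == 0


def parse_host_records(text):
    """Return (address, mask, method) for each 5-field 'host' record."""
    records = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) == 5 and fields[0] == "host":
            # fields[1] is the database column; only 'all' appears here.
            records.append((fields[2], fields[3], fields[4]))
    return records


def first_match(records, client_addr):
    """Method of the first matching record, or None if nothing matches."""
    for addr, mask, method in records:
        if record_matches(addr, mask, client_addr):
            return method
    return None


# The host records exactly as posted in the question.
AS_POSTED = """
local  all                                   trust
host   all    0.0.0.0          0.0.0.0       reject
host   all    192.168.200.0    255.255.255.0 password
"""

# Same records, specific network first (constructed for comparison).
REORDERED = """
local  all                                   trust
host   all    192.168.200.0    255.255.255.0 password
host   all    0.0.0.0          0.0.0.0       reject
"""

if __name__ == "__main__":
    for name, conf in (("as posted", AS_POSTED), ("reordered", REORDERED)):
        recs = parse_host_records(conf)
        for client in ("192.168.200.17", "10.1.2.3"):  # constructed clients
            print(f"{name:10} {client:15} -> {first_match(recs, client)}")
```

With a mask of 0.0.0.0 the AND always yields 0, so that record matches every client regardless of its address field.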

