Thread: Preventing database access (including valid users in other databases)

From: Allan Kamau
Date:
I would like to prevent users, including users who may
be valid in other databases, from accessing a
particular database. I have excluded database –
username associations of their usernames with the
database in the hba.conf file, but I observed that
they can still connect to the database and query metadata
(by use of \d) but cannot perform queries. Is there a
way to fully prevent database connect and query of
metadata?

Interesting scenario: I have a user who owns database
objects (tables, sequences) in a database. Now I have
decided not to allow the user to connect to the
database by excluding the user's username from the
database – username association in the hba.conf, and I
restarted the server. However, the user can still
connect to the database, and the user can query the
objects they own but cannot query objects they do not
own in that database. Is this the expected behaviour,
and should I explicitly change ownership of the
objects?

Allan.

Re: Preventing database access (including valid users in

From: Robert Treat
Date:
On Mon, 2005-09-26 at 06:09, Allan Kamau wrote:
> Interesting scenario, I have a user who owns database
> objects (tables, sequences) in a database, now I have
> decided not to allow the user to connect to the
> database by excluding the user's username from the
> database – username association in the hba.conf, I
> restarted the server. However the user can still
> connect to the database, and the user can query the
> objects they own but cannot query objects they do not
> own in that database. Is this the expected behaviour

Personally I think you've misconfigured your pg_hba.conf. If you'd like
to send it along with your db version you might be able to get a more
definitive answer.

> and should I explicitly change ownership of the
> objects?
>

Well, it doesn't make much sense to me to have a bunch of objects in a
database owned by someone who will never be allowed to connect to that
database.


Robert Treat
--
Build A Brighter Lamp :: Linux Apache {middleware} PostgreSQL
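
The behaviour discussed in this thread is consistent with how pg_hba.conf is evaluated: the first record that matches connection type, database, user and address decides the outcome, so leaving a user off one line does nothing if a broader line also matches. The following is an added example, not code or configuration from either poster; it is a simplified matcher (only `local`/`host` records, CIDR addresses, `all`, `sameuser` and comma lists), and every database name, user name and address in it is constructed.

```python
import ipaddress

def parse_hba(text):
    """Return pg_hba.conf records as (lineno, type, dbs, users, cidr, method)."""
    records = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        if fields[0] == "local":   # local DATABASE USER METHOD
            ctype, dbs, users, cidr, method = fields[0], fields[1], fields[2], None, fields[3]
        else:                      # host DATABASE USER CIDR-ADDRESS METHOD
            ctype, dbs, users, cidr, method = fields[:5]
        records.append((lineno, ctype, dbs.split(","), users.split(","), cidr, method))
    return records

def decide(records, ctype, database, user, addr=None):
    """First matching record wins, with no fall-through; no match means rejection."""
    for lineno, rtype, dbs, users, cidr, method in records:
        if rtype != ctype:
            continue
        if not ("all" in dbs or database in dbs
                or ("sameuser" in dbs and database == user)):
            continue
        if not ("all" in users or user in users):
            continue
        if cidr and ipaddress.ip_address(addr) not in ipaddress.ip_network(cidr):
            continue
        return lineno, method
    return None, "reject"

# Constructed sample: "olduser" is left off the payroll line, but the
# catch-all record below it still matches and lets them authenticate.
PERMISSIVE = """\
host  payroll  alice,bob  10.0.0.0/8  md5
host  all      all        10.0.0.0/8  md5
"""

# Constructed correction: an explicit reject for the database is placed
# before any broader record, so it is the first match for everyone else.
RESTRICTED = """\
host  payroll  alice,bob  10.0.0.0/8  md5
host  payroll  all        0.0.0.0/0   reject
host  all      all        10.0.0.0/8  md5
"""

if __name__ == "__main__":
    for name, conf in (("permissive", PERMISSIVE), ("restricted", RESTRICTED)):
        print(name, decide(parse_hba(conf), "host", "payroll", "olduser", "10.1.2.3"))
```

Running the same check against a real file shows which line actually admits a given user, which is the first thing to look at when an "excluded" user can still connect.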