Thread: Best procedure for restricted access

Best procedure for restricted access

From
Rainer Leo
Date:
Hello,

I have been asked to configure a database role
to be used for ODBC access.

So far I have done this:

CREATE ROLE odbc_user LOGIN
  ENCRYPTED PASSWORD 'bar'
  NOSUPERUSER INHERIT NOCREATEDB NOCREATEROLE;

REVOKE ALL ON DATABASE foo FROM odbc_user;
REVOKE CREATE ON SCHEMA public FROM public;
GRANT SELECT ON v_sales TO odbc_user;

When I try:

foo-> SELECT * FROM customers;
access is denied as expected

foo->\d baz
I see table definitions.


How can I restrict the role "odbc_user" to just
"SELECT whatever FROM v_sales;" and nothing else?


Any help would be very appreciated.


Regards,

Rainer Leo

workfile Datenbankservice
Bocksberg 20c
D-22395 Hamburg                                

Fon: 040.60 44 90 41
Fax: 040.34 92 61 08
www.workfile.de


Re: Best procedure for restricted access

From
Craig Ringer
Date:
On 12/09/2011 9:16 PM, Rainer Leo wrote:
> Hello,
>
> I have been asked to configure a database role
> to be used for ODBC access.
>
> So far I have done this:
>
> CREATE ROLE odbc_user LOGIN
>    ENCRYPTED PASSWORD 'bar'
>    NOSUPERUSER INHERIT NOCREATEDB NOCREATEROLE;
>
> REVOKE ALL ON DATABASE foo FROM odbc_user;
> REVOKE CREATE ON SCHEMA public FROM public;
> GRANT SELECT ON v_sales TO odbc_user;
>
> When I try:
>
> foo->  SELECT * FROM customers;
> access is denied as expected
>
> foo->\d baz
> I see table definitions.

You'd have to mess with permissions on the pg_catalog tables and the
INFORMATION_SCHEMA views. This may have unexpected side-effects or cause
some clients that expect to be able to use those schema to get metadata
to cease functioning correctly.

I don't think denying access to table definitions is part of the
security model's goals at the moment; it's about limiting access to
_data_ not DDL or definitions. You'll note that function sources are
also available via pg_catalog, though it seems to be reasonably safe
(from what I hear, having not tested it) to change permissions to deny
access to those.

--
Craig Ringer