Re: revoked permissions on table still allows users to see table's structure


 



We had the same problem, and we still do not have an elegant solution; we have a workaround which I really don't like.

I agree with Juan - it is a limitation. I understand that you can solve this problem outside of a database, but it will be nice to have a strictly read only user who can just see data of the assigned objects and nothing else.

Dinesh

On 7/22/2011 11:00 AM, Kevin Grittner wrote:
"Juan Cuervo (Quality Telecom)" <juanrcuervo@xxxxxxxxxxxxxxxxxxx> wrote:

Imagine you own a software development company,

Not too hard for me.  Been there, done that.

and decide to base the company's product on Postgresql databases.
Such a company surely doesn't want to expose its database design to
its customers, but in some time might want to provide 'select'
access to some users, so they can pull data to external data mining
or data analysis tools, for example. If this is not possible in
postgresql right now, then all users with connect privilege will
be able to see not only the table's structure, but also the stored
procedures code, which in many cases stores business logic or
know-how.

Imagine that the software is running on a machine under the client's
control, where they have root access to the OS.  They can then
disassemble or debug through code to see how the encrypted procedure
code is turned into something the database can compile, they can
connect to the database as the superuser to view all details.  The
only protection provided by what you suggest is from those too inept
to really pose a competitive threat.  If you think some other
product gives you protection beyond this, it is an illusion.

The only way to protect your schema and logic from view is to offer
"software as a service".  While someone might still infer a lot
about the structure of the data and the logic of the code from
observing its displays and the procedures available to the user, you
would have some insulation.

-Kevin



--
Sent via pgsql-admin mailing list (pgsql-admin@xxxxxxxxxxxxxx)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-admin

