On 12/09/2011 9:16 PM, Rainer Leo wrote:
> Hello,
>
> I have been asked to configure a database role to be used for ODBC access. So far I have done this:
>
> CREATE ROLE odbc_user LOGIN ENCRYPTED PASSWORD 'bar' NOSUPERUSER INHERIT NOCREATEDB NOCREATEROLE;
> REVOKE ALL ON DATABASE foo FROM odbc_user;
> REVOKE CREATE ON SCHEMA public FROM public;
> GRANT SELECT ON v_sales TO odbc_user;
>
> When I try:
>
> foo-> SELECT * FROM customers;
>
> access is denied as expected
>
> foo->\d baz
>
> I see table definitions.

You'd have to mess with permissions on the pg_catalog tables and the INFORMATION_SCHEMA views. This may have unexpected side-effects or cause some clients that expect to be able to use those schemas to get metadata to cease functioning correctly.

I don't think denying access to table definitions is part of the security model's goals at the moment; it's about limiting access to _data_ not DDL or definitions. You'll note that function sources are also available via pg_catalog, though it seems to be reasonably safe (from what I hear, having not tested it) to change permissions to deny access to those.

--
Craig Ringer
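
A privilege audit for the role set up in the quoted message, as an added example that is not part of the original thread. It separates what the role can read as data from what it can read as metadata. It assumes a superuser session connected to database foo, that v_sales lives in schema public, and that no table privileges have been granted to PUBLIC.

```sql
-- Added example (not from the thread): audit what odbc_user can reach in foo.
-- Role, database and view names are the ones used in the quoted message.

-- 1. Database- and schema-level privileges.
--    CONNECT and TEMPORARY on a database are granted to PUBLIC by default,
--    so REVOKE ALL ... FROM odbc_user by itself does not take them away.
SELECT has_database_privilege('odbc_user', 'foo', 'CONNECT')   AS can_connect,
       has_database_privilege('odbc_user', 'foo', 'TEMPORARY') AS can_create_temp,
       has_schema_privilege('odbc_user', 'public', 'USAGE')    AS can_use_public,
       has_schema_privilege('odbc_user', 'public', 'CREATE')   AS can_create_in_public;

-- 2. Data access: every user table or view on which the role holds SELECT,
--    whether granted directly, through membership, or through PUBLIC.
--    Under the stated assumptions only public.v_sales should be listed.
SELECT n.nspname AS schema_name,
       c.relname AS relation_name,
       c.relkind
FROM pg_catalog.pg_class c
JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace
WHERE c.relkind IN ('r', 'v', 'm')
  AND n.nspname NOT IN ('pg_catalog', 'information_schema')
  AND n.nspname NOT LIKE 'pg_toast%'
  AND has_table_privilege('odbc_user', c.oid, 'SELECT')
ORDER BY 1, 2;

-- 3. Metadata access: the catalogs that psql's \d reads stay readable,
--    which is why table definitions are visible even though the data is not.
--    pg_proc is included because it holds function sources.
SELECT c.relname AS catalog_table,
       has_table_privilege('odbc_user', c.oid, 'SELECT') AS role_can_read
FROM pg_catalog.pg_class c
JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace
WHERE n.nspname = 'pg_catalog'
  AND c.relname IN ('pg_class', 'pg_attribute', 'pg_namespace', 'pg_proc')
ORDER BY 1;
```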