Search Postgresql Archives

Re: (Default) Group permissions

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 06/30/2013 09:56 PM, Andrew Sullivan wrote:
> On Sun, Jun 30, 2013 at 09:31:18PM -0400, Michael Orlitzky wrote:
>> (why do I get the feeling nobody is going to check out the repo):
> 
> Probably because you're asking random strangers on the Internet to
> help you solve their problems, and many of such strangers have other
> things to do than go somewhere else to learn about your problems.
> 

It's a link to a README file. You certainly don't have to clone the repo
and run the scripts.


>>   # Admins can do anything.
> 
> You've been able to create this situation with the superuser flag for
> as long as I can remember (I started with Postgres in the 6.5.x era,
> but I won't claim my memory goes back that far).
> 

I'm not giving root to people who don't need it. They need to be able to
read/write any database.


>>   # The customer's developers can access their own projects.
> 
> Surely this is the "create a database per user" issue.  Give each dev
> user a ROLE that is the same as the owner of the database.  This has
> been available for many releases.
> 
>>   # The anonymous user can only read things.
> 
> Create a role that can read anything (in a database?  In all
> databases?  You don't say) and GRANT that automatically to these anon
> users.  This has been possible for ages.
> 

In one database. The example.com user should be able to read the
example.com database. If you can come up with a way to grant permissions
automatically, I'd like to hear it. You can do it for a user but not for
a group, which is the whole problem I'm trying to describe.


>> This will work for eternity, and is perfectly secure.
> 
> It is not even remotely "perfectly" secure.  It has truck-sized holes.

I defined a set of requirements, and these permissions exactly meet them
without granting anyone access that they don't need. That's what I want.
I'm not going to argue over the meaning of "secure."




-- 
Sent via pgsql-general mailing list (pgsql-general@xxxxxxxxxxxxxx)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Postgresql Jobs]     [Postgresql Admin]     [Postgresql Performance]     [Linux Clusters]     [PHP Home]     [PHP on Windows]     [Kernel Newbies]     [PHP Classes]     [PHP Books]     [PHP Databases]     [Postgresql & PHP]     [Yosemite]
  Powered by Linux