Re: [HACKERS] user-based query white list

2017-07-03 Thread Euler Taveira
2017-07-03 3:11 GMT-03:00 Tim Burgan:
> Since then, is it now possible to configure a user to only be able to execute a limited white-listing of queries? Is this something that could now be implemented through extensions?

Since pg_stat_statements infrastructure, it

[HACKERS] user-based query white list

2017-07-03 Thread Tim Burgan
This old thread on "user-based query white list" is now nearly 10 years old! http://grokbase.com/t/postgresql/pgsql-hackers/08c6zh42fa/user-based-query-white-list Since then, is it now possible to configure a user to only be able to execute a limited white-listing of queries? Is this something

Re: [HACKERS] user-based query white list

2008-12-08 Thread Andrew Chernow
Andrew Dunstan wrote: Andrew Chernow wrote: I think what is missing is a way to deny the execution of queries that don't operate on an object (like a table, sequence, role, schema, etc...), OR queries not covered by the priv system. Object-based queries can be locked down using the

Re: [HACKERS] user-based query white list

2008-12-07 Thread Asko Oja
Hi. We use plproxy for this kind of security enhancement. We create plpgsql functions that do what's needed and then we create so-called proxy database that contains only plproxy interfaces for these functions. Users get access only to proxy database. This way it is easier to rest assured that

Re: [HACKERS] user-based query white list

2008-12-07 Thread Hannu Krosing
On Sat, 2008-12-06 at 13:30 -0500, Andrew Chernow wrote: Grzegorz Jaskiewicz wrote: On 2008-12-06, at 18:21, Andrew Chernow wrote: Looking for a way to limit a user to a specific set of queries. I don't think this can be done right now ... or can it? Has this feature request

Re: [HACKERS] user-based query white list

2008-12-07 Thread Merlin Moncure
There is extra safety from using whitelists... For one, it's trivial to write a query that consumes unlimited CPU resources that accesses no built-in tables or functions. There are various other dangerous things that are difficult to lock down like temp tables. Assuming you can handle

Re: [HACKERS] user-based query white list

2008-12-07 Thread Andrew Chernow
Merlin Moncure wrote: There is extra safety from using whitelists... For one, it's trivial to write a query that consumes unlimited CPU resources that accesses no built-in tables or functions. There are various other dangerous things that are difficult to lock down like temp tables. Assuming

Re: [HACKERS] user-based query white list

2008-12-07 Thread Andrew Dunstan
Andrew Chernow wrote: I think what is missing is a way to deny the execution of queries that don't operate on an object (like a table, sequence, role, schema, etc...), OR queries not covered by the priv system. Object-based queries can be locked down using the existing priv system. Not

Re: [HACKERS] user-based query white list

2008-12-07 Thread Andrew Chernow
Andrew Dunstan wrote: Andrew Chernow wrote: I think what is missing is a way to deny the execution of queries that don't operate on an object (like a table, sequence, role, schema, etc...), OR queries not covered by the priv system. Object-based queries can be locked down using the

[HACKERS] user-based query white list

2008-12-06 Thread Andrew Chernow
Looking for a way to limit a user to a specific set of queries. I don't think this can be done right now ... or can it? Has this feature request surfaced in the past? I currently need this as an extra security measure for a libpq client app (want to block arbitrary queries from malicious

Re: [HACKERS] user-based query white list

2008-12-06 Thread Grzegorz Jaskiewicz
On 2008-12-06, at 18:21, Andrew Chernow wrote: Looking for a way to limit a user to a specific set of queries. I don't think this can be done right now ... or can it? Has this feature request surfaced in the past? I currently need this as an extra security measure for a libpq client

Re: [HACKERS] user-based query white list

2008-12-06 Thread Andrew Chernow
Grzegorz Jaskiewicz wrote: On 2008-12-06, at 18:21, Andrew Chernow wrote: Looking for a way to limit a user to a specific set of queries. I don't think this can be done right now ... or can it? Has this feature request surfaced in the past? I currently need this as an extra security

Re: [HACKERS] user-based query white list

2008-12-06 Thread Grzegorz Jaskiewicz
On 2008-12-06, at 18:30, Andrew Chernow wrote: Grzegorz Jaskiewicz wrote: On 2008-12-06, at 18:21, Andrew Chernow wrote: Looking for a way to limit a user to a specific set of queries. I don't think this can be done right now ... or can it? Has this feature request surfaced in the

Re: [HACKERS] user-based query white list

2008-12-06 Thread Andrew Chernow
Grzegorz Jaskiewicz wrote: On 2008-12-06, at 18:30, Andrew Chernow wrote: Grzegorz Jaskiewicz wrote: On 2008-12-06, at 18:21, Andrew Chernow wrote: Looking for a way to limit a user to a specific set of queries. I don't think this can be done right now ... or can it? Has this feature

Re: [HACKERS] user-based query white list

2008-12-06 Thread Andrew Dunstan
Andrew Chernow wrote: I don't think view-based security solves my problem. I need to limit a user to 20 fixed queries, for example. That means the user cannot execute SELECT NOW() or SELECT 'hello world'. The user can only execute a pre-defined list of queries. Put your queries in