RE: [ADMIN] Any user can create table in any database?

[KOOPMAN,JON (A-SantaClara,ex1)]

On Thu, 16 Mar 2000, Karel Zak - Zakkr <[EMAIL PROTECTED]> wrote:
> On Thu, 16 Mar 2000, KOOPMAN,JON (A-SantaClara,ex1) wrote:
> > Thanks for the quick response,
> > 
> >  o Possibly add a permission structure to database level ACL
> >    that can turn off read privilege to a database to certain
> >    /all users.  Is there any reason to limit database
> >    connectivity different than grant/revoke on individual
> >    database objects?
> > 
>
> If I good understand you, you want privilage like ACL for DB?
>
> The PostgreSQL check access to database *out* of SQL engine - connect
access
> control postmaster ant it is before postgres start. The postmaste knows
> pg_shadow/hba_conf only, it not allow work with standard relation
routines.
>
> A solution is remove access check to postgresql layout and check it after 
> fork(), but is it effective?

The points I layed out were in order of importance.  It would be more
important to add a write limiting ACL (and proper controls for this
ACL, and the ability to modify the ACL) to a database to limit other
users ability to interact with that database.  This last point really just
adds convenience to existing ACL features.  Is it worth adding read level
access control to a database ACL if you are going to add that ACL anyway?

I would guess this implementation would just allow setting up default
non-read access to all database contents, rather than having to create
individual database objects and then setup grant/revoke statements on
all of them.

I think the easiest way to implement would be to allow database
connection via normal pg_hba.conf, but deny all attempts to access
data objects, similar to doing a SELECT on a table you don't have
a grant for.