On 12/09/2011 9:16 PM, Rainer Leo wrote:
Hello,
I have been asked to configure a database role
to be used for ODBC access.
So far I have done this:
CREATE ROLE odbc_user LOGIN
ENCRYPTED PASSWORD 'bar'
NOSUPERUSER INHERIT NOCREATEDB NOCREATEROLE;
REVOKE ALL ON DATABASE foo FROM odbc_user;
REVOKE CREATE ON SCHEMA public FROM public;
GRANT SELECT ON v_sales TO odbc_user;
When I try:
foo-> SELECT * FROM customers;
access is denied as expected
foo->\d baz
I see table definitions.
You'd have to mess with permissions on the pg_catalog tables and the
INFORMATION_SCHEMA views. This may have unexpected side-effects or cause
some clients that expect to be able to use those schema to get metadata
to cease functioning correctly.
I don't think denying access to table definitions is part of the
security model's goals at the moment; it's about limiting access to
_data_ not DDL or definitions. You'll note that function sources are
also available via pg_catalog, though it seems to be reasonably safe
(from what I hear, having not tested it) to change permissions to deny
access to those.
--
Craig Ringer
--
Sent via pgsql-admin mailing list ([email protected])
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-admin
