From: | "Richard Huxton" <dev(at)archonet(dot)com> |
---|---|
To: | "Randal L(dot) Schwartz" <merlyn(at)stonehenge(dot)com>, "Tom Lane" <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
Cc: | "Tom Jenkins" <tjenkins(at)devis(dot)com>, <pgsql-general(at)postgresql(dot)org> |
Subject: | Re: Delegating User creation |
Date: | 2001-07-21 11:12:39 |
Message-ID: | 009601c111d7$389defc0$1001a8c0@archonet.com |
Lists: | pgsql-general |
From: "Tom Lane" <tgl(at)sss(dot)pgh(dot)pa(dot)us>
> merlyn(at)stonehenge(dot)com (Randal L. Schwartz) writes:
> > Couldn't you create an INSERT rule on pg_password for the
> > junior-superuser that narrowed the created users to only sensible
> > permissions?
>
> Obviously, if we invented a "create users" permission, it would have to
> extend only to creating non-superuser users; you'd only want superusers
> to be able to make more superusers.
>
> But that's not really the point IMHO. As I understood the question,
> it was about being able to delegate the right to create users *for
> particular databases*. That can't be delegated because it doesn't
> exist --- we have no concept of users restricted to only some databases
> within an installation. (You can sort of fake it by restricting their
> ability to connect in pg_hba.conf, but that's a pretty ugly approach,
> and certainly not one that's available to anyone but the dbadmin.)

Could you not do it with groups?

All objects in database "foo" are only accessible to users in "foo_group".
Operations on the user tables are only permitted against users who are in
"foo_group" (via Randal's use of rules/triggers).

Any user could connect to any database, but wouldn't have access to the
tables.

- Richard Huxton
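
The table-access half of the group arrangement proposed above, as an added SQL example that is not part of the original message. The table `orders` and the users `alice` and `bob` are constructed names, and the statements assume a superuser session connected to database `foo` on a PostgreSQL release that provides `has_table_privilege`; the rules/triggers on the user tables are not shown.

```sql
-- Added example, not from the original thread.
-- Run as a superuser while connected to database "foo".
-- orders, alice and bob are constructed names for illustration.
CREATE TABLE orders (id integer PRIMARY KEY, item text);

-- Two ordinary (non-superuser) accounts.
CREATE USER alice;
CREATE USER bob;

-- Only alice is a member of the per-database group.
CREATE GROUP foo_group;
ALTER GROUP foo_group ADD USER alice;

-- Make the group the only path to the table: drop any grant to
-- everyone, then grant the working privileges to the group alone.
REVOKE ALL ON orders FROM PUBLIC;
GRANT SELECT, INSERT, UPDATE, DELETE ON orders TO GROUP foo_group;

-- Audit the result. Both users can still connect to "foo", but only a
-- foo_group member should hold privileges on its tables.
SELECT has_table_privilege('alice', 'orders', 'SELECT') AS alice_can_read,
       has_table_privilege('bob',   'orders', 'SELECT') AS bob_can_read;
```

Every object created in the database needs the same REVOKE and GRANT pair, so the privilege audit query is worth running against each table after schema changes.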