Re: Role based database access

From: mack(at)ips(dot)cs(dot)tu-bs(dot)de
To: pgsql-admin(at)postgresql(dot)org
Subject: Re: Role based database access
Date: 2007-05-24 20:02:49
Message-ID: 1288.85.177.32.107.1180036969.squirrel@webmail.ips.cs.tu-bs.de
Lists: pgsql-admin

> Thomas Mack wrote:
>> Hello!
>>
>> I face a problem here with restricting access to databases to
>> the owners of the database (Postgres 8.1.4).
>>
>> We would like any postgres user to have database access restricted
>> to their own databases only. This is so, as we use postgres for
>> educational purposes.
>>
>> I looked into pg_hba.conf, but unfortunately, when restricting
>> database access in the database field, the NAME(!) of the database
>> is concerned, which we do not restrict. Any user can create as
>> many databases as needed, and the name may be choosen freely.
>>
>> The 'user' field does not help in this either.
>>
>> So is there any chance to achieve what we need without revoking
>> the 'create database' permission and pre-creating the databases
>> for all our users?
>>
>> Thanks,
>> Thomas Mack
>>
> Does not the sameuser database name work for you in pg_hba.conf? I.e.
> you can only log into the database that bears your name.
>
Well no. As soon as they own more than one database, or when they use a
different database name, it does not work out anymore.

And yes, we can force them by some means or the other to just use one
database with the correct name. But it would be nice if we didn't have
to.

The workaround with a custom 'createdb' command looks nice at first, but
as one can use 'create database' as an SQL command, it does not really
help out.

So currently, I think I will leave it with 'sameuser' or similar, and let
the students know about the database name. Unfortunately, the pgAdmin III
(version 1.4) likes to pop up a message for any database the user does
not have access to. So this will keep them a little busy on pgadmin3
startup, but anyway, they don't have to use this tool.

I was initially thinking, there 'should' be some way to limit the access
in the desired way. So now I know, there is not.

Schemas might be a way out of the problem, but it's a little late now, to
force them using different schemas and take care of access control
themselves. Maybe next year.

Thomas Mack
TU Braunschweig, Institut für Informationssysteme
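
An added illustration, not part of the original message: a simplified Python model of pg_hba.conf first-match evaluation, showing why `sameuser` stops working as soon as a user owns a database whose name differs from the user name. The sample records, the 192.0.2.0/24 network, the user and database names and all function names are constructed for this example.

```python
# Simplified model of how PostgreSQL picks a pg_hba.conf record: the first
# record whose database and user fields match decides; no match means reject.
# Assumption: address matching is left out and only "host" records are read.

HBA = """\
# TYPE  DATABASE   USER      CIDR-ADDRESS   METHOD   (constructed sample)
host    all        postgres  192.0.2.0/24   md5
host    sameuser   all       192.0.2.0/24   md5
"""

# Constructed sample of (database, owner) pairs, as pg_database would list them.
DATABASES = [("alice", "alice"), ("alice_lab2", "alice"), ("bob", "bob")]


def parse_hba(text):
    """Return (database_entries, user_entries, method) for each host record."""
    records = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 5 and fields[0] == "host":
            records.append((fields[1].split(","), fields[2].split(","), fields[4]))
    return records


def db_matches(entries, database, user):
    # The database field is compared with the database NAME (or a keyword);
    # ownership of the database is never consulted.
    return any(e == "all" or (e == "sameuser" and database == user) or e == database
               for e in entries)


def decide(records, database, user):
    """Return the auth method of the first matching record, else 'reject'."""
    for dbs, users, method in records:
        if db_matches(dbs, database, user) and ("all" in users or user in users):
            return method
    return "reject"


def access_matrix(records, databases):
    """Map (user, database) -> decision for every owner against every database."""
    owners = sorted({owner for _, owner in databases})
    return {(u, db): decide(records, db, u) for u in owners for db, _ in databases}


if __name__ == "__main__":
    for (user, db), result in sorted(access_matrix(parse_hba(HBA), DATABASES).items()):
        print(f"{user:6} -> {db:11} {result}")
```

In this model alice reaches `alice` but is rejected from her own `alice_lab2`, while bob is kept out of both, which is the trade-off the message describes.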
