| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | Ravi Roy <ravi(dot)aroy(at)gmail(dot)com> |
| Cc: | pgsql-general(at)postgresql(dot)org |
| Subject: | Re: Creating a role with read only privileges but user is allowed to change password |
| Date: | 2014-05-11 16:56:33 |
| Message-ID: | 1789.1399827393@sss.pgh.pa.us |
| Lists: | pgsql-general |

Ravi Roy <ravi(dot)aroy(at)gmail(dot)com> writes:
> I've created a role named "MyRole" in PostgreSQL with the following:
> CREATE ROLE "MyRole" NOSUPERUSER LOGIN NOCREATEDB NOCREATEROLE NOINHERIT
> PASSWORD 'MyPassword';
> ALTER ROLE "MyRole" set default_transaction_read_only = on;
> Because I wanted this role to be readonly (can not change anything in DB but
> only view).

You realize, I hope, that breaking out of that restriction is no harder
than issuing

    SET default_transaction_read_only = off;

or even

    BEGIN TRANSACTION READ WRITE;

So that ALTER ROLE might be of some use as a protection against accidental
changes, but it's certainly no form of security restriction. (What you
probably want to do instead of this is make sure the role doesn't have
select/update/delete privileges for any of your tables.)

> But later I realized this role is not even allowed to change his password.

Just do one of the above things first...

regards, tom lane
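
A privilege-based setup for the role discussed in this message, as an added example that is not part of the original email: read-only access is enforced through grants, with `default_transaction_read_only` kept only as a guard against accidents. The database `appdb`, the owning role `app_owner` and the table `orders` are assumed names, not taken from the thread.

```sql
-- Added example. Assumed names, not from the thread: database appdb,
-- schema public, owning role app_owner, table orders.
-- Run as a superuser or as the owner of the objects.

-- Before PostgreSQL 15, PUBLIC may create objects in schema public by default.
REVOKE CREATE ON SCHEMA public FROM PUBLIC;

-- Strip whatever the role holds on tables, then grant back read access only.
REVOKE ALL ON ALL TABLES IN SCHEMA public FROM "MyRole";
GRANT CONNECT ON DATABASE appdb TO "MyRole";
GRANT USAGE ON SCHEMA public TO "MyRole";
GRANT SELECT ON ALL TABLES IN SCHEMA public TO "MyRole";

-- Tables that app_owner creates later become readable too, and nothing more.
ALTER DEFAULT PRIVILEGES FOR ROLE app_owner IN SCHEMA public
    GRANT SELECT ON TABLES TO "MyRole";

-- Optional guard against accidental writes; not a security boundary.
ALTER ROLE "MyRole" SET default_transaction_read_only = on;

-- Audit: relations on which the role still holds any write privilege,
-- whether granted directly or through PUBLIC. Expect zero rows.
SELECT n.nspname, c.relname
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
WHERE c.relkind IN ('r', 'p', 'v', 'm')
  AND n.nspname NOT IN ('pg_catalog', 'information_schema')
  AND has_table_privilege('MyRole', c.oid, 'INSERT, UPDATE, DELETE, TRUNCATE');

-- Connected as "MyRole": leaving read-only mode no longer allows writes,
-- because the INSERT privilege itself is missing.
BEGIN TRANSACTION READ WRITE;
INSERT INTO orders DEFAULT VALUES;   -- fails: permission denied
ROLLBACK;

-- The password change works once the transaction is read-write.
BEGIN TRANSACTION READ WRITE;
ALTER ROLE "MyRole" PASSWORD 'new-password';
COMMIT;
```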