From: | Mark Stosberg <mark(at)summersault(dot)com> |
---|---|
To: | Lonnie Cumberland <lonnie_cumberland(at)yahoo(dot)com> |
Cc: | pgsql-sql(at)postgresql(dot)org |
Subject: | Re: Client/Server Security question |
Date: | 2001-04-20 18:40:41 |
Message-ID: | 3AE08295.6327979B@summersault.com |
Lists: | pgsql-general pgsql-interfaces pgsql-sql |
Lonnie Cumberland wrote:
>
> Hello All,
>
> We are developing an application that will allow our websites to talk to our
> database.
>
> In the interest of security, I am wondering if it is possible to turn off some
> of the functions in the SQL command list such that a user can only communicate
> to the database through our functions.
>
> What I mean is this. We have built a number of "C" extensions and PL/pgSQL
> procedures that will work on our database, but I only want to allow an outside
> query to only one or two of our selected entry points.
>
> The webserver interface query statement might, for example, be able to only
> call "select register_user(.......)" or "select login_user(....)" and NONE of
> the other PostgreSQL command functions.
>
> I only want to allow access to these functions from the outside world, but the
> server needs to be able to execute all of the original functions without
> restrictions.

Lonnie,

Have you checked the Postgres docs on security and access? It offers a
lot of flexibility. For example, you can use a different postgres
username to access the database from the outside world, in conjunction
with using "grant" statements and views to give that user only the
ability to perform specific actions on specific tables and views. If
after reading the docs you still have specific questions about details
that are not clear then, send a follow-up post with a more specific
question and we can give you a more useful answer. :)

-mark
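
One way to set up what the reply describes (a separate database user limited by grants and a view), extended to the function entry point from the question; this is an added example, not part of the original message. It assumes a current PostgreSQL release rather than the 2001 version under discussion, and every object name except `register_user` is hypothetical.

```sql
-- Added example. Run as a superuser or the database owner.
-- Hypothetical names: schema app, table app.users, view app.user_directory,
-- role web_client. The password is a placeholder.

-- 1. A separate login role used only by the web server.
CREATE ROLE web_client LOGIN PASSWORD 'change-me';

-- 2. Application objects live in their own schema. A new schema and its
--    tables grant nothing to other roles until privileges are given.
CREATE SCHEMA app;
CREATE TABLE app.users (
    id            serial PRIMARY KEY,
    username      text NOT NULL UNIQUE,
    password_hash text NOT NULL,
    email         text
);
GRANT USAGE ON SCHEMA app TO web_client;

-- 3. A view exposes only the non-sensitive columns; SELECT is granted on
--    the view, never on the underlying table.
CREATE VIEW app.user_directory AS
    SELECT id, username FROM app.users;
GRANT SELECT ON app.user_directory TO web_client;

-- 4. The entry-point function runs with its owner's rights, so the caller
--    needs no privilege on app.users. Pinning search_path keeps a caller
--    from substituting objects of the same name.
CREATE FUNCTION app.register_user(p_username text, p_password_hash text)
RETURNS integer
LANGUAGE sql
SECURITY DEFINER
SET search_path = app, pg_temp
AS $$
    INSERT INTO app.users (username, password_hash)
    VALUES (p_username, p_password_hash)
    RETURNING id;
$$;

-- 5. Functions are executable by PUBLIC by default; narrow that to the role.
REVOKE ALL ON FUNCTION app.register_user(text, text) FROM PUBLIC;
GRANT EXECUTE ON FUNCTION app.register_user(text, text) TO web_client;

-- 6. Exercise the privileges as web_client. The first two statements use
--    what was granted; the third reads the table directly, on which
--    web_client holds no privilege.
SET ROLE web_client;
SELECT app.register_user('alice', 'constructed-hash-value');
SELECT * FROM app.user_directory;
SELECT * FROM app.users;
RESET ROLE;
```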