Re: user/grant - best practices handling permission in production system

From: Greg Stark <gsstark(at)mit(dot)edu>
To: Stefano Nichele <stefano(dot)nichele(at)gmail(dot)com>
Cc: pgsql-general(at)postgresql(dot)org
Subject: Re: user/grant - best practices handling permission in production system
Date: 2009-07-23 21:38:54
Message-ID: 407d949e0907231438r29a596b6nebca8e1c72b43889@mail.gmail.com
Lists: pgsql-general

On Thu, Jul 23, 2009 at 10:09 PM, Stefano
Nichele<stefano(dot)nichele(at)gmail(dot)com> wrote:

> 2. using the user used in step 1, create the schema and populate tables with

> At this point the webapp should work correctly.
> The main missing point for me is how to perform step 4 in a simple way since
> it seems there is not a way to give the right grants to all db objects in
> one shot.

Well, there isn't a way to do step 2 in one shot either. You'll have to
issue a CREATE statement for each object; it's no extra work to issue
a GRANT for each object with the specific rights the application
should have at that time. Think of it as an important part of the
process of creating a new object.

Note that it's probably not necessary to grant all rights to every
table. Most applications have some tables that are read-only or
insert-only from the point of view of the application. Your system
will be more secure if the application does not have unnecessary
privileges. So thinking about what rights to grant to the application
for each object when it's created is not a bad thing.

--
greg
http://mit.edu/~gsstark/resume.pdf
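
The per-object approach described in the message above, as an added example that is not part of the original post: each CREATE is paired with the narrowest GRANT the application needs, followed by a query that shows what the application role actually holds. The schema, table and role names (shop, country, audit_log, orders, webapp) are hypothetical; the script assumes it is run by the role that will own the objects and that the login role webapp already exists.

```sql
-- Constructed example: all object and role names are hypothetical.
BEGIN;

CREATE SCHEMA shop;
GRANT USAGE ON SCHEMA shop TO webapp;   -- name lookup only, no CREATE in the schema

-- Reference data: read-only from the application's point of view.
CREATE TABLE shop.country (
    code char(2) PRIMARY KEY,
    name text NOT NULL
);
GRANT SELECT ON shop.country TO webapp;

-- Audit trail: insert-only, so the application cannot read or rewrite history.
CREATE TABLE shop.audit_log (
    id        bigserial PRIMARY KEY,
    logged_at timestamptz NOT NULL DEFAULT now(),
    event     text NOT NULL
);
GRANT INSERT ON shop.audit_log TO webapp;
GRANT USAGE ON SEQUENCE shop.audit_log_id_seq TO webapp;  -- needed by the bigserial default

-- Working data: read and write, but no DELETE or TRUNCATE.
CREATE TABLE shop.orders (
    id           bigserial PRIMARY KEY,
    country_code char(2) NOT NULL REFERENCES shop.country (code),
    status       text NOT NULL DEFAULT 'new'
);
GRANT SELECT, INSERT, UPDATE ON shop.orders TO webapp;
GRANT USAGE ON SEQUENCE shop.orders_id_seq TO webapp;

COMMIT;

-- Review step: one row per table with the rights webapp holds on it.
-- Any unexpected "t" is a privilege the application does not need.
SELECT c.relname,
       has_table_privilege('webapp', c.oid, 'SELECT') AS can_select,
       has_table_privilege('webapp', c.oid, 'INSERT') AS can_insert,
       has_table_privilege('webapp', c.oid, 'UPDATE') AS can_update,
       has_table_privilege('webapp', c.oid, 'DELETE') AS can_delete
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
WHERE n.nspname = 'shop' AND c.relkind = 'r'
ORDER BY c.relname;
```

With these grants the review query should report only can_insert for audit_log, only can_select for country, and everything except can_delete for orders.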
