From: | Richard Huxton <dev(at)archonet(dot)com> |
---|---|
To: | David Legault <legault(dot)david(at)gmail(dot)com> |
Cc: | pgsql general <pgsql-general(at)postgresql(dot)org> |
Subject: | Re: REVOKE ALL |
Date: | 2007-02-21 12:40:43 |
Message-ID: | 45DC3DCB.3050204@archonet.com |
Lists: | pgsql-general |
David Legault wrote:
> Concerning the pg_hba.conf file, I don't want to prevent external
> connections to the DB as I need all my web apps to connect to them. I was
> referring to the fact that ROLE A "belongs" to DB G so that I don't want
> him to access anything in DB H for example.
>
> I'd like to be able to create roles that can't connect (not the pg_hba.conf
> user configs) to any database except the ones for which they have been
> granted the privilege to do so.
>
> So when creating ROLE A, he wouldn't be able to connect [through a PHP call
> pg_connect(user, pass, db)] until I explicitly grant him access to the DB
> for connexion via GRANT ON DATABASE G TO A.

REVOKE CONNECT ON DATABASE g FROM public;

Then you'll need to add "GRANT CONNECT" for each user/group.

Also check the section on database-specific roles in the manuals
(there's a setting in postgresql.conf that lets you have user@database).
Might be useful.

--
Richard Huxton
Archonet Ltd
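
Added example, not part of the original message: the REVOKE/GRANT sequence suggested above applied to both databases from the thread, followed by two checks that confirm the result. It assumes databases g and h and login role a already exist, is run as a superuser or database owner, and the second check assumes a server new enough to provide aclexplode().

```sql
-- Names g, h and a are taken from the thread; adjust to your own.

-- 1. CONNECT is granted to PUBLIC on every database by default,
--    so it has to be revoked on each database individually.
REVOKE CONNECT ON DATABASE g FROM PUBLIC;
REVOKE CONNECT ON DATABASE h FROM PUBLIC;

-- 2. Grant CONNECT back only where the role belongs.
GRANT CONNECT ON DATABASE g TO a;

-- 3. Check the effective CONNECT privilege of role a on both databases.
--    This accounts for grants inherited through group roles as well.
SELECT d.datname,
       has_database_privilege('a', d.datname, 'CONNECT') AS a_can_connect
FROM pg_database AS d
WHERE d.datname IN ('g', 'h')
ORDER BY d.datname;

-- 4. List databases that still let PUBLIC connect. A NULL datacl means
--    the built-in defaults apply, which include CONNECT for PUBLIC; this
--    is the state of every newly created database. Grantee OID 0 is PUBLIC.
SELECT d.datname
FROM pg_database AS d
WHERE d.datallowconn
  AND (d.datacl IS NULL
       OR EXISTS (SELECT 1
                  FROM aclexplode(d.datacl) AS acl
                  WHERE acl.grantee = 0
                    AND acl.privilege_type = 'CONNECT'))
ORDER BY d.datname;
```

Superusers and the database owner are not restricted by this, and sessions already open when the REVOKE runs stay connected until they disconnect.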