From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
---|---|
To: | KuroiNeko <evpopkov(at)carrier(dot)kiev(dot)ua> |
Cc: | pgsql-general(at)postgresql(dot)org |
Subject: | Re: dissallowing access to databases |
Date: | 2000-10-15 15:56:01 |
Message-ID: | 4890.971625361@sss.pgh.pa.us |
Lists: | pgsql-general |

CREATE TABLE is not considered to be an access violation; we have no
concept of read-only access to a whole database, only to individual
tables.

If you want to restrict each user to connect only to his own database,
there's an option for that in pg_hba.conf:

    # host DBNAME IP_ADDRESS ADDRESS_MASK AUTHTYPE [AUTH_ARGUMENT]
    #
    # DBNAME is the name of a PostgreSQL database, "all" to indicate all
    # databases, or "sameuser" to restrict a user's access to a database with
    # the same user name.

If that's not flexible enough for you, allowing a particular subset of
users to connect to a particular database is possible but tedious.
One way is to set up a separate password file for each such DB, and use
password authentication that specifies the alternate password file ---
ie, a separate pg_hba.conf line for each such DB, with the allowed users
listed in a separate file per DB. Another way is to use ident
authentication, specifying a separate "ident map name" for each DB,
and listing the allowed users for each DB under that map name.

This could stand to be improved; there's no comparable facility for
Kerberos auth methods.

regards, tom lane
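
Added example (not part of the original message and not PostgreSQL's own code): a simplified Python model for auditing which user/database pairs a set of `host` records in the layout quoted above would admit, covering `sameuser` and the per-database ident map approach. The sample records, the map names, the ident map line layout (map name, ident user, database user) and the first-matching-record rule are assumptions of this sketch.

```python
import ipaddress

# Constructed sample records in the layout quoted in the message:
# host DBNAME IP_ADDRESS ADDRESS_MASK AUTHTYPE [AUTH_ARGUMENT]
HBA = """\
host sameuser 192.168.1.0 255.255.255.0   password
host payroll  192.168.1.0 255.255.255.0   ident payroll_map
host all      127.0.0.1   255.255.255.255 ident admin_map
"""
# Constructed ident maps (assumed layout): MAPNAME IDENT_USER DB_USER
IDENT = """\
payroll_map alice alice
payroll_map bob   bob
admin_map   root  postgres
"""

def parse_hba(text):
    """Return records as (dbname, network, authtype, auth_argument)."""
    records = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 5 or fields[0] != "host":
            continue
        net = ipaddress.ip_network(f"{fields[2]}/{fields[3]}", strict=False)
        arg = fields[5] if len(fields) > 5 else None
        records.append((fields[1], net, fields[4], arg))
    return records

def parse_ident(text):
    """Return {mapname: {(ident_user, db_user), ...}}."""
    maps = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) == 3:
            maps.setdefault(fields[0], set()).add((fields[1], fields[2]))
    return maps

def decide(user, db, ip, ident_user=None, hba=HBA, ident=IDENT):
    """First matching record decides; no matching record means refusal."""
    maps = parse_ident(ident)
    for dbname, net, auth, arg in parse_hba(hba):
        db_ok = dbname in ("all", db) or (dbname == "sameuser" and db == user)
        if not db_ok or ipaddress.ip_address(ip) not in net:
            continue
        if auth == "ident":  # allowed only if listed under this DB's map
            ok = (ident_user, user) in maps.get(arg, set())
            return "ident-ok" if ok else "ident-denied"
        return auth  # e.g. "password": the credential check happens next
    return "no-record"
```

In this model a `sameuser` record that does not match is skipped, so a later `all` record covering the same addresses would still admit the connection.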