| From: | Andreas Wenk <a(dot)wenk(at)netzmeister-st-pauli(dot)de> |
|---|---|
| To: | Stefano Nichele <stefano(dot)nichele(at)gmail(dot)com> |
| Cc: | pgsql-general(at)postgresql(dot)org, gsstark(at)mit(dot)edu |
| Subject: | Re: user/grant - best practices handling permission in production system |
| Date: | 2009-07-24 08:18:37 |
| Message-ID: | 4A696E5D.1090708@netzmeister-st-pauli.de |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
Stefano Nichele schrieb:
> Hi All,
> I have some questions for you about the best way to handle permission on
> a database in a production system.
> The final goal is to have a web application connected to the db using a
> single user that must run select/delete/insert/update (and maybe truncate)
>
> In my opinion that user should NOT own the db and the db itself should
> NOT be created using that user. Of course that user should NOT be able
> to create database or other users.
>
> The steps could be:
> 1. using postgres user (or another user with grant for creating
> database) create the database
> 2. using the user used in step 1, create the schema and populate tables
> with initial data
> 3. using the user used in the previous step, create a new user (the one
> the webapp will use)
> 4. give to the new user the grant on all database objects for
> select/delete/insert/update
I totally agree with Greg's answer but just want to give a hint for granting privileges to
several objects in one shot as in step 4. pgAdmin III is giving this ability with the
grant wizard ... this may help if you don't want to put all the steps in a "init script"
for automatic db setup.
Cheers
Andy
| From | Date | Subject | |
|---|---|---|---|
| Next Message | martin | 2009-07-24 08:35:10 | Re: Converting SQL to pg |
| Previous Message | Albe Laurenz | 2009-07-24 08:17:50 | Re: Converting SQL to pg |