| From: | <btober(at)computer(dot)org> |
|---|---|
| To: | <shridhar(at)frodo(dot)hserus(dot)net> |
| Cc: | <bartko(dot)zoltan(at)pobox(dot)sk>, <pgsql-general(at)postgresql(dot)org> |
| Subject: | Re: Securing a db app - RFC |
| Date: | 2004-06-02 12:28:27 |
| Message-ID: | 64713.216.238.112.88.1086179307.squirrel@$HOSTNAME |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
> On Wednesday 02 June 2004 02:04, BARTKO Zoltan wrote:
>> I would appreciate anyone wiser than me to comment on the following:
>>
>> I am making an app for PostgreSQL (the server). The clients are
>> connecting through the same single user. ...
>>
>> If I want to access a function (like do this or that with data), I
>> use a stored function and pass the id# of the user plus all the
>> necessary things. First, I check if the person is authorized to carry
>> out the operation. if so, the operation is performed.
>>
>> There are users, who are administrators. Thus, they are allowed to do
>> anything.
>>
> You can probably use set session authorization. Here are some brief
> steps.
>
> 1. Convert all your users as postgresql database users
If he's going to do this, why bother with hard-coding a single user id
and password in the application -- why not have the user log in as their
defined Postgresql user, and let the data base handle all the security
and permission issues?
--Berend Tober
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Shridhar Daithankar | 2004-06-02 12:36:14 | Re: Securing a db app - RFC |
| Previous Message | zhicheng wang | 2004-06-02 10:38:32 | Re: after using pg_resetxlog, db lost |