From: | Adam Witney <awitney(at)sgul(dot)ac(dot)uk> |
---|---|
To: | "Albe Laurenz" <laurenz(dot)albe(at)wien(dot)gv(dot)at> |
Cc: | "pgsql-general" <pgsql-general(at)postgresql(dot)org> |
Subject: | Re: Is this a security risk? |
Date: | 2008-12-17 13:47:01 |
Message-ID: | 7AB54740-A5E1-4939-B49A-93BE58587924@sgul.ac.uk |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-general |
On 17 Dec 2008, at 07:48, Albe Laurenz wrote:
> Adam Witney wrote:
>> I would like to provide a limited view of my database to some users,
>> so i thought of creating a second database (I can control access by
>> IP
>> address through pg_hba.conf) with some views that queried the first
>> database using dblink.
>
> In my opinion dblink is not the right tool for that.
> It will require a user account on the "secret" database through which
> dblink accesses it. You'd have to restrict permissions for that user
> if you want to keep the thing secure.
>
> So why not access the "secret" database directly with that user and
> get rid of the added difficulty of dblink?
>
> You can rely on the permission system. Just grant the user the
> appropriate
> privileges on the necessary objects, and if you need the user to see
> only part of the data in a table, create a view for that.
thanks for your reply,
The user already has permissions within the 'secret' database, but
normally they interact with it through a web interface only. I was
worried that the user could get in and mess around with other things,
such as the sequences which are used to populate primary keys.
Also ideally I only wanted to create a read only access to certain
parts of the database, I couldn't think of any other way to do it...
are there any more standard ways of doing this?
thanks again
adam
From | Date | Subject | |
---|---|---|---|
Next Message | Grzegorz Jaśkiewicz | 2008-12-17 13:54:45 | Re: PostgreSQL installation |
Previous Message | Shahbaz A. Tyagi | 2008-12-17 13:45:53 | Re: PostgreSQL installation |