From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
---|---|
To: | "Qingqing Zhou" <zhouqq(at)cs(dot)toronto(dot)edu> |
Cc: | pgsql-general(at)postgresql(dot)org |
Subject: | Re: How to have a blind-superuser |
Date: | 2006-04-25 02:18:51 |
Message-ID: | 8600.1145931531@sss.pgh.pa.us |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-general |
"Qingqing Zhou" <zhouqq(at)cs(dot)toronto(dot)edu> writes:
> Basically I wonder if I can have a superuer that he has every priviliges as
> he does now (create language, rotate log files, create checkpoint and
> everything superuser can do) but one thing I want to make sure is that he
> could not see any user data for security reason (just think my database is
> filled with very important UFO data ;-)). In another word, I need a
> superuser be able to maintain database but he know nothing about what in the
> database. Is there a solution for this in PG?
AFAICS this is insoluble anywhere, not just in PG. CREATE LANGUAGE for
instance implies the ability to load arbitrary code into the backend.
If you don't trust your DBA, you could imagine encrypting all your data
on the client side before you store it, though this would for instance
severely limit your ability to search it. But there's no such thing as
a partial superuser: either you have unlimited access privileges or you
don't.
regards, tom lane
From | Date | Subject | |
---|---|---|---|
Next Message | Tom Lane | 2006-04-25 02:34:02 | Re: How to close dead connections immediately |
Previous Message | Qingqing Zhou | 2006-04-25 01:31:48 | Re: How to have a blind-superuser |