Re: Fine grained permissions on User Mapping

From: Paul Bonaud <paul(at)bonaud(dot)fr>
To: Adrian Klaver <adrian(dot)klaver(at)aklaver(dot)com>
Cc: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, pgsql-general(at)lists(dot)postgresql(dot)org
Subject: Re: Fine grained permissions on User Mapping
Date: 2020-06-04 07:41:53
Message-ID: CAE8rFSugcX7MTJEoy1T6ROcU1qCpncubrmnqnd1smfd=ukMRww@mail.gmail.com
Lists: pgsql-general

Hi again Tom,

I re-read your point 2. “You don't want to grant USAGE on the foreign
server to the localuser, either.” to find out this was exactly the solution
I was looking for. That is: it's fine to not let the basic user create the
foreign tables.

Wow, it was as easy as moving the foreign table creations up to a higher
“admin” level and giving only classical “select” grants to my local “basic”
user. That's it, it works! When the basic user tries to list the existing
user mappings of the database the “FDW options” column is now empty thus
not revealing the remote server's username and password.

Thank you very much!

On Wed, 3 Jun 2020 at 22:22, Adrian Klaver <adrian(dot)klaver(at)aklaver(dot)com>
wrote:

> On 6/3/20 4:11 AM, Paul Bonaud wrote:
> > Hi Tom,
> >
> > Thank you very much for your answer.
> >
> > I was worried to get this kind of solution, i.e. “don't be so miserly as
> > not to create a separate one for each privilege level you need.”,
> > however in the case of a remote database **you have no control over** it
> > sounds pretty impossible to do.
> >
> > If I understand correctly, my initial question doesn't have a solution
> > within postgres, does this sound right?
>
> As it stands now I can't think of one. You might reach out to the
> postgres_fdw folks and see if they could get it to use a service file:
>
> https://www.postgresql.org/docs/12/libpq-pgservice.html
>
> Then the user mapping could use information the end user can't see
> unless they had permissions on the file system.
>
> >
> > Thanks again!
> > Paul
>
>
> --
> Adrian Klaver
> adrian(dot)klaver(at)aklaver(dot)com
>
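The setup Paul describes above, written out as an added example (not code from the thread): the foreign server and foreign tables are created by an admin role that holds USAGE on the server, the credentials live only in the user mapping, and the basic role gets plain SELECT on the foreign table with no USAGE on the server, so pg_user_mappings (and psql's \deu+) shows it an empty options column. Server, role, host and table names, and the credential values, are assumed placeholders.

```sql
-- Run as a superuser (or the owner of the foreign server).
CREATE EXTENSION IF NOT EXISTS postgres_fdw;

-- Placeholder connection details; replace with the real remote database.
CREATE SERVER remote_srv FOREIGN DATA WRAPPER postgres_fdw
    OPTIONS (host 'remote.example.invalid', dbname 'remotedb', port '5432');

-- "admin" level: may create foreign tables because it holds USAGE on the server.
CREATE ROLE fdw_admin NOLOGIN;
GRANT USAGE ON FOREIGN SERVER remote_srv TO fdw_admin;

-- "basic" level: deliberately NOT granted USAGE on the foreign server.
CREATE ROLE basic_user LOGIN PASSWORD 'placeholder-local-password';

-- The remote credentials are stored only here (placeholder values).
-- postgres_fdw looks up the mapping for the role running the query, so the
-- mapping is created for basic_user (a PUBLIC mapping would also do).
CREATE USER MAPPING FOR basic_user SERVER remote_srv
    OPTIONS (user 'remote_user', password 'placeholder-remote-password');
CREATE USER MAPPING FOR fdw_admin SERVER remote_srv
    OPTIONS (user 'remote_user', password 'placeholder-remote-password');

-- Foreign table creation happens at the admin level, not by the basic user.
SET ROLE fdw_admin;
CREATE SCHEMA fdw;
CREATE FOREIGN TABLE fdw.remote_orders (
    id      integer,
    amount  numeric
) SERVER remote_srv OPTIONS (schema_name 'public', table_name 'orders');
GRANT USAGE ON SCHEMA fdw TO basic_user;
GRANT SELECT ON fdw.remote_orders TO basic_user;   -- classical SELECT grant only
RESET ROLE;

-- Check from the basic role: the query works, the options stay hidden.
SET ROLE basic_user;
SELECT count(*) FROM fdw.remote_orders;            -- allowed via the SELECT grant
SELECT srvname, usename, umoptions FROM pg_user_mappings;
-- umoptions is NULL for every row: basic_user is mapped but lacks USAGE on
-- the server, so the remote user name and password are not revealed.
CREATE FOREIGN TABLE fdw.leak (x int) SERVER remote_srv;  -- fails: no USAGE
RESET ROLE;
```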
