From: | Ravi Roy <ravi(dot)aroy(at)gmail(dot)com> |
---|---|
To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
Cc: | pgsql-general(at)postgresql(dot)org |
Subject: | Re: Creating a role with read only privileges but user is allowed to change password |
Date: | 2014-05-11 17:17:10 |
Message-ID: | CAFMBnF_0+JrRe0sUuGq2ndyFEWaULuyBXfUZmtPJB2C1rUq9mg@mail.gmail.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-general |
Thanks a lot Tom, it worked by putting off the read only mode to off before
changing the password and putting it on again.
> SET default_transaction_read_only = off;
Worked for me..
Many thanks to you!
Regards
Ravi
On Sun, May 11, 2014 at 10:26 PM, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
> Ravi Roy <ravi(dot)aroy(at)gmail(dot)com> writes:
> > I've created a role named "MyRole" in posgresql with the following :
>
> > CREATE ROLE "MyRole" NOSUPERUSER LOGIN NOCREATEDB NOCREATEROLE NOINHERIT
> > PASSWORD "MyPassword";
>
> > ALTER ROLE "MyRole" set default_transaction_read_only = on;
>
> > Because I wanted this role to readonly (can not change anything in DB but
> > only view).
>
> You realize, I hope, that breaking out of that restriction is no harder
> than issuing
>
> SET default_transaction_read_only = off;
>
> or even
>
> BEGIN TRANSACTION READ WRITE;
>
> So that ALTER ROLE might be of some use as a protection against accidental
> changes, but it's certainly no form of security restriction. (What you
> probably want to do instead of this is make sure the role doesn't have
> select/update/delete privileges for any of your tables.)
>
> > But later I realized this role is not even allowed to change his
> password.
>
> Just do one of the above things first...
>
> regards, tom lane
>
From | Date | Subject | |
---|---|---|---|
Next Message | Tim Kane | 2014-05-11 18:07:01 | Re: Re: Partitioning such that key field of inherited tables no longer retains any selectivity |
Previous Message | Ravi Roy | 2014-05-11 17:01:31 | Re: Creating a role with read only privileges but user is allowed to change password |