Re: Best practice to create a read-only user?

From: "E(dot) S(dot)" <yields(dot)falsehood(at)gmail(dot)com>
To: matthias ritzkowski <matthias(at)marlinmobile(dot)com>
Cc: pgsql-admin(at)postgresql(dot)org
Subject: Re: Best practice to create a read-only user?
Date: 2013-05-03 15:05:23
Message-ID: CAGHT9YP2VBu-WKszP+NarOZZ8mfNWEJ+m=O4QzSNtabxCyP8Gg@mail.gmail.com
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-admin

default_transaction_read_only is just a default. Users can still disable it
for themselves and it is not intended to act as a security measure. In the
second example, user uuu could still create and modify data for which s/he
has the privileges granted to do so by first issuing a "set transaction
read write".

On Fri, May 3, 2013 at 10:03 AM, matthias ritzkowski <
matthias(at)marlinmobile(dot)com> wrote:

> Hello,
>
> Usually I would
>
> create user uuu password 'ppp';
> GRANT usage on schema zzz to uuu;
> GRANT select on all tables in schema zzz to uuu;
>
>
> But just this morning someone used
> create user uuu password 'ppp';
> alter user uuu set default_transaction_read_only = on;
> GRANT select on all tables in schema zzz to uuu;
>
> So I only added the grant usage and it worked fine.
> What do people use day to day?
>
> I had frankly never explored the default_transaction_read_only
> parameter ...
>
>
> --
>
> regards
> Matthias Ritzkowski
> -marlinmobile-
>
>
> --
> Sent via pgsql-admin mailing list (pgsql-admin(at)postgresql(dot)org)
> To make changes to your subscription:
> http://www.postgresql.org/mailpref/pgsql-admin
>

In response to

Browse pgsql-admin by date

  From Date Subject
Next Message Rodrigo Barboza 2013-05-03 15:09:00 pg_stat_tmp file
Previous Message Ray Stell 2013-05-03 14:28:38 Re: Problem: pg_hba.conf is automatically rewritten every day