| From: | "David G(dot) Johnston" <david(dot)g(dot)johnston(at)gmail(dot)com> |
|---|---|
| To: | Ron Watkins <rwatki(at)gmail(dot)com> |
| Cc: | pgsql-novice(at)lists(dot)postgresql(dot)org |
| Subject: | Re: create read-only and revoke create function? |
| Date: | 2023-08-14 18:04:33 |
| Message-ID: | CAKFQuwZc+snoidGFK+LDr=A5_Jc-YhdADVsY7AvN681WzP-a7w@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-novice |
On Mon, Aug 14, 2023 at 8:20 AM Ron Watkins <rwatki(at)gmail(dot)com> wrote:
>
> GRANT "RO_Role" to <users>;
> GRANT SELECT ON TABLE <tablename> TO "RO_Role";
> GRANT EXECUTE ON FUNCTION <functions> TO "RO_ROLE";
>
> On one server, this seems to have limited the users ability to write to
> tables, but on the other server it didn't work, they can still write to
> tables.
>
Then the other server has permissions being granted to those users roles
that the first one doesn't. Fix that.
> As for the functions, they can still create. Not sure how to prevent this
> from happening.
> Suggestions?
>
>
You seem to be missing default privileges for the PUBLIC group - in
particular I suspect you are seeing the ability to create stuff on the
public schema by PUBLIC. If you revoke that you should be good.
Every role is read-only (in the sense of being unable to modify schema
directly) by default, aside from whatever it inherits from PUBLIC and any
other default privileges you may have setup. If you are able to do
something you shouldn't, you need to figure out where that privilege is
coming from and either remove it or remove the membership (you cannot
remove membership in PUBLIC).
David J.
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Simon Connah | 2023-08-27 11:49:06 | Stored procedures |
| Previous Message | Ron Watkins | 2023-08-14 15:19:20 | create read-only and revoke create function? |