Re: system catalog permissions

From: "David G(dot) Johnston" <david(dot)g(dot)johnston(at)gmail(dot)com>
To: Paul Jungwirth <pj(at)illuminatedcomputing(dot)com>
Cc: "pgsql-generallists(dot)postgresql(dot)org" <pgsql-general(at)lists(dot)postgresql(dot)org>
Subject: Re: system catalog permissions
Date: 2018-02-27 00:50:56
Message-ID: CAKFQuwbs68eEj=HScxhs-4Xd-FhPtU1Fa-FAc2+uaf7QNineiA@mail.gmail.com
Lists: pgsql-general

On Mon, Feb 26, 2018 at 4:55 PM, Paul Jungwirth <pj(at)illuminatedcomputing(dot)com> wrote:

> On 02/26/2018 03:47 PM, Tom Lane wrote:
>
>> PropAAS DBA <dba(at)propaas(dot)com> writes:
>>
>>> We have a client which is segmenting their multi-tenant cluster
>>> (PostgreSQL 9.6) by schema, however if one of their clients connects via
>>> pgadmin they see ALL schemas, even the ones they don't have access to
>>> read.
>>>
>> PG generally doesn't assume that anything in the system catalogs is
>> sensitive. If you don't want user A looking at user B's catalog
>> entries, give them separate databases, not just separate schemas.
>>
>
> I'm sure this is what you meant, but you need to give them separate
> *clusters*, right? Even with separate databases you can still get a list of
> the other databases and other roles in the cluster. I would actually love
> to be mistaken but when I looked at it a year or two ago I couldn't find a
> way to lock that down (without breaking a lot of tools anyway).
>

Yes, both the database and role namespaces are global to an individual
cluster. It's another level of trade-off; database and role names could
realistically and easily be done UUID-style so knowing the labels doesn't
really tell anything except a vague impression of host size.

Assuming clients don't want to see their log files...

David J.
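
The distinction discussed in this thread, as an added example that is not part of the original messages: schema privileges gate data access, while the per-database catalogs and the cluster-wide database and role lists stay readable. The role, schema and table names are hypothetical; run it as a superuser in a scratch database on a disposable cluster.

```sql
-- Constructed demo; tenant_a, tenant_b, a_data, b_data and invoices are
-- hypothetical names chosen for illustration.
CREATE ROLE tenant_a LOGIN;
CREATE ROLE tenant_b LOGIN;
CREATE SCHEMA a_data AUTHORIZATION tenant_a;
CREATE SCHEMA b_data AUTHORIZATION tenant_b;
CREATE TABLE b_data.invoices (id int, amount numeric);
ALTER TABLE b_data.invoices OWNER TO tenant_b;

-- Act as tenant A for the remaining checks.
SET ROLE tenant_a;

-- 1. Privilege check: tenant_a was never granted USAGE on b_data, so a
--    direct query against b_data.invoices is rejected by the server.
SELECT has_schema_privilege('tenant_a', 'b_data', 'USAGE') AS can_use_b_data;

-- 2. Catalog check: the same session can still read tenant B's schema,
--    table and column names from the system catalogs of this database.
SELECT n.nspname AS schema_name,
       c.relname AS table_name,
       a.attname AS column_name
FROM pg_namespace n
JOIN pg_class c     ON c.relnamespace = n.oid
JOIN pg_attribute a ON a.attrelid = c.oid
WHERE n.nspname = 'b_data'
  AND c.relkind = 'r'
  AND a.attnum > 0
  AND NOT a.attisdropped;

-- 3. Cluster-wide namespaces: database and role names are shared by every
--    database in the cluster, so separate databases do not hide them.
SELECT datname FROM pg_database ORDER BY datname;
SELECT rolname FROM pg_roles ORDER BY rolname;

RESET ROLE;

-- Clean up the demo objects.
DROP TABLE b_data.invoices;
DROP SCHEMA a_data;
DROP SCHEMA b_data;
DROP ROLE tenant_a;
DROP ROLE tenant_b;
```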
