From: | Thomas F(dot)O'Connell <tfo(at)alumni(dot)brown(dot)edu> |
---|---|
To: | Randy Yates <yates(at)ieee(dot)org> |
Cc: | pgsql-general(at)postgresql(dot)org |
Subject: | Re: Another Security Question: User-based Roles vs. Application Business Rules |
Date: | 2004-09-11 07:48:20 |
Message-ID: | F31B6E99-03C6-11D9-8609-000D93AE0944@alumni.brown.edu |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-general |
Presumably in the context of a web application, you've got control over
the contexts in which users exist and log in. People accessing publicly
accessible page, for instance, might connect as one user; people
accessing content via a login might connect as another.
Basically, for each role your web application creates in terms of types
of users, you can create a postgres user.
Often, it's as simple as creating a single postgres user that acts as a
proxy for the entire web application because, if you're the web
application designer as well, or can have authority over the
application in some way, you can know what sorts of permissions will be
required in the database.
-tfo
On Sep 7, 2004, at 11:39 PM, Randy Yates wrote:
> Forgive me if this is a basic and trivial (i.e., stupid) question. I
> haven't
> been using postgres very long, and I'm not an experienced database
> system
> developer.
>
> I noticed that there is a very powerful group-based security feature in
> postgres. Very nice - I like it alot. So one way to implement security
> constraints is to define appropriate groups, assign memobership of
> users
> to those groups, and then assign group-based permissions to the
> assorted
> database objects (e.g., tables). Fantastic!
>
> However, ... this requires each entity accessing the databse to be
> defined as a user. In the context of a web application, this paradigm
> doesn't necessarily make sense since there may be many unknown users.
> Somehow those users must be mapped to a "role." I suppose you can map
> all unknown users into the user "guest" and then define guest
> privileges
> appropriately.
>
> Is this a good approach? Is there better way to do this? Is there an
> altnerate way to consider?
> --
> % Randy Yates % "My Shangri-la has gone away, fading
> like
> %% Fuquay-Varina, NC % the Beatles on 'Hey Jude'"
> %%% 919-577-9882 %
> %%%% <yates(at)ieee(dot)org> % 'Shangri-La', *A New World Record*,
> ELO
> http://home.earthlink.net/~yatescr
From | Date | Subject | |
---|---|---|---|
Next Message | Ian Barwick | 2004-09-11 07:59:45 | Re: unicode and varchar |
Previous Message | Anton Nikiforov | 2004-09-11 07:42:46 | pg_shadow in a constraint |