From: | Norbert Poellmann <np(at)ibu(dot)de> |
---|---|
To: | Edwin UY <edwin(dot)uy(at)gmail(dot)com> |
Cc: | pgsql-admin(at)lists(dot)postgresql(dot)org |
Subject: | Re: GRANT CONNECT ON DATABASE |
Date: | 2024-06-10 10:59:58 |
Message-ID: | ZmbcriGHk23NPkMN@mail.ibu.de |
Lists: | pgsql-admin |
On Mon, Jun 10, 2024 at 12:09:14PM +1200, Edwin UY wrote:
> Hi,
>
> A role was created as below:
> CREATE ROLE [blah] WITH NOLOGIN NOSUPERUSER INHERIT NOCREATEDB NOCREATEROLE
> NOREPLICATION VALID UNTIL 'infinity';
>
> Aren't the following SQLs supposed to give the role login access?
>
> ALTER ROLE [blah] WITH ENCRYPTED PASSWORD 'blahpassword' ;
> GRANT CONNECT ON DATABASE [blahdb] TO [blahuser] ;
>
> We're trying to take the minimalist approach for a user access to have
> access to only the tables he has created and only to a specific database
> and schema.
Hi,
I would suggest, additionally, the strictest doorman for your database
is a record in ${data_directory}/pg_hba.conf, example:
    # TYPE   DATABASE  USER      ADDRESS     METHOD
    hostssl  blahdb    blahuser  1.2.3.4/32  scram-sha-256
changes followed by a server reload.
cheers
Norbert Poellmann
>
> Regards,
> Ed
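
Added example, not part of the original message or of PostgreSQL itself: a Python sketch of how a pg_hba.conf record like the one above acts as a filter, where the first matching record decides and no match means the connection is rejected. The catch-all reject line, the function names and the test connections are constructed for illustration; the sketch assumes CIDR addresses and literal names or "all" only.

```python
import ipaddress

# Constructed sample: the record from the message, then an assumed catch-all reject.
SAMPLE_HBA = """\
# TYPE   DATABASE  USER      ADDRESS     METHOD
hostssl  blahdb    blahuser  1.2.3.4/32  scram-sha-256
host     all       all       0.0.0.0/0   reject
"""

TCP_TYPES = ("host", "hostssl", "hostnossl")

def parse_hba(text):
    """Return (type, databases, users, network, method) per TCP record."""
    records = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 5 or fields[0] not in TCP_TYPES:
            continue  # blank line, comment, "local", or a form this sketch skips
        conn_type, dbs, users, addr, method = fields[:5]
        net = ipaddress.ip_network(addr, strict=False)  # CIDR form assumed
        records.append((conn_type, dbs.split(","), users.split(","), net, method))
    return records

def first_match(records, database, user, client_ip, ssl):
    """Auth method of the first matching record, or None if nothing matches.

    None corresponds to PostgreSQL denying access when no record matches.
    """
    ip = ipaddress.ip_address(client_ip)
    for conn_type, dbs, users, net, method in records:
        if conn_type == "hostssl" and not ssl:
            continue  # hostssl records only match TLS connections
        if conn_type == "hostnossl" and ssl:
            continue
        if "all" not in dbs and database not in dbs:
            continue
        if "all" not in users and user not in users:
            continue
        if ip.version == net.version and ip in net:
            return method
    return None

if __name__ == "__main__":
    recs = parse_hba(SAMPLE_HBA)
    for attempt in [("blahdb", "blahuser", "1.2.3.4", True),
                    ("blahdb", "blahuser", "1.2.3.4", False),
                    ("blahdb", "blahuser", "1.2.3.5", True)]:
        print(attempt, "->", first_match(recs, *attempt))
```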