| From: | Laurenz Albe <laurenz(dot)albe(at)cybertec(dot)at> |
|---|---|
| To: | Frank Eckes <frank(dot)eckes(at)online(dot)de>, pgsql-admin(at)lists(dot)postgresql(dot)org |
| Subject: | Re: security issues |
| Date: | 2021-12-10 16:20:19 |
| Message-ID: | ba32f586b2ba90c1909f32f6cdabefc3a0fc325d.camel@cybertec.at |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-admin |
On Fri, 2021-12-10 at 15:33 +0100, Frank Eckes wrote:
> To access data in a PostgreSQL database I write queries which contains
> the business rules
>
> how t access data. This is working fine and also the permission are
> working fine.
>
> But I found out that a user can see the complete business rules in a
> query or a procedure which is
>
> a big security issue.
>
> Is there e possibility that I can hide the definition and th user can
> only see the data or can execute
>
> the procedure/function.
No, there is no good way to do that.
It is very unusual to put secret information into a view definition...
> And even worse, if i define a foreign server (e.g ORACLE) everybody can
> see the credentials in a user mapping
>
> which should not be allowed. This might be a show stopper of using
> PostgreSQL in security environments.
Then you use Oracle external authentication, for example with a
secure key store on the PostgreSQL server. Then you don't need a
password.
Yours,
Laurenz Albe
--
Cybertec | https://www.cybertec-postgresql.com
| From | Date | Subject | |
|---|---|---|---|
| Next Message | David G. Johnston | 2021-12-10 16:21:47 | Re: security issues |
| Previous Message | Frank Eckes | 2021-12-10 14:33:36 | security issues |