From: | "David Legault" <legault(dot)david(at)gmail(dot)com> |
---|---|
To: | pgsql-general(at)postgresql(dot)org |
Subject: | Per Database Roles |
Date: | 2007-02-19 15:32:06 |
Message-ID: | e0b20d410702190732t5e824862ua5c6377bf2376aff@mail.gmail.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-general |
Hello,
Is there a way to attach roles to only certain databases so that the login
[from PHP pg_connect(username, password, database)] is tied to that
particular database and any creation of roles (users/groups) can be
constrained into that particular database.
I plan to use the roles system to be able to create the users/groups
access/permissions and I would like to have them isolated on a per database
basis instead of having them in a situation that Role A (user) belonging to
DB C could also be used in DB D (security issue).
I've seen this from the docs :
db_user_namespace (boolean)
This parameter enables per-database user names. It is off by default. This
parameter can only be set in the postgresql.conf file or on the server
command line.
If this is on, you should create users as username(at)dbname(dot) When username is
passed by a connecting client, @ and the database name are appended to the
user name and that database-specific user name is looked up by the server.
Note that when you create users with names containing @ within the SQL
environment, you will need to quote the user name.
With this parameter enabled, you can still create ordinary global users.
Simply append @ when specifying the user name in the client. The @ will be
stripped off before the user name is looked up by the server.
*Note: * This feature is intended as a temporary measure until a complete
solution is found. At that time, this option will be removed.
But in the CREATE ROLE portion of the docs it talks about them being global
and doesn't mention anything about creating them as role(at)db to tie them to
that particular DB.
Thanks
David
From | Date | Subject | |
---|---|---|---|
Next Message | Edwin Quijada | 2007-02-19 15:35:10 | Re: postgreSQL |
Previous Message | Tom Lane | 2007-02-19 15:25:20 | Re: Why *exactly* is date_trunc() not immutable ? |