Re: Filtering DatabaseMetaData to show only the items for which the current user has access

Langley, Scott E schrieb am 13.09.2016 um 01:54:
> We have a desire to hide unneeded database objects from our
> database-challenged users - as they might see in a simple database
> viewer application - by removing their privileges on such objects.
>
> It appears that many database viewing applications, e.g.,
> DbVisualizer, rely on what is returned by the JDBC driver’s
> DatabaseMetaData methods to determine which schemas and tables to
> display to the user
>
> Another way would be to:
>
> 1. Modify the information_schema views for a particular database to
> only show the current user the objects for which they have
> privileges.
>
> 2. Then, have the PostgreSQL JDBC driver populate its
> DatabaseMetatData information only using the contents of the
> information_schema and not query pg_catalog, pg_class, and the other
> Postgres-specific system information tables.

If your aim is users of SQL clients, then what's the use of that?

As you can run any SQL statement inside those applications, the users
can still run the query directly against pg_class and the other system tables

Or they just use psql or any other tools that is not based on the JDBC driver
to get that information. You can never get security right on the client side.

Plus: with the driver being OpenSource, anyone can build their own version
with those checks disabled, or simply use an older version of the driver.

Thomas