Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
349 views
in Technique[技术] by (71.8m points)

sql - Grant access to just one schema in postgreSQL

I have a user just_one_schema_user.

In my database I have two schemas: public and sample

How can I make this user to see just the sample?

This is what I did:

GRANT USAGE ON SCHEMA sample TO just_one_schema_user

REVOKE ALL PRIVILEGES ON SCHEMA public FROM just_one_schema_user

But the user still can list the tables in public and see their structures.

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)

About access to the table metadata:

As Islingre commented, there is no good way to hide that information from users.

You would have to deny the user access to the pg_class, pg_namespace and pg_proc and similar tables. This can be done if you set allow_system_table_mods to on, and PostgreSQL will continue functioning, but a lot of things will no longer work:

  • Using the psql utility commands like d or dt

  • Similar tools for other tools

  • Monitoring systems

Essentially, you won't be able to see any metadata any more.

There is no way to allow a user to see only some of the metadata, it is all or nothing.

But that is not a problem. There is no good reason to keep metadata from anybody - that is public information.

PostgreSQL doesn't consider that a security problem. Just because I know that there is a table customer with a column credit_card_number doesn't get me any closer to accessing it if permissions are set properly.

About access to the objects in public:

A REVOKE that removes a privilege that has never been granted will silently do nothing.

The USAGE privilege on schema public is granted to PUBLIC, not just_one_schema_user.

Use this to show the permissions in psql:

dn+

You are looking for:

REVOKE CREATE, USAGE ON SCHEMA public FROM public;

I would recommend storing no application data in public, only extensions. Then don't revoke USAGE, only CREATE.


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...