Re: Novice question about users and...rights?
| From | Stephen Frost |
|---|---|
| Subject | Re: Novice question about users and...rights? |
| Date | |
| Msg-id | 20171127171508.GS4628@tamriel.snowman.net |
| In reply to | Novice question about users and...rights? ("Dale Schmitz" <dschmitz4@cox.net>) |
| List | pgsql-novice |
Dale,

* Dale Schmitz (dschmitz4@cox.net) wrote:
> My big question for this post regards database login by end users. In the
> Access database, users logged in as a way of verifying to the database super
> user that they were legitimate users of the database, but everything ran as
> the DB owner (the super user I mentioned). In converting this application
> I'm tempted to go the same route, but only because I saw that it worked in
> Access. The users will have flags in their records stating their role, and
> hence what they can and can't do, but I wonder if this is smart.

First off, be careful when you talk about 'superuser' as it means different things in different places. Definitely do *not* use a PostgreSQL superuser account for your application.

> Would it be smarter/wiser/more secure/more efficient, etc., to have the
> users actually log in to Postgres and assign them appropriate permissions to
> tables and such, as opposed to having the database owner run everything with
> knowledge of what the user is authorized to do?

For a small number of users, such as what it sounds like you have here, I'd suggest having a database-level user for each user of the application and managing privileges using roles, where access on each of the tables is GRANT'd to some appropriate role and then those roles are GRANT'd to the users who should have a given role (or roles). This also means you can essentially avoid having the application have to care about authentication or authorization, since it's all done in the database and the user actually authenticates to the database and not to the application.

This also has the advantage that if you have other applications in the future you don't have to reimplement the authentication or authorization pieces, and you could even give advanced users access to the database itself if you wish to (note, however, that PostgreSQL doesn't currently have any way to 'throttle' users who have SQL-level access, so one user could potentially use a lot of resources with direct SQL access, though this may also be true when accessing the system through your application, so it might not be different, really).

Thanks!

Stephen
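The layout Stephen describes (privileges GRANT'd to group roles, group roles GRANT'd to per-user login roles, no superuser in the application path), written out as an added example. This is not code from the thread or from the PostgreSQL project; the table, role names and users (`orders`, `app_reader`, `app_editor`, `dale`, `ann`) are constructed placeholders.

```sql
-- Added example, not from the original message: a minimal role-based
-- privilege layout for the application discussed in the thread.
-- All names below are assumed placeholders.

-- Group roles carry the privileges but cannot log in themselves.
CREATE ROLE app_reader NOLOGIN;
CREATE ROLE app_editor NOLOGIN;

-- A sample application table (constructed for the example).
CREATE TABLE orders (
    id   serial  PRIMARY KEY,
    item text    NOT NULL,
    qty  integer NOT NULL CHECK (qty > 0)
);

-- Do not rely on the default PUBLIC grants on the schema; hand out only
-- what each group role needs.
REVOKE ALL ON SCHEMA public FROM PUBLIC;
GRANT USAGE ON SCHEMA public TO app_reader, app_editor;

-- Table privileges go to group roles, never to individual users.
GRANT SELECT ON orders TO app_reader;
GRANT SELECT, INSERT, UPDATE ON orders TO app_editor;
GRANT USAGE, SELECT ON SEQUENCE orders_id_seq TO app_editor;

-- One login role per end user. Plain LOGIN roles have no SUPERUSER,
-- CREATEDB or CREATEROLE attribute, so the application never runs with
-- a PostgreSQL superuser. The "role flag" that lived in the Access user
-- record becomes membership in a group role.
CREATE ROLE dale LOGIN PASSWORD 'example-only-change-me';
CREATE ROLE ann  LOGIN PASSWORD 'example-only-change-me';
GRANT app_reader TO dale;
GRANT app_editor TO ann;

-- Check the effective privileges without logging in as each user:
-- membership is inherited, so dale can SELECT but not INSERT, ann can both.
SELECT rolname,
       has_table_privilege(rolname, 'orders', 'SELECT') AS can_select,
       has_table_privilege(rolname, 'orders', 'INSERT') AS can_insert
FROM   pg_roles
WHERE  rolname IN ('dale', 'ann')
ORDER  BY rolname;
```

With this in place the application connects with the end user's own credentials and the server enforces authorization, so the application code contains no permission checks of its own. Adding a user is `CREATE ROLE ... LOGIN` plus a `GRANT` of the right group role; changing someone's role is a `GRANT` or `REVOKE` of group membership, with no table-level changes. On the resource concern in the message, a per-role `ALTER ROLE dale SET statement_timeout = '30s'` and `CONNECTION LIMIT` on the login role bound runaway statements and connection counts; they are not real throttling, but they are the knobs that do exist.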