Обсуждение: Best practice to create a read-only user?
Hello, Usually I would create user uuu password 'ppp'; GRANT usage on schema zzz to uuu; GRANT select on all tables in schema zzz to uuu; But just this morning someone used create user uuu password 'ppp'; alter user uuu set default_transaction_read_only = on; GRANT select on all tables in schema zzz to uuu; So I only added the grant usage and it worked fine. What do people use day to day? I had frankly never explored the default_transaction_read_only parameter ... -- regards Matthias Ritzkowski -marlinmobile-
default_transaction_read_only is just a default. Users can still disable it for themselves and it is not intended to act as a security measure. In the second example, user uuu could still create and modify data for which s/he has the privileges granted to do so by first issuing a "set transaction read write".
On Fri, May 3, 2013 at 10:03 AM, matthias ritzkowski <matthias@marlinmobile.com> wrote:
Hello,
Usually I would
create user uuu password 'ppp';
GRANT usage on schema zzz to uuu;
GRANT select on all tables in schema zzz to uuu;
But just this morning someone used
create user uuu password 'ppp';
alter user uuu set default_transaction_read_only = on;
GRANT select on all tables in schema zzz to uuu;
So I only added the grant usage and it worked fine.
What do people use day to day?
I had frankly never explored the default_transaction_read_only
parameter ...
--
regards
Matthias Ritzkowski
-marlinmobile-
--
Sent via pgsql-admin mailing list (pgsql-admin@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-admin
On Fri, May 3, 2013 at 7:03 AM, matthias ritzkowski <matthias@marlinmobile.com> wrote: > What do people use day to day? I usually set default privileges for user postgres like below and create end users in particular roles, either role_ro for read only or role_rw for read-write access. All the database objects one need the default privileges to be applied to must be created with user postgres. ALTER DEFAULT PRIVILEGES FOR ROLE postgres GRANT SELECT ON SEQUENCES TO role_ro; ALTER DEFAULT PRIVILEGES FOR ROLE postgres GRANT SELECT ON TABLES TO role_ro; ALTER DEFAULT PRIVILEGES FOR ROLE postgres GRANT EXECUTE ON FUNCTIONS TO role_ro; ALTER DEFAULT PRIVILEGES FOR ROLE postgres GRANT SELECT,USAGE ON SEQUENCES TO role_rw; ALTER DEFAULT PRIVILEGES FOR ROLE postgres GRANT SELECT,INSERT,DELETE,UPDATE ON TABLES TO role_rw; ALTER DEFAULT PRIVILEGES FOR ROLE postgres GRANT EXECUTE ON FUNCTIONS TO role_rw; -- Kind regards, Sergey Konoplev PostgreSQL Consultant and DBA Profile: http://www.linkedin.com/in/grayhemp Phone: USA +1 (415) 867-9984, Russia +7 (901) 903-0499, +7 (988) 888-1979 Skype: gray-hemp Jabber: gray.ru@gmail.com