security via views
am 27.04.2005 17:52:02 von weigelt
Hi folks,
we've got a larger project with several subsystems, which should
run in their own security context / users.
Most of the database access works over views and functions.
For functions its possible to run them with separate privileges
than the calling user. But is this also possible with views ?
I've noticed that for views also GRANT is necessary (AFAIK a
view is nothing else than a table with appropriate RULEs).
Does it work to grant some user access to his own view, but
not to the tables where the view works on ?
thx
--
------------------------------------------------------------ ---------
Enrico Weigelt == metux IT service
phone: +49 36207 519931 www: http://www.metux.de/
fax: +49 36207 519932 email: contact@metux.de
cellphone: +49 174 7066481
------------------------------------------------------------ ---------
-- DSL ab 0 Euro. -- statische IP -- UUCP -- Hosting -- Webshops --
------------------------------------------------------------ ---------
---------------------------(end of broadcast)---------------------------
TIP 2: you can get off all lists at once with the unregister command
(send "unregister YourEmailAddressHere" to majordomo@postgresql.org)
Re: security via views
am 27.04.2005 18:01:46 von Peter Dockweiler
Hello,
yes this works. Just drop the rights on the table and grand the rights on the
view.
Peter
Am Mittwoch, 27. April 2005 17:52 schrieb Enrico Weigelt:
> Hi folks,
>
> we've got a larger project with several subsystems, which should
> run in their own security context / users.
>
> Most of the database access works over views and functions.
> For functions its possible to run them with separate privileges
> than the calling user. But is this also possible with views ?
> I've noticed that for views also GRANT is necessary (AFAIK a
> view is nothing else than a table with appropriate RULEs).
> Does it work to grant some user access to his own view, but
> not to the tables where the view works on ?
>
>
> thx
---------------------------(end of broadcast)---------------------------
TIP 4: Don't 'kill -9' the postmaster
Re: security via views
am 27.04.2005 19:27:30 von Tom Lane
Enrico Weigelt writes:
> Most of the database access works over views and functions.
> For functions its possible to run them with separate privileges
> than the calling user. But is this also possible with views ?
> I've noticed that for views also GRANT is necessary (AFAIK a
> view is nothing else than a table with appropriate RULEs).
You have noticed incorrectly. A view's references to other tables
are privilege-checked with respect to the owner of the view.
regards, tom lane
---------------------------(end of broadcast)---------------------------
TIP 4: Don't 'kill -9' the postmaster