security via views

security via views

am 27.04.2005 17:52:02 von weigelt

Hi folks,

we've got a larger project with several subsystems, which should
run in their own security context / users.

Most of the database access works over views and functions.
For functions its possible to run them with separate privileges
than the calling user. But is this also possible with views ?
I've noticed that for views also GRANT is necessary (AFAIK a
view is nothing else than a table with appropriate RULEs).
Does it work to grant some user access to his own view, but
not to the tables where the view works on ?


thx
--
------------------------------------------------------------ ---------
Enrico Weigelt == metux IT service

phone: +49 36207 519931 www: http://www.metux.de/
fax: +49 36207 519932 email: contact@metux.de
cellphone: +49 174 7066481
------------------------------------------------------------ ---------
-- DSL ab 0 Euro. -- statische IP -- UUCP -- Hosting -- Webshops --
------------------------------------------------------------ ---------

---------------------------(end of broadcast)---------------------------
TIP 2: you can get off all lists at once with the unregister command
(send "unregister YourEmailAddressHere" to majordomo@postgresql.org)

Re: security via views

am 27.04.2005 18:01:46 von Peter Dockweiler

Hello,

yes this works. Just drop the rights on the table and grand the rights on the
view.

Peter

Am Mittwoch, 27. April 2005 17:52 schrieb Enrico Weigelt:
> Hi folks,
>
> we've got a larger project with several subsystems, which should
> run in their own security context / users.
>
> Most of the database access works over views and functions.
> For functions its possible to run them with separate privileges
> than the calling user. But is this also possible with views ?
> I've noticed that for views also GRANT is necessary (AFAIK a
> view is nothing else than a table with appropriate RULEs).
> Does it work to grant some user access to his own view, but
> not to the tables where the view works on ?
>
>
> thx

---------------------------(end of broadcast)---------------------------
TIP 4: Don't 'kill -9' the postmaster

Re: security via views

am 27.04.2005 19:27:30 von Tom Lane

Enrico Weigelt writes:
> Most of the database access works over views and functions.
> For functions its possible to run them with separate privileges
> than the calling user. But is this also possible with views ?
> I've noticed that for views also GRANT is necessary (AFAIK a
> view is nothing else than a table with appropriate RULEs).

You have noticed incorrectly. A view's references to other tables
are privilege-checked with respect to the owner of the view.

regards, tom lane

---------------------------(end of broadcast)---------------------------
TIP 4: Don't 'kill -9' the postmaster