On Mon, Feb 26, 2018 at 4:55 PM, Paul Jungwirth <p...@illuminatedcomputing.com > wrote:
> On 02/26/2018 03:47 PM, Tom Lane wrote: > >> PropAAS DBA <d...@propaas.com> writes: >> >>> We have a client which is segmenting their multi-tenant cluster >>> (PostgreSQL 9.6) by schema, however if one of their clients connects via >>> pgadmin they see ALL schemas, even the ones they don't have access to >>> read. >>> >> PG generally doesn't assume that anything in the system catalogs is >> sensitive. If you don't want user A looking at user B's catalog >> entries, give them separate databases, not just separate schemas. >> > > I'm sure this is what you meant, but you need to give them separate > *clusters*, right? Even with separate databases you can still get a list of > the other databases and other roles in the cluster. I would actually love > to be mistaken but when I looked at it a year or two ago I couldn't find a > way to lock that down (without breaking a lot of tools anyway). > Yes, both the database and role namespace is global to an individual cluster. Its another level of trade-off; database and role names could realistically and easily be done UUID-style so knowing the labels doesn't really tell anything except a vague impression of host size. Assuming clients don't want to see their log files... David J.
