On 2008-12-06, at 18:30, Andrew Chernow wrote:
Grzegorz Jaskiewicz wrote:
On 2008-12-06, at 18:21, Andrew Chernow wrote:
Looking for a way to limit a user to a specific set of queries.
I don't think this can be done right now ... or can it? Has this
feature request surfaced in the past?
I currently need this as an extra security measure for a libpq
client app (want to block arbitrary queries from malicious
attackers). The easiest way I found was to add some query_string
checks into backend/tcop/postgres.c for the 'Q' and 'P' commands
in PostgresMain(). Seems to work just fine. If it doesn't match,
I issue an ereport FATAL since that is seen as a "malicious query
execution attempt".
I think it is something rather simple to design/implement
(probably use a table of user allowed queries, support regex
matches, etc.. loaded at session startup and SIGHUP).
Can it be done with views, and by adjusting permissions so the user is
only allowed to use a few views?
Not sure. The client I am working on only calls functions, small
API to interact with (no knowledge of views or tables). Even if
that were not the case, would views stop a client from sending in
other queries, like "SELECT 1+1" or something that could bog down
the server?
I use views to simplify code. Say you have a simple join, with one
WHERE. You omit the WHERE in the view, and leave it like that. Then just
select foo1, foo2 from VIEW WHERE boo1=foo1 and foo3 <> '123';
PostgreSQL is smart enough to run it as one query (as opposed to
MySQL), so the code is simpler, everybody's happy.
If you want to continue on that discussion, I suggest we move it to
pg-general.
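As an added illustration (not code from either poster), this is how the
privilege-based approach discussed above looks in practice: the client role
gets nothing but a view with the join baked in and a SECURITY DEFINER function
API, so no backend patching is needed. Role, schema, table and function names
are assumed; grants cannot block a query like "SELECT 1+1", so a per-role
statement_timeout bounds what such a query can cost.

```sql
-- Added example: confine a libpq client to a fixed API instead of
-- filtering query strings in PostgresMain(). All names are assumed.
CREATE ROLE app_client LOGIN PASSWORD 'change-me';

-- Deny by default: the client cannot create or look up objects in public.
REVOKE ALL ON SCHEMA public FROM PUBLIC;

-- Dedicated schema holding only what the client is allowed to touch.
CREATE SCHEMA api;
GRANT USAGE ON SCHEMA api TO app_client;

-- View with the join already in place; the caller supplies the WHERE,
-- and the planner folds it into a single query.
CREATE VIEW api.order_lines AS
    SELECT o.id AS order_id, o.customer, l.sku, l.qty
      FROM public.orders o
      JOIN public.order_lines l ON l.order_id = o.id;
GRANT SELECT ON api.order_lines TO app_client;

-- Function API: runs with the owner's rights, so app_client never needs
-- INSERT on the underlying tables. search_path is pinned inside the
-- function so a caller cannot redirect it to objects of their own.
CREATE FUNCTION api.place_order(p_customer text, p_sku text, p_qty int)
RETURNS int
LANGUAGE plpgsql SECURITY DEFINER SET search_path = public AS $$
DECLARE
    new_id int;
BEGIN
    IF p_qty <= 0 THEN
        RAISE EXCEPTION 'qty must be positive';
    END IF;
    INSERT INTO orders (customer) VALUES (p_customer) RETURNING id INTO new_id;
    INSERT INTO order_lines (order_id, sku, qty) VALUES (new_id, p_sku, p_qty);
    RETURN new_id;
END
$$;
-- New functions are executable by PUBLIC by default; close that first.
REVOKE EXECUTE ON FUNCTION api.place_order(text, text, int) FROM PUBLIC;
GRANT EXECUTE ON FUNCTION api.place_order(text, text, int) TO app_client;

-- Privileges do not stop "SELECT 1+1" or other arbitrary reads, but a
-- per-role timeout limits how much server time any one of them can burn.
ALTER ROLE app_client SET statement_timeout = '5s';
```

With this in place the client can still send any text it likes, but everything outside the view and the function fails with a permission error, which is an ordinary log line rather than a FATAL.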
--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers