On Thu, Oct 15, 2009 at 7:22 PM, Mark Mielke <m...@mark.mielke.cc> wrote: > It depends on what your goal is. If your goal is to treat users as monkeys > that you do not trust, even with their own password, and the DBA as God, who > you absolutely do trust, than you are correct. > > I don't know about your company - but in my company, the DBAs are in the IT > department, and they really have no business knowing my password, which > would give them access to my employee records, and my authorization > capabilities. For any company that requires security, I do not accept that > we can "trust the DBA". The database is just one small component in a much > larger solution. The DBA is the monkey for a minor backend application, and > the designers are the people earning money for the corporation. We have the > exact opposite of what you are suggesting. A person can get access to much > more data by logging in as the user on their *desktop* than by accessing > some database directly.
You have no choice but to trust the DBA (or sysadmin) if you use PostgreSQL's built in authentication. Just set a pg_hba.conf line to 'password' and start harvesting passwords. > I think you are missing that security is a balance. Your dig at ignorant > people who do JS-based browser side checks of input is not applicable. You > are exchanging one type of security for another type of security. You think > that your proposed type of security is more valid than my proposed type of > security. It depends on the application. Sometimes you might be right. Other > times, you have arguably made things worse. Any company that truly needs > security of this sort - should not be using PostgreSQL based roles with > passwords for authentication. The true value of your proposal is pretty > limited. I never said it wasn't - in fact I said from the outset it was about box-checking, and that anyone doing things properly will use LDAP/SSPI/Kerberos etc. What I did say, was that my proposed GUC doesn't allow the DBA to do anything that he cannot already do in a much easier way, per the comment above. Anyway, as noted in the message you quoted, the current proposal will allow my colleagues to check boxes, and will be implemented in a sensible way on the server side. And it's entirely confined to a plugin, so if you trust all your users, there's no need for you to load it at all. -- Dave Page EnterpriseDB UK: http://www.enterprisedb.com -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers
