Restricting access to rows?

Benjamin Smith <lists@benjamindsmith.com> schrieb:

How can I set up a user so that Bob can update his records, without letting
Bob update Jane's records? Is it possible, say with a view or some other
intermediate data type?

You can use a VIEW to select all rows for CURRENT_USER, and then create
RULES for this view to do INSERT, UPDATE and DELETE.

A nice framework for row-level access-control is 'veil':
http://pgfoundry.org/projects/veil

HTH, Andreas
--
Really, I'm not out to destroy Microsoft. That will just be a completely
unintentional side effect. (Linus Torvalds)
"If I was god, I would recompile penguin with --enable-fly." (unknow)
Kaufbach, Saxony, Germany, Europe. N 51.05082�, E 13.56889�

Benjamin Smith <lists@benjamindsmith.com> writes:

How can I set up a user so that Bob can update his records, without letting
Bob update Jane's records? Is it possible, say with a view or some other
intermediate data type?

It's not hard to give them access to *view* their records using a view. You
just create the view with WHERE customer_id = .. and then grant SELECT access
to that view but not the underlying table.

In theory that would be enough to give them update access as well. However
Postgres doesn't yet support updateable views, at least not automatically.

You would have to write rules for each view to implement updateable views
which isn't hard but would get pretty tiresome if you're doing this for a lot
of tables and a lot of clients.

There was a project around where someone had implemented some scripts to do
this automatically. You might be able to find it searching back through the
lists.

There are also people interested in working on it as a built-in feature for
Postgres, but I don't think there's any time-line on though or even any
preliminary results yet, so I wouldn't depend on it any time soon.

--
greg

Hi,

Are there any plans to make CREATE USER local to a database? (as opposed
to CLUSTER scope, as it is today)

So that in such cases as Benjamin's, the ISP could satisfy customer
requests by createing and handing over the new database instance within
the managed cluster? Even with the unrestricted CREATE USER privileges?

-R

On Fri, 2006-05-26 at 07:39 +0200, Andreas Kretschmer wrote:

Benjamin Smith <lists@benjamindsmith.com> schrieb:

How can I set up a user so that Bob can update his records, without letting
Bob update Jane's records? Is it possible, say with a view or some other
intermediate data type?

You can use a VIEW to select all rows for CURRENT_USER, and then create
RULES for this view to do INSERT, UPDATE and DELETE.

A nice framework for row-level access-control is 'veil':
http://pgfoundry.org/projects/veil

HTH, Andreas

--
-R

Greg Stark wrote:

There are also people interested in working on it as a built-in feature for
Postgres, but I don't think there's any time-line on though or even any
preliminary results yet, so I wouldn't depend on it any time soon.

Actually, there is a patch which works for some cases. Not sure if it
will make it into 8.2 though.

--
Richard Huxton
Archonet Ltd

Benjamin Smith wrote:

How can I set up a user so that Bob can update his records, without letting
Bob update Jane's records? Is it possible, say with a view or some other
intermediate data type?

I've done something similar using a separate control table where I set
what accounts an user can "see", then I wrote a psql that returns just
the rows for that especific user, it could also be done with pure SQL
joins tough.

--
Sinceramente,
Josu� Maldonado.

... "Si me enga�as una vez, tuya es la culpa. Si me enga�as dos, la
culpa es m�a." -- Anax�goras.

Josue E. Maldonado wrote:

Benjamin Smith wrote:

How can I set up a user so that Bob can update his records, without
letting Bob update Jane's records? Is it possible, say with a view or
some other intermediate data type?

I've done something similar using a separate control table where I set
what accounts an user can "see", then I wrote a psql that returns just
the rows for that especific user, it could also be done with pure SQL
joins tough.

You can put in a some triggers that do a few things, and I think a rule
on SELECT will round it off.

on Insert: populate a column with CURRENT_USER
on Update and Delete: refuse unless CURRENT_USER matches the column
on SELECT rules, apply a filter that column = CURRENT_USER

You also may put in an override for all three that if the CURRENT_USER
is in some particular group these filters will not apply. One level
might be just for selects, a higher level for updates/deletes.

Or you can do the reverse, and say that these filters only apply if the
user is in a certain group.

Rafal Pietrak <rafal@zorro.isa-geek.com> writes:

Are there any plans to make CREATE USER local to a database?

No.

There is the db_user_namespace configuration parameter, but it's a bit
of an ugly kluge if you ask me ...

regards, tom lane

On Fri, 2006-05-26 at 10:25 -0400, Tom Lane wrote:

There is the db_user_namespace configuration parameter, but it's a bit
of an ugly kluge if you ask me ...

Haven't noticed that.

But a superuser@dataabase1, still can create a user@database2 - so it's
of no use for privilege separation. Pity.

--
-R

You are apparently dealing with the downside of co-mingling your clients
data... maybe you should seriously consider revising your approach and
giving each client either separate databases or separate schema's within a
given database --

This is why co-mingling should be avoided...

I'd push for the former -- that way -- you can use a template database
instead of hoping that all of your filters, rules, views, etc are
accurate...

"Benjamin Smith" <lists@benjamindsmith.com> wrote in message
news:200605252155.52906.lists@benjamindsmith.com...