postgresql 如何防止用户看到其他数据库和其他数据库的表?
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/3349136/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
How to prevent a user from being able to see other databases and the tables from other databases?
提问by Dan
I want to create a postgres user that can access only one database on the postgres server at all.
我想创建一个 postgres 用户,它只能访问 postgres 服务器上的一个数据库。
Currently my flow is:
目前我的流程是:
create database database1;
create user user1 with password 'pass';
grant all privileges on database database1 to user1;
but user1 can still see a list of dbs, users, tables etc. Is there a way to prevent that user from seeing that info? The user needs to be able to write to and read from that db.
但是 user1 仍然可以看到 dbs、用户、表等的列表。有没有办法阻止该用户看到该信息?用户需要能够写入和读取该数据库。
Thanks a lot.
非常感谢。
采纳答案by Rdbhost
Each user can see other databases and roles listed, but should not be able to see tables in other databases, ever.
每个用户都可以看到列出的其他数据库和角色,但永远不能看到其他数据库中的表。
If you revoke CONNECT privilege on all databases except the allotted one, the user will not be able to access the contents of other databases.
如果您撤销对除分配的数据库之外的所有数据库的 CONNECT 权限,用户将无法访问其他数据库的内容。
Roles and database names are global, and not readily blockable. You can try Frank Heikens suggestion of selective revocations on the system tables, but you take risks to do that. PostgreSQL developers on the usenet mailing lists have discouraged tampering with access to the system catalogs.
角色和数据库名称是全局的,不容易被阻止。您可以尝试 Frank Heikens 建议对系统表进行选择性撤销,但这样做是要冒险的。usenet 邮件列表上的 PostgreSQL 开发人员不鼓励篡改对系统目录的访问。
Psql, among other tools, assumes they will be available and functions poorly without them.
Psql 和其他工具假定它们将可用并且没有它们时功能会很差。
Why is knowing the namesof other databases and roles so bad?
为什么知道其他数据库和角色的名称如此糟糕?
回答by Frank Heikens
REVOKE the SELECT permissions on the information_schemaand some sections in the system catalog.
撤销对information_schema和系统目录中某些部分的 SELECT 权限。
回答by Sam Coles
By default any objects you create are created in the public schema. Also, any users that you create have CREATE and USAGE privileges on the public schema. You should revoke CREATE and USAGE to the public schema for this user, or you should change the default access level. You'll also need to move the database to which this user has access into the user's schema, or a schema accessible to the user. See DDL Schemasin the Postgres manual.
默认情况下,您创建的任何对象都是在公共架构中创建的。此外,您创建的任何用户都对公共架构具有 CREATE 和 USAGE 权限。您应该撤销此用户的公共架构的 CREATE 和 USAGE,或者您应该更改默认访问级别。您还需要将这个用户有权访问的数据库移动到用户的架构中,或者移动到用户可以访问的架构中。请参阅Postgres 手册中的DDL 模式。
