On Sun, Jun 30, 2013 at 09:31:18PM -0400, Michael Orlitzky wrote:
> (why do I get the feeling nobody is going to check out the repo):
Probably because you're asking random strangers on the Internet to
help you solve their problems, and many of such strangers have other
things to do than go somewhere else to learn about your problems.
> # Admins can do anything.
You've been able to create this situation with the superuser flag for
as long as I can remember (I started with Postgres in the 6.5.x era,
but I won't claim my memory goes back that far).
> # The customer's developers can access their own projects.
Surely this is the "create a database per user" issue. Give each dev
user a ROLE that is the same as the owner of the database. This has
been available for many releases.
> # The anonymous user can only read things.
Create a role that can read anything (in a database? In all
databases? You don't say) and GRANT that automatically to these anon
users. This has been possible for ages.
> This will work for eternity, and is perfectly secure.
It is not even remotely "perfectly" secure. It has truck-sized holes.
Every dev can screw over every other's area. There is no
write-can't-read case. Admins are all or nothing. This is
"perfectly" secure only to someone who thinks the traditional UNIX
permissions system is a good model. Anyone who has spent much more
time with the disasters of ACL abuse knows that a general purpose
system cannot be both easy and fully secure ("hard and fully secure"
also turns out to be either false or impossible). But if the
description you give is accurate, then Postgres has been able to do
this for ages, and I've used exactly the Postgres facilities to
implement something like what you're describing. Any 9-era manual has
all you need for this, in my experience. I'm not sure what to tell
you except that, perhaps, you need a Postgres consultant.
A
--
Andrew Sullivan
ajs@crankycanuck.ca