Обсуждение: security via views

Поиск
Список
Период
Сортировка

security via views

От
Enrico Weigelt
Дата:
Hi folks,

we've got a larger project with several subsystems, which should
run in their own security context / users.

Most of the database access works over views and functions.
For functions its possible to run them with separate privileges
than the calling user. But is this also possible with views ?
I've noticed that for views also GRANT is necessary (AFAIK a
view is nothing else than a table with appropriate RULEs).
Does it work to grant some user access to his own view, but
not to the tables where the view works on ?


thx
--
---------------------------------------------------------------------
 Enrico Weigelt    ==   metux IT service

  phone:     +49 36207 519931         www:       http://www.metux.de/
  fax:       +49 36207 519932         email:     contact@metux.de
  cellphone: +49 174 7066481
---------------------------------------------------------------------
 -- DSL ab 0 Euro. -- statische IP -- UUCP -- Hosting -- Webshops --
---------------------------------------------------------------------

Re: security via views

От
Peter Dockweiler
Дата:
Hello,

yes this works. Just drop the rights on the table and grand the rights on the
view.

Peter

Am Mittwoch, 27. April 2005 17:52 schrieb Enrico Weigelt:
> Hi folks,
>
> we've got a larger project with several subsystems, which should
> run in their own security context / users.
>
> Most of the database access works over views and functions.
> For functions its possible to run them with separate privileges
> than the calling user. But is this also possible with views ?
> I've noticed that for views also GRANT is necessary (AFAIK a
> view is nothing else than a table with appropriate RULEs).
> Does it work to grant some user access to his own view, but
> not to the tables where the view works on ?
>
>
> thx

Re: security via views

От
Tom Lane
Дата:
Enrico Weigelt <weigelt@metux.de> writes:
> Most of the database access works over views and functions.
> For functions its possible to run them with separate privileges
> than the calling user. But is this also possible with views ?
> I've noticed that for views also GRANT is necessary (AFAIK a
> view is nothing else than a table with appropriate RULEs).

You have noticed incorrectly.  A view's references to other tables
are privilege-checked with respect to the owner of the view.

            regards, tom lane