tags:

views:

136

answers:

2
Q: 

Postgres: making a schema restricted/unchangable?

We like our production environment with a restricted/unchangable schema -- the development side can be owned by the developers and changed as they like -- and we like to vet changes as they are promoted.

I'm wondering if this may be a solution to making that happen:

postgres% create proddb with owner=postgres;

unixside% pg_restore --dbname=devdb [--schema-only] --no-owner proddb
/* grants to users on schema objects appear to remain intact */

/* here's the magic, I hope... */
postgres% revoke create on schema public from public;
postgres% grant usage on schema public to produser(s);

Some testing seems to show that a user in this new proddb can interact with tables normally (with appropriate grants) and cannot alter the schema (alter table, create table, drop table, etc). But I'm paranoid and very new to Postgres, so...

Q: Is this correct?

Q: Am I missing anything?

Thanks muchly.

+1  A: 

Yes, that is correct. The only addition is that the owner of a table can always delete or modify it. So it may not work if you have existing tables in the schema.

Magnus Hagander  2009-10-28 20:15:47
Understood. There never should be an owner of a table in production if I do this right: everything should be owned by postgres from inception.Thanks.
Joe  2009-10-28 21:36:40
A: 

Discovered a missing element: sequences.

The user was finding errors in his scripts; similar errors appeared in the logs:

ERROR:  permission denied for sequence <sequence>

The production schema showed that although sequences were created, they were owned by postgres and no explicit grants were given to the users. As per the GRANT documentation:

Granting permission on a table does not automatically extend permissions to any sequences used by the table, including sequences tied to SERIAL columns. Permissions on sequence must be set separately.

Our fix (verbose for this demonstration) was to find all sequences:

unixside% pg_dump --schema-only proddb > proddb.schema
unixside% grep -i 'create sequence' proddb.schema

...and apply appropriate grants (select to prevent table scans, update to prevent the above errors):

postgres% grant select,update on <sequence> to produser(s);

So far, the user says it's working and errors to the log have stopped...

Joe  2009-11-10 21:00:09

related questions

How do I (or can I) SELECT DISTINCT on multiple columns (postgresql)?
Is it possible to make a recursive SQL query ?
What does it mean when a PostgreSQL process is "idle in transaction"?
C# .NET + PostgreSQL
Possible to perform cross-database queries with postgres?
Cascading deletes in PostgreSQL
How to concatenate strings of a string field in a PostgreSQL 'group by' query?
Languages other than SQL in postgres
How to prevent Write Ahead Logging on just one table in PostgreSQL?
Using MS Access & ODBC to connect to a remote PostgreSQL
Reasons for SQL differences
PostgreSQL perfomance monitoring tool
How do you use script variables in PostgreSQL?
MySQL vs PostgreSQL for Web Applications
joining latest of various usermetadata tags to user rows
Good strategy for leaving an audit trail/change history for DB applications?
PostgreSQL: GIN or GiST indexes?
Migrating from MySQL to PostgreSQL
What's the preferred way to connect to a postgresql database from PHP?
Use for the phppgadmin Reports Database?
Recommendation for a PostgreSQL Programming Tutorial?
SQL Case Statement Syntax?
What language do you use for Postgresql triggers and stored procedures?
String literals and escape characters in postgresql
Python and MySQL