MIME-Version: 1.0
References: 
 <CAN0-mGtt_JLUuomwYfLNUc2yTQkY4AZMBFWKZhUumv5a6eJxRg@mail.gmail.com>
 <74CE8CC4-3A14-4A64-AF90-9514E27CC56B@elevated-dev.com>
 <CAN0-mGunfW-X9-moKOtvQ-LrbXTYFEDxuqnfQH3NcJdxhtbbdA@mail.gmail.com>
In-Reply-To: 
 <CAN0-mGunfW-X9-moKOtvQ-LrbXTYFEDxuqnfQH3NcJdxhtbbdA@mail.gmail.com>
From: "David G. Johnston" <david.g.johnston@gmail.com>
Date: Wed, 20 Nov 2024 19:50:43 -0700
Message-ID: 
 <CAKFQuwZ0CBYkYVcH2YX_RLGoFCaZyL_OvqhBUB7Xo3oGRPFxrg@mail.gmail.com>
Subject: Re: Disable Save results to file button
To: Srini Genji <srini.genji@gmail.com>
Cc: Scott Ribe <scott_ribe@elevated-dev.com>, pgsql-admin@lists.postgresql.org
Content-Type: multipart/alternative; boundary="000000000000695cc606276357f2"
Archived-At: 
 <https://www.postgresql.org/message-id/CAKFQuwZ0CBYkYVcH2YX_RLGoFCaZyL_OvqhBUB7Xo3oGRPFxrg%40mail.gmail.com>
Precedence: bulk

--000000000000695cc606276357f2
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

On Wed, Nov 20, 2024 at 7:38=E2=80=AFPM Srini Genji <srini.genji@gmail.com>=
 wrote:

>
> This is coming mainly from security to avoid users downloading huge
> datasets containing sensitive data in to their machine
>
>
I appreciate the desire here, and it isn't unreasonable, but it is also
technically nearly impossible.  If you have given a person credentials,
network access, and the relevant database permissions to see all of that
data they will be able to make a copy of it that you do not control.  While
marginal improvements are possible, the cost of doing them (and available
mitigations) discourages people from working on such patches in favor of
other things.

If this is a security risk you need to mitigate in PostgreSQL you probably
need to implement a solution where the user does not directly have
credentials for the database, but asks some proxy to access the database on
their behalf (e.g., a webapp) and in that proxy you institute such
policies.  I feel like some tools and extensions in this area likely exist,
though I am not personally familiar with any of them if that is so.

Yes, ideally pgAdmin, if you can otherwise lock down their machine and
prohibit any other software from being run as well as ensure their
credentials only are usable on that machine (both doable propositions I
daresay) would fill in the missing piece and provide a viewer-only option.
Or maybe just run it on a server where the local machine isn't accessible
to the user...

David J.

(p.s., this is the admin mailing list for the PostgreSQL server, not the
mailing list for the third-party pgAdmin product.  If you have a
requirement to use pgAdmin you may wish to converse with that team in their
own channels.)

--000000000000695cc606276357f2
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><div dir=3D"ltr"><div class=3D"gmail_default" style=3D"fon=
t-family:arial,helvetica,sans-serif"><span style=3D"font-family:Arial,Helve=
tica,sans-serif">On Wed, Nov 20, 2024 at 7:38=E2=80=AFPM Srini Genji &lt;<a=
 href=3D"mailto:srini.genji@gmail.com">srini.genji@gmail.com</a>&gt; wrote:=
</span></div></div><div class=3D"gmail_quote"><blockquote class=3D"gmail_qu=
ote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,20=
4);padding-left:1ex"><div dir=3D"auto"><br><div dir=3D"auto">This is coming=
 mainly from security to avoid users downloading huge datasets containing s=
ensitive data in to their machine</div><div dir=3D"auto"><br></div></div></=
blockquote><div><br></div><div class=3D"gmail_default" style=3D"font-family=
:arial,helvetica,sans-serif">I appreciate the desire here, and it isn&#39;t=
 unreasonable, but it is also technically nearly impossible.=C2=A0 If you h=
ave given a person credentials, network access, and the=C2=A0relevant datab=
ase permissions to see all of that data they will be able to make a copy of=
 it that you do not control.=C2=A0 While marginal improvements are possible=
, the cost of doing them (and available mitigations) discourages people fro=
m working on such patches in favor of other things.</div><div class=3D"gmai=
l_default" style=3D"font-family:arial,helvetica,sans-serif"><br></div><div =
class=3D"gmail_default" style=3D"font-family:arial,helvetica,sans-serif">If=
 this is a security risk you need to mitigate in PostgreSQL you probably ne=
ed to implement a solution where the=C2=A0user does not directly have crede=
ntials for the database, but asks some proxy to access the=C2=A0database on=
 their behalf (e.g., a webapp) and in that proxy you institute such policie=
s.=C2=A0 I feel like some tools and extensions in this area likely exist, t=
hough I am not personally familiar with any of them if that is so.</div><di=
v class=3D"gmail_default" style=3D"font-family:arial,helvetica,sans-serif">=
<br></div><div class=3D"gmail_default" style=3D"font-family:arial,helvetica=
,sans-serif">Yes, ideally pgAdmin, if you can otherwise lock down their mac=
hine and prohibit any other software from being run as well as ensure their=
 credentials only are usable on that machine (both doable propositions I da=
resay) would fill in the missing piece and provide a viewer-only option.=C2=
=A0 Or maybe just run it on a server where the local machine isn&#39;t acce=
ssible to the user...</div><div class=3D"gmail_default" style=3D"font-famil=
y:arial,helvetica,sans-serif"><br></div><div class=3D"gmail_default" style=
=3D"font-family:arial,helvetica,sans-serif">David J.</div><div class=3D"gma=
il_default" style=3D"font-family:arial,helvetica,sans-serif"><br></div><div=
 class=3D"gmail_default" style=3D"font-family:arial,helvetica,sans-serif">(=
p.s., this is the admin mailing list for the PostgreSQL server, not the mai=
ling list for the third-party pgAdmin product.=C2=A0 If you have a requirem=
ent to use pgAdmin you may wish to converse with that team in their own cha=
nnels.)</div></div></div>

--000000000000695cc606276357f2--