Received: from malur.postgresql.org ([217.196.149.56])
	by arkaria.postgresql.org with esmtps  (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.94.2)
	(envelope-from <pgsql-general-owner+archive@lists.postgresql.org>)
	id 1s2Pg2-002lgC-Q1
	for pgsql-general@arkaria.postgresql.org; Thu, 02 May 2024 06:12:18 +0000
Received: from localhost ([127.0.0.1] helo=malur.postgresql.org)
	by malur.postgresql.org with esmtp (Exim 4.94.2)
	(envelope-from <pgsql-general-owner+archive@lists.postgresql.org>)
	id 1s2Pg0-00G2Rq-8j
	for pgsql-general@arkaria.postgresql.org; Thu, 02 May 2024 06:12:17 +0000
Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29])
	by malur.postgresql.org with esmtps  (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.94.2)
	(envelope-from <kashi.zeeshan@gmail.com>)
	id 1s2Pfz-00G2Rh-UC
	for pgsql-general@lists.postgresql.org; Thu, 02 May 2024 06:12:16 +0000
Received: from mail-vs1-xe33.google.com ([2607:f8b0:4864:20::e33])
	by magus.postgresql.org with esmtps  (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
	(Exim 4.94.2)
	(envelope-from <kashi.zeeshan@gmail.com>)
	id 1s2Pfu-0017kT-5b
	for pgsql-general@lists.postgresql.org; Thu, 02 May 2024 06:12:16 +0000
Received: by mail-vs1-xe33.google.com with SMTP id ada2fe7eead31-47c1cf8a7d7so2123236137.0
        for <pgsql-general@lists.postgresql.org>; Wed, 01 May 2024 23:12:09 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20230601; t=1714630328; x=1715235128; darn=lists.postgresql.org;
        h=cc:to:subject:message-id:date:from:in-reply-to:references
         :mime-version:from:to:cc:subject:date:message-id:reply-to;
        bh=qJf9nx3BiSwwMimqGXSXnTMxmpEXHVZ0vYEHMgtTGIY=;
        b=RaHG/331jeLcqBkYNZt9QwEAijgKaGY7EuhTmtOL0ptXqo9J2V7BpcRvzVehZlou8P
         PdEPv21Y0NJRjxFu6Wi+Tfc5/djxsdZo68GwBSURntVTh0NIb3OXbDWky581eYzq8xHr
         dPsg3raOx1VsFNwNQqKy7JpHjtz459/Ug9/3h6oKuOtp8HiltKCTO7xZ9CNtanHVci/m
         /0hJkFfPjGc7InueKDbtlVpWcmM1/pM7TcsXf5pVj4+57HGcUu2VSiRWFVR7eL/skzrg
         4EniegT0BCyIUNswsz8gt2KXczX9cfjUqKq3Ka3T0CWtinYiz0Yh7S+qxIFLKLNWnSjf
         nX2A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1714630328; x=1715235128;
        h=cc:to:subject:message-id:date:from:in-reply-to:references
         :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id
         :reply-to;
        bh=qJf9nx3BiSwwMimqGXSXnTMxmpEXHVZ0vYEHMgtTGIY=;
        b=VLsagfFizrWbmk26ElxWwqoxqIXbRhV0d72DCsA2D1JIrLDYZ/CqOkSQEggG3PUSj3
         rBpkIzdSLnVzOKt3iYvPugMHpYuGzcJMlmUY/JfXffJjROoA+VVV3hATbYYUp1z6nn+c
         Bk5Vv7JwXoFUHzafLMlz+9U3FV5l4LCCzOzTMbpK/lzyaEt8e+cPHvrM753OSF6Vvj4b
         /kruUMXl2zyK2ePcmqjahAXz7i7Zgp7o8AtlMo23Mro6dZhn4KmPVv1sfezMovhVg9PN
         zzUbdRPCTtEw8fOTog+u7PZglhHcNElkl7q3u7HOny+W3O9zNpvkdsx7ZUJkKwNQlLZl
         2Xqg==
X-Gm-Message-State: AOJu0YwTDgfODFD0c3OYhC2ciIPLh+TRM1USGv8yn6TKlFx1M4SeulRr
	zzLXzXF/K9nKqZk3IguuupPEoby5rxn9gXyCX0ZXwIIgE5YFSlmLr2uDHsi/JVTL9/qPyljAZpe
	k0iARyQvpL+22eQAW24uDwVYoffg=
X-Google-Smtp-Source: AGHT+IE/d1BaE7iPowzCd+mPUw9wVSE+ZxzN7MHjoNEeZ4DFfjqUbORpA5MfN82oUVNHazDo+RcrVlHw5NyvpJzyv4Y=
X-Received: by 2002:a05:6122:2224:b0:4d4:2398:51a2 with SMTP id
 bb36-20020a056122222400b004d4239851a2mr897700vkb.8.1714630326906; Wed, 01 May
 2024 23:12:06 -0700 (PDT)
MIME-Version: 1.0
References: <CAFzdntvuzVvyj48V-bmo09ui8THtkMY-h5xaFqBOh5e_16nc3g@mail.gmail.com>
In-Reply-To: <CAFzdntvuzVvyj48V-bmo09ui8THtkMY-h5xaFqBOh5e_16nc3g@mail.gmail.com>
From: Kashif Zeeshan <kashi.zeeshan@gmail.com>
Date: Thu, 2 May 2024 11:11:55 +0500
Message-ID: <CAAPsdhcYUEnhx51Mq9DKkXve=Twg=n8cKMa95Lfjzy4H8_+jdQ@mail.gmail.com>
Subject: Re: Prevent users from executing pg_dump against tables
To: RAJAMOHAN <garajamohan@gmail.com>
Cc: pgsql-general@lists.postgresql.org
Content-Type: multipart/alternative; boundary="0000000000008e78510617727b36"
List-Id: <pgsql-general.lists.postgresql.org>
List-Help: <https://lists.postgresql.org/manage/>
List-Subscribe: <https://lists.postgresql.org/manage/>
List-Post: <mailto:pgsql-general@lists.postgresql.org>
List-Owner: <mailto:pgsql-general-owner@lists.postgresql.org>
List-Archive: <https://www.postgresql.org/list/pgsql-general>
Archived-At: <https://www.postgresql.org/message-id/CAAPsdhcYUEnhx51Mq9DKkXve%3DTwg%3Dn8cKMa95Lfjzy4H8_%2BjdQ%40mail.gmail.com>
Precedence: bulk

--0000000000008e78510617727b36
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

Hi RAJAMOHAN

There is not a direct way to restrict  a table not to be allowed to be
backed up by pg_dump.
But you can use the RLS (ROW LEVEL SECURITY) policy to restrict access.

Regards
Kashif Zeeshan
Bitnine Global

On Thu, May 2, 2024 at 10:47=E2=80=AFAM RAJAMOHAN <garajamohan@gmail.com> w=
rote:

> Hello all,
>
> In our production db infrastructure, we have one read_only role which has
> read privileges against all tables in schema A.
>
> We are planning to grant this role to some developers for viewing the
> data, but also I want to limit the users from executing statements like
> copy or using pg_dump. Main reason being I don't want the data to be copi=
ed
> from the database to their local machines.
>
> I tried by implementing triggers, but was not able to figure out a way to
> restrict the pg_dump and allow only select statements.
>
> Postgresql version - 12
> Ec2 based postgres database
>
> Is there a way to implement this? Please advise.
>
>
> Thanks & Regards,
> Rajamohan.J
> Devops Cloud Architect
> Email:garajamohan@gmail.com
>

--0000000000008e78510617727b36
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr">Hi=C2=A0RAJAMOHAN<div><br></div><div>There is not a direct=
=C2=A0way to restrict=C2=A0 a table not to be allowed to be backed up by pg=
_dump.</div><div>But you can use the RLS (ROW LEVEL SECURITY) policy to res=
trict=C2=A0access.</div><div><br></div><div>Regards</div><div>Kashif Zeesha=
n</div><div>Bitnine Global</div></div><br><div class=3D"gmail_quote"><div d=
ir=3D"ltr" class=3D"gmail_attr">On Thu, May 2, 2024 at 10:47=E2=80=AFAM RAJ=
AMOHAN &lt;<a href=3D"mailto:garajamohan@gmail.com">garajamohan@gmail.com</=
a>&gt; wrote:<br></div><blockquote class=3D"gmail_quote" style=3D"margin:0p=
x 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><d=
iv dir=3D"ltr"><div>Hello all,</div><div><br></div><div>In our production d=
b infrastructure, we have one read_only role which has read privileges agai=
nst all tables in schema A.</div><div><br></div><div>We are planning to gra=
nt this role to some developers for viewing the data, but also I want to li=
mit the users from executing statements like copy or using pg_dump. Main re=
ason being I don&#39;t want the data to be copied from the database to thei=
r local machines.</div><div><br></div><div>I tried by implementing triggers=
, but was not able to figure out a way to restrict the pg_dump and allow on=
ly select statements.</div><div><br></div><div>Postgresql version - 12</div=
><div>Ec2 based postgres database=C2=A0</div><div><br></div><div>Is there a=
 way to implement this? Please advise.</div><div><br></div><div><br></div><=
div><div dir=3D"ltr" class=3D"gmail_signature"><div dir=3D"ltr"><div dir=3D=
"ltr"><div>Thanks &amp; Regards,</div><div>Rajamohan.J</div><div>Devops Clo=
ud Architect</div><div>Email:<a href=3D"mailto:garajamohan@gmail.com" targe=
t=3D"_blank">garajamohan@gmail.com</a><br></div></div></div></div></div></d=
iv>
</blockquote></div>

--0000000000008e78510617727b36--