public inbox for [email protected]  
From: David G. Johnston <[email protected]>
To: Dominique Devienne <[email protected]>
Cc: Tom Lane <[email protected]>
Cc: Laurenz Albe <[email protected]>
Cc: Adrian Klaver <[email protected]>
Cc: Igor Korot <[email protected]>
Cc: pgsql-generallists.postgresql.org <[email protected]>
Subject: Re: Fwd: Identify system databases
Date: Wed, 16 Apr 2025 08:25:12 -0700
Message-ID: <CAKFQuwZA7YRtHTdkLCVrVCQr2bns_p2C2rC558DyGYC49OQy+g@mail.gmail.com> (raw)
In-Reply-To: <CAFCRh--z-BzUJ3C9qj=YPHQYA-zwNdTm2wGC7D74-j2vdK1mOA@mail.gmail.com>

On Wed, Apr 16, 2025 at 8:07 AM Dominique Devienne <[email protected]>
wrote:

> On Wed, Apr 16, 2025 at 4:39 PM Tom Lane <[email protected]> wrote:
> > Laurenz Albe <[email protected]> writes:
> > > On Wed, 2025-04-16 at 10:09 +0200, Dominique Devienne wrote:
>
> So in a way, you guys are saying one should never REVOKE CONNECT ON
> DATABASE FROM PUBLIC?
>
> All my DBs are not PUBLIC-accessible.
> And inside my DBs, I try to revoke everything from PUBLIC
> (USAGE ON TYPES, EXECUTE ON ROUTINES).
> Nor do I use the public schema.
> And I never use the "built-in" postgres database.
> Basically I want all GRANTs to be explicit.
>
> Given the above, I'd want to not provide access to the postgres DB too.
>


> Yet have a way to discover which DBs I can connect to, from the "cluster
> only".
>

Kinda surprised you don't consider this a feature...give all of your
databases UUID names and ensure that non-superusers must be told the
databases they are allowed to connect to.

But feel free to work out a design and add it to the ToDo list for the v4
protocol.  The use case seems reasonable and doable (on the basis of the
replication protocol works).

https://wiki.postgresql.org/wiki/Todo#Wire_Protocol_Changes_.2F_v4_Protocol

David J.
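
Added example, not part of the original message: the explicit-grants setup described in the quoted text, followed by a catalog query that lists the databases the current role may connect to. The names app_db and app_reader are hypothetical, and the query has to be run from an existing session in some database, which is the gap the thread is about.

```sql
-- Constructed names: app_db (database) and app_reader (role) are assumptions.

-- 1. Remove the implicit CONNECT that PUBLIC gets on every new database,
--    including the built-in postgres database.
REVOKE CONNECT ON DATABASE app_db   FROM PUBLIC;
REVOKE CONNECT ON DATABASE postgres FROM PUBLIC;

-- 2. Grant CONNECT explicitly, role by role.
GRANT CONNECT ON DATABASE app_db TO app_reader;

-- 3. Inside app_db: drop the default PUBLIC privileges on the public schema,
--    and on types and routines that the current role creates from now on.
--    These must be global default privileges (no IN SCHEMA clause); a
--    per-schema default cannot take away a globally granted privilege.
REVOKE ALL ON SCHEMA public FROM PUBLIC;
ALTER DEFAULT PRIVILEGES REVOKE USAGE   ON TYPES    FROM PUBLIC;
ALTER DEFAULT PRIVILEGES REVOKE EXECUTE ON ROUTINES FROM PUBLIC;

-- 4. Discovery: databases the current role holds CONNECT on.
--    pg_database is a shared catalog, so the result is the same from any
--    database in the cluster, but a session must already exist to ask.
SELECT d.datname
FROM   pg_database AS d
WHERE  d.datallowconn                       -- connections allowed at all
  AND  NOT d.datistemplate                  -- skip template databases
  AND  has_database_privilege(d.oid, 'CONNECT')
ORDER  BY d.datname;
```

has_database_privilege checks only the database ACL, so a database in the result can still be refused by pg_hba.conf, and superusers always pass the check.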

