Database design

Security in SQL: GRANT & REVOKE
• PostgreSQL privileges allow us to configure access to the database for different uses: each user can have specific privileges on specific relations.
• The important commands:
– GRANT: adds privileges.
– REVOKE: removes privileges.
• Privileges can be added to or removed from:
– user
– group
– public
• Syntax help in psql: \h GRANT or \h REVOKE
What can we do?
dropdb pruebas
createdb pruebas
----------
CREATE TABLE test
(nombre char(30),
direccion char(30));
\dp test -- \dp checks permissions
------------
pruebas=> \dp test
Access privileges for database "pruebas"
Schema | Table | Access privileges
--------+-------+-------------------
public | test | {=,ruth=arwdRxt}
(1 row)
-------------
create user otroyo; (from inside psql)
psql -U otroyo pruebas
INSERT INTO test VALUES ('cualquiercosa','Mayor');
What can we do?
pruebas=> \dp test
Access privileges for database "pruebas"
Schema | Table | Access privileges
--------+-------+----------------------------
public | test | {=,ruth=arwdRxt,otroyo=aw}
(1 row)
GRANT INSERT ON test TO otroyo;
psql -U otroyo pruebas (as otroyo)
INSERT INTO test VALUES ('cualquiercosa','Mayor');
UPDATE test SET direccion='qwerty';
DELETE FROM test;
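Added example (not part of the original slides): a small decoder for the "Access privileges" column that \dp prints, applied to the two ACL strings shown above to see what otroyo may do before and after the grants. The function names parse_acl and allowed are hypothetical; the letter meanings are PostgreSQL's table-level ACL abbreviations.

```python
# Added example: decode the "Access privileges" column printed by \dp.
# Table-level ACL letters used by PostgreSQL (R = RULE appears only in older
# releases such as the one on these slides; D = TRUNCATE only in newer ones).
ACL_LETTERS = {
    "r": "SELECT", "w": "UPDATE", "a": "INSERT", "d": "DELETE",
    "R": "RULE", "x": "REFERENCES", "t": "TRIGGER", "D": "TRUNCATE",
}

def parse_acl(acl):
    """Map each grantee in '{=,ruth=arwdRxt}' to its set of privilege names.

    An entry with an empty grantee name (the bare '=') stands for PUBLIC.
    """
    grants = {}
    body = acl.strip().strip("{}")
    for item in filter(None, body.split(",")):
        grantee, _, rest = item.partition("=")
        letters = rest.split("/", 1)[0]      # newer servers append '/grantor'
        privs = set()
        for ch in letters:
            if ch == "*":                    # '*' marks WITH GRANT OPTION
                continue
            if ch not in ACL_LETTERS:
                raise ValueError(f"unknown privilege letter {ch!r} in {item!r}")
            privs.add(ACL_LETTERS[ch])
        grants[grantee or "PUBLIC"] = privs
    return grants

def allowed(acl, user, privilege):
    """True if `user` holds `privilege` directly or through PUBLIC."""
    grants = parse_acl(acl)
    return privilege in grants.get(user, set()) | grants.get("PUBLIC", set())

# The two ACL strings shown by \dp on these slides
BEFORE = "{=,ruth=arwdRxt}"
AFTER = "{=,ruth=arwdRxt,otroyo=aw}"

if __name__ == "__main__":
    for label, acl in (("before", BEFORE), ("after", AFTER)):
        for priv in ("INSERT", "UPDATE", "DELETE"):
            verdict = "allowed" if allowed(acl, "otroyo", priv) else "denied"
            print(f"{label}: otroyo {priv} -> {verdict}")
```

The decoder reads only the ACL entries; the table owner and superusers are not subject to these checks.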
Adding privileges
• GRANT syntax:
grant <privilege/s>
on <relation/view> to <users>
• <users>:
– A specific user
– public (any user)
– (roles, groups: not implemented in PostgreSQL)
• Granting privileges on a view does not grant privileges on the relations it references.
The privileges
• select: allows queries on the named relation or view
– Example: to allow users U1, U2, and U3 to use select on relation account:
grant select on account to U1, U2, U3
• insert
• update
• delete
• references
• usage: allows creating domains
• all privileges
Removing privileges
• REVOKE syntax:
revoke <privilege/s>
on <relation/view> from <users> [restrict|cascade]
• Example:
revoke select on account from U1, U2, U3 cascade
• Revoking privileges from a user can cause other users to lose those privileges, too: revoke/restrict.
• When a privilege is granted twice (by two users), it has to be revoked twice, too.
REVOKE INSERT ON test FROM otroyo;
REVOKE UPDATE ON test FROM otroyo;
Limitation
• SQL cannot grant privileges on individual tuples.
• Security is mostly managed by a program:
– OK: it becomes possible to have privileges on tuples
– Caution: security then depends on the quality of the code