Reputation: 1539
Allow only postgres user list roles
How to forbid non superusers to see other users in postgresql server?
ex. If currently logged in user is not a superuser then the result from
SELECT * from pg_roles;
or
\du
should be only rows with his role
Upvotes: 2
Views: 2279
Answers (2)
Reputation: 324721
You can revoke access to the authentication IDs table in the system catalogs:
REVOKE SELECT ON pg_catalog.pg_authid FROM public;
REVOKE SELECT ON pg_catalog.pg_auth_members FROM public;
Note that revoking access to pg_roles is not sufficient, as pg_roles is just a view over pg_authid and it's trivial to run the view query manually or define a new view with the same query. The information_schema views also use pg_authid directly and are unaffected by revoking access to pg_roles. It is not necessary to revoke access to pg_roles if you've revoked access to pg_authid.
Be aware that revoking access to global tables is still a per-database operation.
Revoking access to system catalogs may have side effects, including:
- Some system functions not working as expected
- Some metadata operations in tools like the JDBC driver failing
- ... etc
and is not generally considered supported.
Upvotes: 4
Related Questions
- Create roles and users only in a certain database and not in the default postgres database
- Restrict user privileges to one particular database only
- Restrict access to creating users on PostgreSQL
- postgreSQL: How to use ROLE to allow full access to all users part of a given role (without using SET ROLE prior accessing a table for instance)
- Need help to strictly specify an ingester role with PostgreSQL
- postgres 9.6 set give user privileges to database
- Is it possible to completely disable PostgreSQL roles, users, permissions etc
- Locking down Public Group Role in PostgreSQL
- Revoke access to postgres database for a role
- Disable all operations (inluding listing with psql -l) on not owned databases for a role?