[Babase] creating tables in sandbox

Karl O. Pinc kop at meme.com
Fri Oct 19 12:03:14 EDT 2007


Ugh.  Sorry for the delay.

On 10/17/2007 09:41:06 AM, kfenn wrote:
> Hi Karl,
> 
> Laurence and I need to exchange some tables built from queries tables  
> with undergrads.  These undergrads have their own schemas and are  
> babase users.  Laurence has tried to put tables into the sandbox but  
> she can't because babase_readers aren't allowed to create in the  
> sandbox.  Is there a reason the privileges were set this way?

The idea was that the babase_editors would have control over
the sandbox so that we always knew what was in it, so that it did
not grow out of control.  So, you guys would create tables in
the sandbox and grant privileges on an as-needed basis, either
to particular users or to groups.	 

For this to work the user needs to grant you (or better yet,
the babase_editors group) SELECT privileges to the particular
table they want moved into the sandbox schema.
(GRANT SELECT ON TABLE foo TO babase_editors;)
Then you can do a SELECT INTO to move the table and its contents
into the sandbox schema.

The user's going to have to do a GRANT anyway, because otherwise
only the user who creates the table will be able to use it.
(For that reason after you move the table into the sandbox
you'll need to grant appropriate permissions, but the theory is
that you know more about who should have what permissions than
the regular users do.)

Security is a pain, but is better than no security.

> 
> I talked to Lacey about this.  We thought the sandbox was a place to  
> exchange information so any babase user should be able to create a  
> table in the sandbox and export a table from the sandbox to their own  
> schema for further manipulation.  Is this correct and can we change  
> the privileges to make this happen?

We can change it.  I'd still be worried that cruft would accumulate
until we don't know what's what and we can't get rid of anything.
(See the temp directory in foxpro.)

> 
> Also is there a way to set editing privileges in the sandbox, or can  
> we only specify CREATE and USAGE...?

Read and write privileges must be granted on a per-table basis.
http://www.postgresql.org/docs/8.1/static/sql-grant.html

Karl <kop at meme.com>
Free Software:  "You don't pay back, you pay forward."
                  -- Robert A. Heinlein
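
The workflow described in the message above, written out as an added example that is not part of the original e-mail. It assumes the sandbox schema is named `sandbox` and that `babase_editors` and `babase_readers` are roles; the schema `student1`, the user `student2` and the table `foo` are hypothetical names.

```sql
-- Step 1: run by the table's owner (hypothetical user schema "student1").
-- The table-level grant alone is not enough: the editors also need USAGE
-- on the owner's schema before they can reference anything inside it.
GRANT USAGE ON SCHEMA student1 TO babase_editors;
GRANT SELECT ON TABLE student1.foo TO babase_editors;

-- Step 2: run by a member of babase_editors, who holds CREATE on the sandbox.
BEGIN;

-- SELECT INTO copies the rows into a new table owned by the editor.
-- Indexes, constraints and grants on the original are not carried over,
-- and the original table is left in place in student1.
SELECT * INTO sandbox.foo FROM student1.foo;

-- The new table starts out usable only by its owner, so access is
-- granted table by table, to a group or to a particular user.
GRANT SELECT ON TABLE sandbox.foo TO babase_readers;
GRANT INSERT, UPDATE, DELETE ON TABLE sandbox.foo TO student2;

COMMIT;

-- Step 3: checks an editor can run afterwards.
-- Confirm a user has exactly the access that was intended.
SELECT has_table_privilege('student2', 'sandbox.foo', 'UPDATE') AS student2_can_update,
       has_table_privilege('student1', 'sandbox.foo', 'UPDATE') AS student1_can_update;

-- List what is in the sandbox and who owns it, to keep cruft from accumulating.
SELECT schemaname, tablename, tableowner
  FROM pg_tables
 WHERE schemaname = 'sandbox'
 ORDER BY tablename;
```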


