HiveBrain v1.2.0
Get Started
← Back to all entries
patternsqlMinor

Only allow access to a table via a function, not directly via queries

Submitted by: @import:stackexchange-dba··
0
Viewed 0 times
functionallowviaaccessdirectlyqueriesnotonlytable

Problem

I have a table t and some functions which access t. For example:

create function list_t() returns setof t as $
    select * from t;
$ language sql stable;


Is it possible to define role permissions to only allow the execution of list_t(), while not allowing plain SELECT, UPDATE, DELETE and INSERT queries on t?

I tried the following:

grant execute on all functions in schema public to my_user;
revoke all on t from my_user;


While this indeed disallows SELECT * FROM t, it also disallows SELECT list_t().

Solution

You need to create the function as a user that has (select) access to the underlying table. Then define the function with the option security defined which means when the function is called, it operates with the privileges of the function owner, not the caller:

create function list_t() returns setof t 
  security definer
as $
    select * from t;
$ language sql stable;


Another way of doing this is to create a view, then grant SELECT privileges to the view (not the table):

create view v_t
as
select *
from t;

grant select on v_t to my_user;


Note that a set returning function should be used in the FROM clause like a table:

select *
from list_t();

Code Snippets

create function list_t() returns setof t 
  security definer
as $$
    select * from t;
$$ language sql stable;
create view v_t
as
select *
from t;

grant select on v_t to my_user;
select *
from list_t();

Context

StackExchange Database Administrators Q#218242, answer score: 6

Revisions (0)

No revisions yet.