All geek questions in one place

Hide databases in an Amazon Redshift cluster from specific users

Is it possible to hide the existence and access to databases (including their schemas, tables, etc.) from certain users in Amazon Redshift . By default, it seems that each user can see other databases, even if he does not have permission to select data or any other (non-standard) privileges.

I tried

REVOKE ALL PRIVILEGES ON DATABASE testdb FROM testdbuser;

and a similar, but still testdbuser can connect to the testdb database and even see all other objects in its object browser in the SQL tool (here: Aginity Redshift Workbench).

Ideally, testdbuser will not be able to see anything else, except that it received explicitly granted access.

Note. testdbuser is not superuser.

Thanks!

+4
source share
2 answers

Try to revoke the PUBLIC group and specific user

REVOKE USAGE ON SCHEMA information_schema FROM PUBLIC;
REVOKE USAGE ON SCHEMA pg_catalog FROM PUBLIC;    -- This should suffice, but...
REVOKE SELECT ON TABLE pg_catalog.pg_database FROM PUBLIC;   -- just to be sure.

Please note that this may have an undesirable effect for all users in the selected database. You will need to do this in all databases, as the user can guess a different database name and see pg_catalog information there.

The user can still find all the databases using a brute force attack, simply by trying to switch or connect to all possible lines.

+4
source

Unfortunately, this is not possible today. Redshift does not support the REVOKE CONNECT FROM DATABASE command, so users can connect to any database.

Redshift PostgreSQL, , , , REVOKE... FROM SCHEMA REVOKE... FROM TABLE.

+3

Source: https://habr.com/ru/post/1525205/

More articles:


All Articles