对某些用户隐藏Amazon Redshift集群中的数据库 [英] Hide databases in Amazon Redshift cluster from certain users

问题描述

是否可以在Amazon Redshift 中隐藏某些用户的数据库的存在和访问权限(包括其模式，表等). 默认情况下，似乎每个用户都可以看到其他数据库，即使他没有选择数据的权限或任何其他(非默认)特权.

Is it possible to hide the existence of and access to databases (incl. their schemas, tables etc) from certain users within Amazon Redshift. By default, it seems like every user is able to see other DBs even though he doesnt have permission to select data nor any other (non-default) privileges.

我尝试了

REVOKE ALL PRIVILEGES ON DATABASE testdb FROM testdbuser;

和类似但仍然可以运行的testdbuser可以连接到testdb数据库，甚至可以通过SQL工具(在这里:Aginity Redshift Workbench)在其对象浏览器中查看所有其他对象.

and similar but still testdbuser can connect to the testdb DB and even see all other objects in his object browser in a SQL tool (here: Aginity Redshift Workbench).

理想情况下，除了他被明确授予访问权限的内容外，testdbuser将无法看到其他任何内容.

Ideally, testdbuser would not be able to see anything else except what he got explicitly granted access to.

请注意，testdbuser不是超级用户.

Note, testdbuser is not a superuser.

谢谢！

推荐答案

尝试从PUBLIC组撤消对特定用户的请求

Try to revoke from the PUBLIC group vs the specific user

REVOKE USAGE ON SCHEMA information_schema FROM PUBLIC;
REVOKE USAGE ON SCHEMA pg_catalog FROM PUBLIC;    -- This should suffice, but...
REVOKE SELECT ON TABLE pg_catalog.pg_database FROM PUBLIC;   -- just to be sure.

请注意，这可能会对所选数据库中的所有用户产生不良影响. 您将需要在所有数据库上执行此操作，因为用户可以猜测另一个数据库名称，并在那里查看pg_catalog信息.

Note that this could have an undesirable effect on all users within the selected database. You will need to do this on all databases, since the user can guess another database name and see pg_catalog information there.

仅通过尝试切换或连接到所有可能的字符串，用户仍然可以通过蛮力攻击找到所有数据库.

The user could still find all the databases via a brute force attack simply by trying to switch or connect to all possible strings.

这篇关于对某些用户隐藏Amazon Redshift集群中的数据库的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！