Create a VIEW
as superuser or some trusted role:
CREATE VIEW onerow AS SELECT 'bar' AS foo; -- defaults to type text
GRANT SELECT ON onerow TO public;
The creator is the owner. Or:
ALTER VIEW onerow OWNER TO postgres; -- or to a trusted role
Everybody can SELECT
from it like from any other table.
Nobody can add or remove rows from a VIEW
- or even change anything at all with DDL commands.
Only DML commands can change it, and only the owner or superusers are allowed to do so:
CREATE OR REPLACE VIEW onerow AS
SELECT 'bar1' AS foo;
Remember that, ultimately, a motivated superuser can do anything.
On an extremely busy system, the exclusive lock taken by CREATE OR REPLACE VIEW
might be a problem. That's the only possible problem with this solution I can think of.
Alternatively, consider this closely related answer to allow at most one row:
You might do that and (as superuser):
ALTER TABLE onerow OWNER TO postgres;
REVOKE ALL ON onerow FROM public;
GRANT SELECT ON onerow TO public;
Superusers can still DELETE
or TRUNCATE
. You can prevent that, too, with a TRIGGER
or RULE
...
Or you could add a general TRIGGER
with RETURN NULL
or a RULE
with DO INSTEAD NOTHING
for INSERT
and DELETE
...
One single value might alternatively be provided by a function or by a "global variable". See: