I start to use dblink on my postgreSQL 11 db and I have a problem with grant. I can create server and user mapping as superuser , but also I can delete this user mapping and server as usual user. I try to revoke grant from usual user by
revoke grant option for all on foreign server my_server from not_my_role;
but it didn't help. How can I do it right?
As it turned out, my colleague created user mapping for usual role when he researched postgres_fdw. Probably dblink and postgres_fdw have bond.
Related
what's the recommended way to provide readonly access to all databases in postgresql version 12.
I am using this found at How do you create a read-only user in PostgreSQL?
CREATE ROLE readaccess;
CREATE USER my_user_test WITH PASSWORD 'my_user_test';
GRANT readaccess TO my_user_test;
\c database_name;
-- need to connect to the database first on which we need to execute the below commands
GRANT CONNECT ON DATABASE database_name TO readaccess;
GRANT USAGE ON SCHEMA public TO readaccess;
GRANT SELECT ON ALL TABLES IN SCHEMA public TO readaccess;
-- Assign permissions to read all newly tables created in the future
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO readaccess;
But using this approach I need to individually connect to each database and provide the role read only access.
Is there a better approach to provide a read only access all existing databases at once?
Thanks.
is it possible to create PostgreSQL user so that he can connect and see only one specific database? So that he could only see one database (he couldn't see the others). Ideally, I could also set the visibility of the tables in the database.
I create user like this:
create user user with encrypted password 'password';
GRANT CONNECT ON DATABASE db TO user;
although I have given the user connect privilege to only one database, he can see all other databases :(
By default the connect privilege to every database is granted to the role public, so you need to run:
revoke connect on database ... from public;
for all other databases. Make sure you grant connect back to existing users.
Another option is to restrict connections for this specific user through pg_hba.conf
I have a postgres (11.7) instance on EC2 that I'm replicating to Postgres 11 on RDS. I started this yesterday but am noticing that no records seem to show up. I looked through the tables but none seem to have any data in them after 14hrs of replication.
I started replication like this:
On source:
CREATE ROLE replrds;
ALTER ROLE replrds WITH NOSUPERUSER INHERIT NOCREATEROLE NOCREATEDB LOGIN REPLICATION NOBYPASSRLS CONNECT PASSWORD 'xxxxx';
GRANT ALL PRIVILEGES ON DATABASE db_name to replrds;
GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO replrds;
CREATE PUBLICATION rds_pub FOR ALL TABLES;
On target: CREATE SUBSCRIPTION rds_subscription CONNECTION 'host=10.x.x.x port=5432 password=pw user=us dbname=db_name' PUBLICATION rds_pub;
On the master I see this in the logs:
2020-03-22 17:21:20.264 UTC,"replrds","db_name",4539,"10.x.x.x:40648",5e779e90.11bb,4,"COPY",2020-03-22 17:21:20 UTC,3/2292853,0,ERROR,42501,"permission denied for schema public",,,,,,"COPY public.tablea TO STDOUT",,,"rds_subscription_40974_sync_30288"
I feel like I've set up the permission correctly but not sure why I keep seeing this...
---------------EDIT--------------
So I got this to work by assigning superuser to the replrds user on the source, but I'm guessing this is way to permissive and not the right answer...I can't seem to figure out what permissions to grant this user...
I think the error message here is pretty diagnostic:
permission denied for schema public
By default your user should already have those permissions. Either you went out of your way to revoke them, or Aurora has departed from community PostgreSQL (If the later, the made it pretty hard to find it in the docs). In db_name, you could do:
GRANT USAGE on schema public to replrds;
created a postgresql instance on AWS with the username ziggy. I restored a database to that instance. however I cannot even select any of the tables
select * FROM mac_childcare_parcels
gives me ERROR: permission denied for relation mac_childcare_parcels
********** Error **********
the owner of that table belongs to the postgres login.
so i tried running this: grant all privileges on all tables in schema public to ziggy but since I am not a superuser I cannot give myself privileges so that throws a permissions error. what do I have to do to get access to the tables?
this does not work either
grant select on mac_childcare_parcels to ziggy
this query returns successful but does not let the login ziggy access the tables
GRANT USAGE ON SCHEMA public TO ziggy;
First login with superuser and provide all rds superuser access to the newly created user using a command like below
GRANT rds_superuser TO ziggy;
replace rds_superuser with your rds superuser.
You need to also GRANT USAGE on the SCHEMA, e.g.
GRANT USAGE ON SCHEMA public TO ziggy;
The superuser access is needed to run the access level queries. But as you said that access is not present then i would say copy the replica of the db which you have restored from backup and grant yourself as superuser.
then provide all needed access to any users.
I've just set up Postgres for use by different users on my network. Every user has his own username/password/database, but when I connect to Pg I can also see a 'postgres' database (and even create tables etc). I tried to REVOKE access to that database from public but then it won't let me connect. What exactly is the postgres database and why is it needed? Can I disable it so that users only see the database(s) I've created for them?
The postgres database is created by default when you run initdb.
Quote from the manual:
Creating a database cluster consists of creating the directories in which the database data will live (...) creating the template1 and postgres databases. When you later create a new database, everything in the template1 database is copied. (...) The postgres database is a default database meant for use by users, utilities and third party applications.
There is nothing special about it, and if you don't need it, you can drop it:
drop database postgres;
You need to do that as a superuser of course. The only downside of this is that when you run psql as the postgres operating system user, you need to explicitly provide a database name to connect to
If you drop the postgres database you'll find a few things to be confusing. Most tools default to using it as the default database to connect to, for one thing. Also, anything run under the postgres user will by default expect to connect to the postgres database.
Rather than dropping it, REVOKE the default connect right to it.
REVOKE connect ON DATABASE postgres FROM public;
The superuser (usually postgres), and any users you explicitly grant rights to access the database can still use it as a convenience DB to connect to. But others can't.
To grant connect rights to a user, simply:
GRANT connect ON DATABASE postgres TO myuser;