I have created a user as
create user dummy_role;
REVOKE SELECT ON "dispute_data" FROM dummy_role;
But when I am trying to query with select, it is working perfectly fine
set role dummy_role;
select * from dispute_data;
what am I missing here?
You cannot explicitly deny a user a privilege.
The user is newly created, so it does not yet have any privileges on the table. The attempt to revoke the privileges that were never granted is a no-operation. Since your user is not yet a member of any role, the privilege must have been granted to PUBLIC. To revoke that, try
REVOKE SELECT ON dispute_data FROM PUBLIC;
That will deny the privilege from all other users as well, unless they were explicitly granted that privilege.
Related
I created a new user and gave read-only access to the user for all the schemas with:
alter default privileges grant select on tables to the user;
Initially, the user had access but when the table was recreated the access automatically declined.
Why is this happening?
How you are giving permission? Group level or User level.
Try below GRANT USAGE
For Group level
GRANT USAGE ON SCHEMA 'SCHEMA_NAMES' TO GROUP Group_name;
For User level
GRANT USAGE ON SCHEMA 'SCHEMA_NAMES' TO USER User_name;
I'm coming to postgreSQL with a SQL Server background and was naively applying the same concepts to postgreSQL in order to allow different users to share 'by default' some objects within a database.
This is what I did:
CREATE DATABASE testdb;
CREATE ROLE testdb_role_full INHERIT;
GRANT ALL PRIVILEGES ON DATABASE testdb TO testdb_role_full;
CREATE USER user1 INHERIT;
GRANT testdb_role_full TO user1;
CREATE USER user2 INHERIT;
GRANT testdb_role_full TO user2;
Once done, I created a table t1 using the user1.
Then, I tried, as user2, to read the t1 table and I received a "permission denied error"... :-(
By reading the documentation, it seems that I have to issue a SET ROLE testdb_role_full first so as to act as the testdb_role_full.
However, this is not really that I want. I do not want the user to be aware of this.
So my question:
Is there any way to make this work?
Thanks a lot,
José
You've granted some privileges on the database, but that doesn't mean any user with the role testdb_role_full would have all privileges on all objects inside that database. To quote from the documentation:
When an object is created, it is assigned an owner. The owner is normally the role that executed the creation statement. For most kinds of objects, the initial state is that only the owner (or a superuser) can do anything with the object. To allow other roles to use it, privileges must be granted.
So after the user1 created the table t1, he is the owner and only he has the privileges on it. He would need to run
GRANT ALL PRIVILEGES ON TABLE t1 TO testdb_role_full;
then user2 would be able to access it as well (without having to switch any roles - that's only necessary when it has the NOINHERIT attribute on the role).
If you don't want your users to have to execute GRANT each time they create a new object in the database, you can alter the default privileges that will be applied whenever an object is created by user2:
ALTER DEFAULT PRIVILEGES FOR user2
GRANT ALL PRIVILEGES ON TABLES TO testdb_role_full;
Notice these specify the initial value only, and user2 could revoke the privileges on his tables if he wanted to prevent others from seeing them.
I have a database with a template_schema.I cloned this template schema and created a database user with password. I need to provide access to cloned schema only, for the created user.
SELECT clone_schema('my_template_schema','john_smith_gmail_com');
CREATE USER john_smith_gmail_com WITH PASSWORD 'mypassword';
Upto this Ok. Then I need to grant access to this user for this cloned schema(john_smith_gmail_com) only
Method :1
I tried to revoke all privileges on all tables of cloned schema(john_smith_gmail_com) for the user and grant select to the user. But my question is, can this user get SELECT access on other schema tables?
REVOKE ALL ON ALL TABLES IN SCHEMA john_smith_gmail_com FROM john_smith_gmail_com;
GRANT SELECT ON ALL TABLES IN SCHEMA john_smith_gmail_com TO john_smith_gmail_com;
Method :2
Create a role with only SELECT access and assign or grant this role to newly created user. If I do this, for which schema I grant access,because I clone schema dynamically?
Which method is best one?
From postgresql version 9.0 and forward, the best way is probably to use ALTER DEFAULT PRIVILEGES.
...the default privileges for any object type normally grant all grantable permissions to the object owner, and may grant some privileges to PUBLIC as well. However, this behavior can be changed by altering the global default privileges with ALTER DEFAULT PRIVILEGES.
So if all users like "john_smith_gmail_com" should only have SELECT access to tables in "their own" schema, after creating the schema and user, you can run:
ALTER DEFAULT PRIVILEGES IN SCHEMA john_smith_gmail_com GRANT SELECT ON TABLES TO john_smith_gmail_com;
How to forbid non superusers to see other users in postgresql server?
ex. If currently logged in user is not a superuser then the result from
SELECT * from pg_roles;
or
\du
should be only rows with his role
You can revoke access to the authentication IDs table in the system catalogs:
REVOKE SELECT ON pg_catalog.pg_authid FROM public;
REVOKE SELECT ON pg_catalog.pg_auth_members FROM public;
Note that revoking access to pg_roles is not sufficient, as pg_roles is just a view over pg_authid and it's trivial to run the view query manually or define a new view with the same query. The information_schema views also use pg_authid directly and are unaffected by revoking access to pg_roles. It is not necessary to revoke access to pg_roles if you've revoked access to pg_authid.
Be aware that revoking access to global tables is still a per-database operation.
Revoking access to system catalogs may have side effects, including:
Some system functions not working as expected
Some metadata operations in tools like the JDBC driver failing
... etc
and is not generally considered supported.
revoke select on pg_roles from public;
I have been looking for this for years and I have tried everything on the web with no success.
I am able to do it in MSSQL, but I didn´t find a way to do it in PostgreSQL.
What I want to achieve is just create a role with login that cannot create, drop or alter databases, functions, tables or anything else. Just select specific functions.
For example, if I have a table called costumer and two functions called return_customers() and return_time() I just want a role with login that are able to select return_customers() and select return_time(). Nothing more than that.
Thank you very much for supporting this useful web site!
Execute this connected to the database you want to configure.
-- Create the user.
CREATE ROLE somebody WITH LOGIN PASSWORD '...';
-- Prevent all authenticated users from being able to use the database,
-- unless they have been explicitly granted permission.
REVOKE ALL PRIVILEGES ON DATABASE foo FROM PUBLIC;
REVOKE ALL PRIVILEGES ON ALL TABLES IN SCHEMA public FROM PUBLIC;
REVOKE ALL PRIVILEGES ON ALL FUNCTIONS IN SCHEMA public FROM PUBLIC;
REVOKE ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA public FROM PUBLIC;
-- Allow the user to only use the specified functions.
GRANT CONNECT ON DATABASE foo TO somebody;
GRANT EXECUTE ON FUNCTION return_customers(), return_time() TO somebody;
If you have more schemas than "public" then you will need to add those to the two REVOKE ALL PRIVILEGES ON ALL ... statements.
Do not forget that the functions must have been created with SECURITY DEFINER or this user will still be unable to execute them, as the contents of the function will be executed with the permissions of this user, instead of the user who created the function.
See:
CREATE FUNCTION particularly SECURITY DEFINER
GRANT both for adding users to roles and for assigning access rights to tables, sequences, etc
REVOKE
CREATE ROLE