I'm using AWS RDS (PostgreSQL) for our databases. I connected to the RDS instance with the master account. Created a new role for the databases.
CREATE USER myuser with password 'xxxx'
GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO myuser WITH GRANT OPTION
However, it still shows that this new role do not have permissions on the tables under the public schema.
I also tried the "Grant All" bottom on the right hand side and save. It ran successfully but still show empty boxes.
Does anyone can tell me what's wrong on my settings?
Related
In Cloud SQL Postgres, where superuser permissions are not accessible, how can I prevent a new user from creating tables?
I know that REVOKE CREATE ON SCHEMA public FROM public works, but this seem to require superuser permissions, as I get a WARNING: no privileges could be revoked for "public" error.
You have to run that statement as the user who owns public.
I have a postgres (11.7) instance on EC2 that I'm replicating to Postgres 11 on RDS. I started this yesterday but am noticing that no records seem to show up. I looked through the tables but none seem to have any data in them after 14hrs of replication.
I started replication like this:
On source:
CREATE ROLE replrds;
ALTER ROLE replrds WITH NOSUPERUSER INHERIT NOCREATEROLE NOCREATEDB LOGIN REPLICATION NOBYPASSRLS CONNECT PASSWORD 'xxxxx';
GRANT ALL PRIVILEGES ON DATABASE db_name to replrds;
GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO replrds;
CREATE PUBLICATION rds_pub FOR ALL TABLES;
On target: CREATE SUBSCRIPTION rds_subscription CONNECTION 'host=10.x.x.x port=5432 password=pw user=us dbname=db_name' PUBLICATION rds_pub;
On the master I see this in the logs:
2020-03-22 17:21:20.264 UTC,"replrds","db_name",4539,"10.x.x.x:40648",5e779e90.11bb,4,"COPY",2020-03-22 17:21:20 UTC,3/2292853,0,ERROR,42501,"permission denied for schema public",,,,,,"COPY public.tablea TO STDOUT",,,"rds_subscription_40974_sync_30288"
I feel like I've set up the permission correctly but not sure why I keep seeing this...
---------------EDIT--------------
So I got this to work by assigning superuser to the replrds user on the source, but I'm guessing this is way to permissive and not the right answer...I can't seem to figure out what permissions to grant this user...
I think the error message here is pretty diagnostic:
permission denied for schema public
By default your user should already have those permissions. Either you went out of your way to revoke them, or Aurora has departed from community PostgreSQL (If the later, the made it pretty hard to find it in the docs). In db_name, you could do:
GRANT USAGE on schema public to replrds;
I'm using CloudSQL Postgres 11 on GCP, and I've got a few questions around permissions and grants. I'm just not getting it at the moment, being very new to postgres.
I have a user, pgadmin which is a superuser. With this user I can connect to the instance and create a database called 'sandbox' for example.
I then have an app role which is defined as follows:
CREATE ROLE app;
GRANT CONNECT ON DATABASE <database name> TO app;
GRANT USAGE, CREATE ON SCHEMA public TO app;
GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO app;
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL PRIVILEGES ON TABLES TO app;
GRANT USAGE ON ALL SEQUENCES IN SCHEMA public TO app;
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT USAGE ON SEQUENCES TO app;
I create a user called app_sandbox which I grant this role.
The app user then makes a db migration using flyway which creates 2 tables. That side of things is fine.
But with my superuser, pgadmin, I can't see these tables or query them even though this user owns the database and is a superuser. I've tried all sorts of grants. Feels like I'm missing something important because even if I true to create a readonly role with the pgadmin user I am unable to grant access to the underlying tables in the public schema of the database.
What am I missing?
Just because one user (=pgadmin) owns the database, does not mean that user also owns the tables created in that database. And because pgadmin doesn't own those tables, you can't access them when logged in as pgadmin
If the app user created the tables, they belong to that user, and only the app user can grant privileges on those tables to other users.
created a postgresql instance on AWS with the username ziggy. I restored a database to that instance. however I cannot even select any of the tables
select * FROM mac_childcare_parcels
gives me ERROR: permission denied for relation mac_childcare_parcels
********** Error **********
the owner of that table belongs to the postgres login.
so i tried running this: grant all privileges on all tables in schema public to ziggy but since I am not a superuser I cannot give myself privileges so that throws a permissions error. what do I have to do to get access to the tables?
this does not work either
grant select on mac_childcare_parcels to ziggy
this query returns successful but does not let the login ziggy access the tables
GRANT USAGE ON SCHEMA public TO ziggy;
First login with superuser and provide all rds superuser access to the newly created user using a command like below
GRANT rds_superuser TO ziggy;
replace rds_superuser with your rds superuser.
You need to also GRANT USAGE on the SCHEMA, e.g.
GRANT USAGE ON SCHEMA public TO ziggy;
The superuser access is needed to run the access level queries. But as you said that access is not present then i would say copy the replica of the db which you have restored from backup and grant yourself as superuser.
then provide all needed access to any users.
I'm still getting used to the concept of roles in Postgres.
I'm trying to create a role, migrator, that will have the ability to read from a production db and use it as a template to make stage and dev databases.
I've created this role migrator originally like so:
CREATE ROLE migrator LOGIN ENCRYPTED PASSWORD '<password>'
and proceeded to restrict access to the prod database:
REVOKE ALL ON DATABASE prod FROM PUBLIC;
GRANT CONNECT ON DATABASE prod TO migrator;
/* switch to prod database */
GRANT USAGE ON SCHEMA public TO migrator;
GRANT SELECT ON ALL TABLES IN SCHEMA public TO migrator;
GRANT SELECT ON ALL SEQUENCES IN SCHEMA public TO migrator;
After trying a CREATE DATABASE stage TEMPLATE prod; and getting an error, I had to alter the role to create a db:
ALTER ROLE migrator CREATEDB;
and tried again. This time I got the error:
ERROR: permission denied to copy database "prod"
And again, I tried to add the replication permission to the migrator role (not sure if this is correct, as the manual says this is a very elevated permission)
ALTER ROLE migrator REPLICATION;
however, I still get the same error.
UPDATE: I've figured out that this has something to do with who owns the database; however, my problem remains. How can I allow another role with just READ privileges the ability to copy a database as well? I looked at role inheritance, but at first glance it looks like the inheriting role will just get the same permissions as the parent role.
It's not possible to copy a database unless the logged-in role is an owner or the database is flagged as a template:
datistemplate can be set to indicate that a database is intended as a template for CREATE DATABASE. If this flag is set, the database can be cloned by any user with CREATEDB privileges; if it is not set, only superusers and the owner of the database can clone it.