I have the following query to get the settings for max_running_jobs.
select *
from pg_settings
where name = 'cron.max_running_jobs';
I'm able to get the records from postgres user but not with the non-postgres user.
Any grant/permission I got missed?
by this REF: https://pgpedia.info/p/pg_settings.html
the permission should be:
GRANT SELECT, UPDATE ON pg_settings TO PUBLIC;
you can confirm it running:
SELECT grantee, string_agg(privilege_type, ', ') AS privileges
FROM information_schema.role_table_grants
WHERE table_name='pg_settings'
GROUP BY grantee;
Related
I am trying to grant permissions to a user within a role group, where are the steps that I did:
create the user: myuser
create the role group: read_only
grant read_only to myuser
grant select on all tables in schema public to read_only
alter default priviliges in schema public grant select on tables to read_only
after all the steps above, when I use myuser to query the tables, I got 'permission denied'. Anything I missed here?
Altering default privileges only affects new tables. You will want to grant the privileges on all existing tables by issuing the below in order for you to have permissions.
GRANT SELECT ON ALL TABLES IN SCHEMA public TO read_only;
I am using PostgreSQL 11.8 in AWS RDS and I created a user as below:
CREATE USER test WITH LOGIN;
GRANT rds_iam TO test;
the code runs success but I can't find the user test from:
SELECT * FROM information_schema.table_privileges where grantee='test';
it returns an empty result to me.
I am able to see that user by running
SELECT *FROM pg_catalog.pg_user where usename='test';.
Why can't I grant access to the user?
Your GRANT statement didn't grant a privilege on a table, it added the user to the role (“group”) rds_iam.
User test itself doesn't have any privileges on tables, it only inherits them.
information_schema.table_privileges will only show the privileges that were granted to a user, not the privileges inherited via role membership.
Your SQL command is correct. The problem is on the given role_name. You can get all users by executing the below command
SELECT *FROM pg_catalog.pg_user
Make sure the given role_name is in the listed role name in the PostgreSQL server. Below the command, you can get users with role
SELECT usename AS role_name,
CASE
WHEN usesuper AND usecreatedb THEN
CAST('superuser, create database' AS pg_catalog.text)
WHEN usesuper THEN
CAST('superuser' AS pg_catalog.text)
WHEN usecreatedb THEN
CAST('create database' AS pg_catalog.text)
ELSE
CAST('' AS pg_catalog.text)
END role_attributes
FROM pg_catalog.pg_user
ORDER BY role_name desc;
In PostgreSQL RDS I seen this behavior, where "information_schema.table_privileges" is not getting updated with privileges which granted to any user or role If the table owner is not "dbuser".
So I changed the table owner to "dbuser" immediately it's started showing all the grants which I granted to different users and roles. Not sure how the "Table owner" impacting "table_privileges" view.
I am working on postgresql ver 9.4.5. I am adding users to super user role(master) as below:
grant testuser1 to master;
grant testuser2 to master;
Now how to find out the list of users added to this role "master".Is there any specific system tables/views to query this ? I need to pass the role name 'maser' in the where clause.
Many Thanks
I have tried this and belwo query shows result correctly. Could someone confirm whether this query is correct ?
testdb= #grant testuser1 to master;
GRANT ROLE
testdb= #grant testuser2 to master;
GRANT ROLE
testdb= #grant testuser3 to master;
GRANT ROLE
SELECT rolname FROM pg_roles WHERE
pg_has_role( 'master', oid, 'member')
and rolname not in ( 'master')
rolname
----------------
testuser1
testuser2
testuser3
(3 rows)
Many Thanks,
Postgresql 9.1
I have a multi-tenant solution where one or more database are owned by a role (tenant).
When logging in as a superuser this works:
SELECT datname FROM pg_database
JOIN pg_authid ON pg_database.datdba = pg_authid.oid
WHERE rolname = current_user
But logging in as a tenant I get an error: permission denied for pg_autid
The tenant is created as this:
CREATE ROLE 'tenant1' WITH PASSWORD '12345' LOGIN
Strange the tenant1 could however see all other databases:
SELECT datname FROM pg_database
My questions are:
How do I list all databases belonging to a certain tenant in a safe way?
Is there a better way to make this multi-tenant solution safer?
I know that I can login as superuser, list the database for a tenant and then logging in as tenant. But I am searching for a simpler solution. Some data is obviously accessible as a restricted tenant as I can list all pg_database.
I have searched all archives but not finding any applicable solution.
Thanks in advance for any clue!
The function pg_get_userbyid() should be accessible to every user:
SELECT datname
FROM pg_database
WHERE pg_get_userbyid(datdba) = current_user
I am working with Redshift (which is based on PostgreSQL) and need to create a user that is restricted to a particular database schema. They also need to be locked out of the system views. I ran the following on the database cluster:
revoke create on schema information_schema from public
revoke usage on schema information_schema from public
revoke create on schema pg_catalog from public
revoke usage on schema pg_catalog from public
revoke create on schema public from public
revoke usage on schema public from public
Next, I create a user and run as that user:
SET SESSION AUTHORIZATION someUser
Then I try to access some system views:
select * from information_schema.tables
An error occurred when executing the SQL command:
select * from information_schema.tables
ERROR: permission denied for schema information_schema [SQL State=42501]
select * from pg_catalog.pg_user
An error occurred when executing the SQL command:
select * from pg_catalog.pg_user
ERROR: permission denied for schema pg_catalog [SQL State=42501]
So far so good -- the user cannot poke around in the system views.
But for some reason when I run the following it succeeds:
select * from pg_user
In other words, if the user tries to query pg_user without specifying the pg_catalog schema, they are able to see the users in the system.
Any ideas on how to prevent this?