i have this user in the database, this user only needs read permissions, here the permissions that has right now:
GRANT USAGE ON SCHEMA myschema TO "user";
GRANT SELECT ON TABLES TO "user";
GRANT USAGE, SELECT ON ALL SEQUENCES IN SCHEMA myschema to "user";
If the runs this query didn't show results, but if I use an admin-user show me results:
SELECT "tableA"."tableA_id", "tableA"."first_name", "tableA"."last_name", "brands"."brand_id" AS "brands.brand_id",
"brands->tableB"."door_id" AS "brands.tableB.door_id", "brands->tableB"."agent_id" AS "brands.tableB.agent_id",
"brands->tableB"."tableA_id" AS "brands.tableB.tableA_id", "brands->tableB"."brand_id" AS "brands.tableB.brand_id",
"brands->tableB"."relationship_type" AS "brands.tableB.relationship_type", "agents"."agent_id" AS "agents.agent_id",
"agents"."relationship_type" AS "agents.relationship_type"
FROM "myschema"."tableA" AS "tableA"
INNER JOIN ( "myschema"."tableB" AS "brands->tableB" INNER JOIN "myschema"."brand" AS "brands" ON "brands"."brand_id" = "brands->tableB"."brand_id") ON "tableA"."tableA_id" = "brands->tableB"."tableA_id" AND "brands"."brand_id" = 1
INNER JOIN "myschema"."tableB" AS "agents" ON "tableA"."tableA_id" = "agents"."tableA_id" AND "agents"."relationship_type" = 'Employee'
WHERE "tableA"."active" = true ORDER BY "tableA"."first_name" ASC;
Any idea which privileges are need it to check this data?
Regards
Missing permissions don't influence the query result, they cause "permission denied" errors. The exceptions I know are
queries on information_schema views, which only show objects on which you have permissions
row-level security
If anything, your question suggests that row-level security is at play here.
If you need a more detailed answer, you have to add details to the question.
Related
I am creating a permissions report that includes displaying the grantor.
For table level permission, I am using relacl field from pg_class.
However, some anomalies that are confusing me ....
I have 2 super users : sadmin & suser.
suser initially granted SELECT on a table to a group; the result in pg_class was thus :
{sadmin=arwdRxtD/sadmin,"group mygroup=r/suser"}
sadmin then granted INSERT on the table to the same group.
sadmin then became the 'grantor' in pg_class:
{sadmin=arwdRxtD/sadmin,"group mygroup=ar/sadmin"}
At this stage I thought that I'd confirm to myself that Redshift does not maintain the grantor of each permission, but does log the last acting.
However, something unexpected then happened....
I revoked all the above permissions,
checked this was reflected in relacl,
while logged in as suser, granted select again.
But Pg_class is showing the grantor as sadmin, not the logged in suser !?
{sadmin=arwdRxtD/sadmin,"group mygroup=r/sadmin"}
Double checked by using "Select current_user", and I am logged in as suser.
Can anyone shed light on what's going on please??
Thanks
Can a list of postgresql roles be generated that includes the role's timezone?
I've learned, and tested, that a psql session will take on the timezone of the role used at login. Of course we can alter a role to a particular time zone with:
# ALTER ROLE testUser SET timezone TO 'America/Chicago';
But exactly how can that information be accessed to produce a list so that all the roles can be checked? I've tried \du+, but that returns very limited information. Surprisingly (to me anyway) the information_schema doesn't seem to include the timezone values. Internet searches have so far not helped in this quest.
Where else can I try?
The settings of a role can be retrieved from pg_db_role_setting, it's an text[] array of <setting name>=<setting value>. So this needs an unnest() and a split_part() to get to the individual components. Furthermore, as a setting can be set for a specific database (see the IN DATABASE option for the ALTER ROLE command), we need to involve the databases from pg_database. We cross join them with all the roles from pg_authid. To also include settings that aren't bound to a database but are valid for all databases we UNION ALL an empty database with a zero OID to the list of databases. From that we can left join the role settings.
So the following will give you the value set for timezone for all databases (including the "all" or "none" database) and all roles or null if the timezone isn't set for a user in a database.
SELECT rol.rolname,
dat.datname,
split_part(kvp.kvp, '=', 2) timezone
FROM pg_authid rol
CROSS JOIN (SELECT dat.oid,
dat.datname
FROM pg_database dat
UNION ALL
SELECT 0::oid oid,
'' datname) dat
LEFT JOIN pg_db_role_setting set
ON set.setdatabase = dat.oid
AND set.setrole = rol.oid
LEFT JOIN LATERAL unnest(set.setconfig) kvp (kvp)
ON lower(split_part(kvp.kvp, '=', 1)) = 'timezone'
ORDER BY 1,
2;
Am trying to fetch information in Postgres equivalent to Oracle's user_role_privs.
select username,granted_role,admin_option from user_role_privs
I tried all the below views in Postgres but couldn't find the desired one
information_schema.role_table_grants
pg_roles;
pg_class;
pg_user
pg_catalog.pg_auth_members;
Can anyone suggest which view should be used to get username, granted_role and admin_option in Postgres?
You are looking for the pg_auth_members system catalog that contains relationships between roles (which feature as both users and groups in PostgreSQL).
To get the names of the users and roles, join with the pg_roles system catalog.
I have DB "test" in PostgreSql. I want to write sql to get owner my database.
You can find such things in the system catalog
SELECT d.datname as "Name",
pg_catalog.pg_get_userbyid(d.datdba) as "Owner"
FROM pg_catalog.pg_database d
WHERE d.datname = 'database_name'
ORDER BY 1;
If you use the psql command-line tool, you can simply use \l
You can use the combination of pg_database, pg_users system tables and current_database() function in this way:
SELECT u.usename
FROM pg_database d
JOIN pg_user u ON (d.datdba = u.usesysid)
WHERE d.datname = (SELECT current_database());
can just cast the role OID with magic ::regrole to give the role name of owner:
SELECT datdba::regrole FROM pg_database WHERE datname = 'test' ;
This work with database owned by group role:
SELECT
U.rolname
,D.datname
FROM
pg_roles AS U JOIN pg_database AS D ON (D.datdba = U.oid)
WHERE
D.datname = current_database();
Using pg_authid (as I did in my previous version) instead of pg_roles is limited to SuperUser because it holds password (see documentation):
Since this catalog contains passwords, it must not be publicly
readable. pg_roles is a publicly readable view on pg_authid that
blanks out the password field.
The follwing query displays info for all tables in the public schema:
select t.table_name, t.table_type, c.relname, c.relowner, u.usename
from information_schema.tables t
join pg_catalog.pg_class c on (t.table_name = c.relname)
join pg_catalog.pg_user u on (c.relowner = u.usesysid)
where t.table_schema='public';
source :http://cully.biz/2013/12/11/postgresql-getting-the-owner-of-tables/
Remember in SQL including postgres that you have a heirarchy within a given sql server instance: catalog/db > schema > tables
When looking for perms/metadata for within a catalog you want to look at information_schema
Example: information_schema.role_table_grants for table perms
Example: information_schema.role_usage_grants for SEQUENCE/schema perms
https://www.postgresql.org/docs/current/information-schema.html
For catalog/db-level config/meta, you need to look another level up in pg_catalog.
https://www.postgresql.org/docs/current/catalogs.html
Example:
SELECT dbs.datname, roles.rolname
FROM pg_catalog.pg_database dbs, pg_catalog.pg_roles roles
WHERE dbs.datdba = roles.oid;
pg_catalog.pg_database.datdba has ID of owner role.
pg_catalog.pg_roles.oid has ID of owner role (join)
pg_catalog.pg_roles.rolname has name/string of owner role
I am trying to revoke a database user's permissions and it seems that permissions can only be revoked by the user who granted them. There is thread here discussing the issue.
http://archives.postgresql.org/pgsql-bugs/2007-05/msg00234.php
The thread dates back to 2007 and I am not quite sure whether it is viewed as bug and whether that problem is still present in PostgreSQL 8.4 which I am using.
Is there a query or a view that can display that information? That way I can use set session authorization and revoke it.
PostgreSQL 8.4 is outdated. Check out the versioning policy for details. But since it is the standard behavior of SQL (as Tom Lane states in the linked discussion you provided), it's not likely to have changed.
Privileges are stored in the system catalog with the respective object. For instance, for a table:
SELECT n.nspname, c.relname, c.relacl
FROM pg_catalog.pg_class c
JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace
WHERE c.oid = 'myschema.mytbl'::regclass -- your tablename here
Would produce something like:
nspname | relname | relacl
----------+---------+---------------------------------------------
myschema | mytbl | {postgres=arwdDxt/postgres,fuser=r/fadmin}
The rolename after the slash is the grantor. To revoke, as user fadmin (or any superuser):
REVOKE SELECT ON TABLE myschema.mytbl FROM fuser;
There are similar *acl columns in other system tables. pg_namespace for schemas etc. See the list of system tables in the manual.
A simpler way would be to use pgAdmin and select an object in the object browser to the left. The ACL will be displayed in the properties pane, top right.