I created a user on my DB following these steps:
CREATE USER user WITH PASSWORD 'password';
GRANT CONNECT ON DATABASE my-database TO user;
GRANT USAGE ON SCHEMA public to user;
GRANT SELECT ON ALL TABLES IN SCHEMA public to user;
Now I'm trying to delete it but I keep receiving errors:
I'm doing the following:
REVOKE ALL PRIVILEGES ON ALL TABLES IN SCHEMA public FROM user;
For this I receive: ERROR: permission denied for relation accounts
REVOKE ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA public FROM user;
For this I receive: ERROR: permission denied for sequence accounts_user_id_seq
REVOKE ALL PRIVILEGES ON ALL FUNCTIONS IN SCHEMA public FROM user;
For this I receive:
WARNING: no privileges could be revoked for "uuid_nil"
WARNING: no privileges could be revoked for "uuid_ns_dns"
WARNING: no privileges could be revoked for "uuid_ns_url"
WARNING: no privileges could be revoked for "uuid_ns_oid"
WARNING: no privileges could be revoked for "uuid_ns_x500"
WARNING: no privileges could be revoked for "uuid_generate_v1"
WARNING: no privileges could be revoked for "uuid_generate_v1mc"
WARNING: no privileges could be revoked for "uuid_generate_v3"
WARNING: no privileges could be revoked for "uuid_generate_v4"
WARNING: no privileges could be revoked for "uuid_generate_v5"
And if I try DROP USER user;
ERROR: role "user" cannot be dropped because some objects depend on it
DETAIL: owner of table accounts
owner of sequence accounts_user_id_seq
privileges for table migrations
privileges for table attributes
privileges for table system_flags
privileges for table entity_flags
privileges for table audits
privileges for table users
I am totally blocked. I'll appreciate the help.
Related
pgadmin shows the default privilege for a schema was granted to an individual user and I need to revoke privilege granted from individual users.
ALTER DEFAULT PRIVILEGES IN SCHEMA a_schema
GRANT ALL ON TABLES TO a_user;
I try the following command but can't revoke the privilege.
ALTER DEFAULT PRIVILEGES IN SCHEMA a_schema
REVOKE ALL ON TABLES FROM a_user;
Can someone show me how to revoke the default privilege schema from user?
I am struggling with dropping a ready only user I created on one of the database in the cluster. I created a read only user using following script:
CREATE USER is_user_readonly WITH ENCRYPTED PASSWORD 'test1';
GRANT CONNECT ON DATABASE db1 to is_user_readonly;
GRANT USAGE ON SCHEMA public to is_user_readonly;
GRANT SELECT ON ALL SEQUENCES IN SCHEMA public TO is_user_readonly;
GRANT SELECT ON ALL TABLES IN SCHEMA public TO is_user_readonly;
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO is_user_readonly;
I logged in database db1 and created this user is_user_readonly. I logged in as admin. This user is created on all databases in the cluster.
Now, for dropping this user, I logged in db1 as admin and ran below scripts:
REVOKE ALL PRIVILEGES ON DATABASE db1 FROM is_user_readonly;
REVOKE ALL PRIVILEGES ON SCHEMA public FROM is_user_readonly;
REVOKE ALL PRIVILEGES ON ALL TABLES IN SCHEMA public FROM is_user_readonly;
REVOKE ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA public FROM is_user_readonly;
REVOKE USAGE ON SCHEMA public FROM is_user_readonly;
REVOKE CONNECT ON DATABASE db1 FROM is_user_readonly;
At this point I am really pulling out my hair that there is still some dependency.
SQL Error [2BP01]: ERROR: role "is_user_readonly" cannot be dropped because some objects depend on it
Detail: privileges for default privileges on new relations belonging to role isadmin in schema public
ERROR: role "is_user_readonly" cannot be dropped because some objects depend on it
Detail: privileges for default privileges on new relations belonging to role isadmin in schema public
ERROR: role "is_user_readonly" cannot be dropped because some objects depend on it
Detail: privileges for default privileges on new relations belonging to role isadmin in schema public.
Do I need to run the revoke script on all database in this cluster?
Any help is highly appreciated.
Revoke the default privileges:
ALTER DEFAULT PRIVILEGES FOR ROLE whatever IN SCHEMA public
REVOKE SELECT ON TABLES FROM is_user_readonly;
The role whatever here is the user you were logged in as when you ran the ALTER DEFAULT PRIVILEGES statement.
I'm trying to create a user with read-only permission in Postgres on AWS.
CREATE USER readonly_username WITH PASSWORD 'password';
GRANT USAGE ON SCHEMA public to readonly_username;
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO readonly_username;
After that i gave SELECT permission new tables:
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO readonly_username;
But when i try to give permission to existing tables i got an error:
GRANT SELECT ON ALL TABLES IN SCHEMA public TO readonly_username;
ERROR: permission denied for relation admin_log
Can anyone help me?
After running
db=> GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO userx;
WARNING: no privileges were granted for "pg_stat_statements"
GRANT
I tried to
drop trigger t_table on tablex;
I got this result
[42501] ERROR: must be owner of relation tablex
This is everything I ran to change my privileges:
GRANT CONNECT ON DATABASE dbx to userx;
GRANT USAGE ON SCHEMA public to userx;
GRANT ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA public TO userx;
GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO userx;
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL PRIVILEGES ON TABLES TO userx;
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL PRIVILEGES ON SEQUENCES TO userx;
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL PRIVILEGES ON FUNCTIONS TO userx;
What could I be possibly be missing? could WARNING: no privileges were granted for "pg_stat_statements" mean something or is it stopping at that table and not adding the privileges?
Like the error message says, only the table owner (and a superuser) can do that.
The TRIGGER privilege allows you to create a trigger on the table, but not to drop one.
Ownership is not a privilege you can grant; you have to use ALTER TABLE ... OWNER TO ... for that.
We granted third-party software access to our postgresql database. After billing dispute we have now cut ties with this company but cannot delete the user. We need to delete this user soon but can't figure out how to do it. Here's some of what we're seeing when we try to do it:
prod=> drop user evil_user;
ERROR: role "evil_user" cannot be dropped because some objects depend on it
DETAIL: owner of default privileges on new relations belonging to role evil_user
prod=> reassign owned by evil_user to root;
ERROR: permission denied to reassign objects
prod=> drop role evil_user;
ERROR: role "evil_user" cannot be dropped because some objects depend on it
DETAIL: owner of default privileges on new relations belonging to role evil_user
^
prod=> REVOKE ALL ON ALL TABLES IN SCHEMA PUBLIC FROM evil_user;
REVOKE
prod=> drop role evil_user;
ERROR: role "evil_user" cannot be dropped because some objects depend on it
DETAIL: owner of default privileges on new relations belonging to role evil_user
prod=> REVOKE ALL ON SCHEMA public FROM evil_user;
REVOKE
prod=> REVOKE ALL ON DATABASE prod FROM evil_user;
REVOKE
prod=> reassign owned by evil_user to root;
ERROR: permission denied to reassign objects
prod=> drop user evil_user;
ERROR: role "evil_user" cannot be dropped because some objects depend on it
DETAIL: owner of default privileges on new relations belonging to role evil_user
^
prod=> ALTER DEFAULT PRIVILEGES IN SCHEMA public REVOKE ALL ON TABLES FROM evil_user;
ALTER DEFAULT PRIVILEGES
prod=> drop user evil_user;
ERROR: role "evil_user" cannot be dropped because some objects depend on it
DETAIL: owner of default privileges on new relations belonging to role evil_user
prod=> reassign owned by evil_user to root;
ERROR: permission denied to reassign objects
We need to get these people out of our database. For a number of reason we cannot easily move to a new Postgres instance.
There are unintuitive permission requirements when using REASSIGN without a supserusesr account, such as on RDS and Cloud SQL, but it is possible as long as your current_user has permission to GRANT evil_user TO prod. See this other post where I answered the same question: https://stackoverflow.com/a/62557497/79079
prod=> reassign owned by evil_user to root;
ERROR: permission denied to reassign objects
You must perform this action as a postgres superuser account, usually the user postgres.