I want to give access to multiple users to create tables in external schema in Redshift. I can make a user owner of the schema and he can create it, but how do I grant other user same access without altering schema ownership. I tried to make a role as the owner of the schema which doesn't work.
As per documentation -
To create external tables, you must be the owner of the external schema or a superuser.
Is there any workaround?
Related
I am new to Postgres and want to know if there is a way to CREATE a DB USER in such a way that it will have access to ALL the SCHEMA's including those which are not created yet, I mean access to all the current and future schema's.I have multiple Schema's in my Postgres DB which have the same Tables.If the above is possible I want this user to have SELECT,INSERT,UPDATE on only 2 Tables in the existing and future created Schemas.
You can use ALTER DEFAULT PRIVILEGES to give a user permissions on future schemas and tables, but you cannot restrict that to certain table names.
You may be able to do that with an event trigger.
Personally, I would put GRANT statements into the code that creates the tables.
I'm new on PostgreSQL. I created a user for to use a specific schema. I have done a table but I can't prevent on schema. I don't want to show all schema to the user. How can I prevent to access the schema?
Grant and Revoke to grant access and privileges on your database, including schema.
I have a database called funnycode. I also have a user called funnycode_user.
How do I grant default privileges to funnycode_user so that the user can:
Create a database under the name funnycode.
User can connect to any future database with the name funnycode, but not other databases.
User can select from all tables and has access to all sequences on any future database under the name funnycode but not other databases.
Is this possible in Postgres? If so, how? I read the documentation here, but I don't see how this:
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT INSERT ON TABLES TO funnycode_user;
Is tied to a specific database, in my case that would be the funnycode database?
The user that creates a database automatically owns that database (unless a different owner is specified) and thus automatically has all privileges on the database. You don't need any additional grants to enable that user creating and using tables in the database.
So if you give funnycode_user the create database privilege, he can create any database he wants, not just funnycode. There is no way to prevent that.
Every new database that is created automatically grants the connect privilege to the role public. If you don't want funnycode_user to connect to other database, you need to revoke that privilege from the public role for every database.
Another way of limiting access to a specific database for a specific user, is through pg_hba.conf
You would need an entry like that:
# TYPE DATABASE USER ADDRESS METHOD
host funnycode funnycode_user 0.0.0.0/0 md5
The entry 0.0.0.0/0 means that funnycode_user can connect from any IP address. Even if funnycode_user created other databases, he wouldn't be able to connect to them.
I think the better (cleaner) way is to not give that user the privilege to create database. Just create that database once, make funnycode_user the owner and that's it.
E.g. as the superuser run:
create user funnycode_user password 'VerySecret';
create database funnycode owner = funnycode_user;
You only need to do that once (or after funnycode_user decides to drop the database) and you don't need to give funnycode_user the privilege to create databases.
How can we restrict Redshift user/group to a single database in multiple databases in a single cluster environment.
For example the user test1_user is in test1_group1 created in a database called test1_DB and later we created another database test2_DB and when we query in test2_DB the pg_group or pg_user tables,we can see test1_user and test1_group.
The ability to access databases and database objects (tables and views) within a redshift cluster is controlled by user/group accounts. As you have mentioned that you are trying to control database access you need to review your user account permissions. You can manage and create these using the create user/group and grant/revoke statements.
The easiest way might be to execute a revoke statement using your super user account and revoke access to test1_user/group for test2_DB.
e.g.
revoke all on all tables in test2_db from test1_group1
Somethings to check might be who created the database object. By default whoever created the database object is the owner. So if your test1_group1 created the new DB you should go back and create it with your superuser account.
I want to create a postgres user that can access only one database on the postgres server at all.
Currently my flow is:
create database database1;
create user user1 with password 'pass';
grant all privileges on database database1 to user1;
but user1 can still see a list of dbs, users, tables etc. Is there a way to prevent that user from seeing that info? The user needs to be able to write to and read from that db.
Thanks a lot.
Each user can see other databases and roles listed, but should not be able to see tables in other databases, ever.
If you revoke CONNECT privilege on all databases except the allotted one, the user will not be able to access the contents of other databases.
Roles and database names are global, and not readily blockable. You can try Frank Heikens suggestion of selective revocations on the system tables, but you take risks to do that. PostgreSQL developers on the usenet mailing lists have discouraged tampering with access to the system catalogs.
Psql, among other tools, assumes they will be available and functions poorly without them.
Why is knowing the names of other databases and roles so bad?
REVOKE the SELECT permissions on the information_schema and some sections in the system catalog.
By default any objects you create are created in the public schema. Also, any users that you create have CREATE and USAGE privileges on the public schema. You should revoke CREATE and USAGE to the public schema for this user, or you should change the default access level. You'll also need to move the database to which this user has access into the user's schema, or a schema accessible to the user. See DDL Schemas in the Postgres manual.