Created a user/role via following method is Aurora Postgres:
CREATE ROLE rds_user_test;
GRANT rds_superuser to rds_user_test;
GRANT rds_iam TO rds_user_test;
When I login using IAM DB Auth as rds_user_test it appears that I can do all operations as needed except creating or altering roles (maybe other functionality is missing but haven't tested all operations yet). When I check role memberships of this new role against other roles that are able to create/alter roles, both are members of superuser.
I also followed the instructions here:
https://aws.amazon.com/premiumsupport/knowledge-center/rds-aurora-postgresql-clone-master-user/
Still get the same permissions error:
[42501] ERROR: permission denied to create role
Any thoughts on why this new role cannot create/alter other roles even though it seems to have the same privileges of superuser as other roles?
rds_superuser on Amazon Aurora is typically not a superuser. Check with:
SELECT rolsuper FROM pg_roles WHERE rolname = 'rds_superuser';
But to create a role, you don't need superuser privileges. All you need is the CREATEROLE privilege. Check if your user has that:
SELECT rolcreaterole FROM pg_roles WHERE rolname = 'rds_user_test';
Else you need to grant it (as a role that's allowed to do so):
ALTER ROLE rds_user_test CREATEROLE;
Any role with the CREATEROLE privilege can do that (typically including rds_superuser).
The manual:
Roles having CREATEROLE privilege can change any of these settings except SUPERUSER, REPLICATION, and BYPASSRLS; but only for non-superuser and non-replication roles.
The instructions you followed, explicitly instruct to add CREATEROLE, you seem to have skipped that bit:
CREATE ROLE new_master WITH PASSWORD 'password' CREATEDB CREATEROLE LOGIN;
Related
We have a scenario where some users would need super user permissions and other db users dont need it. So we have create the users and then created a role 'SuperRole' which has permissions to create role, db.
Let's say I have user 'User1' mapped to role 'User1' by default with INHERIT. After creating 'SuperRole' role I have ran
GRANT superrole to user1;
After this if I see \du output
postgres=# \du user1
List of roles
Role name | Attributes | Member of
--------------+------------------------+--------------
user1 | Create role, Create DB | {superrole}
As per the documentation https://www.postgresql.org/docs/11/role-membership.html the privileges of role 'member of' should also be inherited. But when i connect to psql with user1, I should be having the privileges of superrole also to create role and db. However when I try to create a db I am getting the below error.
postgres=> create database test;
ERROR: permission denied to create database
The similar error shows for creating role as well. What should be done to make the privileges set for superrole to be available for user1 as well.
The role attributes LOGIN, SUPERUSER, CREATEDB, and CREATEROLE can be thought of as special privileges, but they are never inherited as ordinary privileges on database objects are. You must actually SET ROLE to a specific role having one of these attributes in order to make use of the attribute.
refer: https://www.postgresql.org/docs/current/role-membership.html
On google cloud, with "postgres" user (which is not superuser), i do:
CREATE ROLE postgres_subuser1 LOGIN PASSWORD 'some_pass';
CREATE ROLE postgres_subuser2 LOGIN PASSWORD 'some_pass';
GRANT postgres TO postgres_subuser1;
GRANT postgres TO postgres_subuser2;
Above part wroks, though then I try to set users access on each other objects:
ALTER DEFAULT PRIVILEGES FOR ROLE postgres_subuser1 GRANT ALL PRIVILEGES ON TABLES TO postgres_subuser2;
ALTER DEFAULT PRIVILEGES FOR ROLE postgres_subuser2 GRANT ALL PRIVILEGES ON TABLES TO postgres_subuser1;
gives: must be member of role "postgres_subuser1"
How can solve that?
BTW, if try same on local instance, it works without any error, but this error raises on google cloud.
You need to explicitly grant the postgres user the role. Eg:
GRANT postgres_subuser1 TO postgres;
I have created 3 databases in one RDS DB instance.
The owner of these databases is user postgres.
I'd like to create the new power user.
When I am trying to create it I receive:
"User 'postgres' has no privileges to edit users"
But it is the one user which I can use.
How I can create the new user?
It looks like you need to use CREATE ROLE and assign the rds_superuser role to the new user. It's documented here http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Appendix.PostgreSQL.CommonDBATasks.html#Appendix.PostgreSQL.CommonDBATasks.Roles
and I'll paste the instructions too:
postgres=> create role testuser with password 'testuser' login;
CREATE ROLE
postgres=> grant rds_superuser to testuser;
GRANT ROLE
postgres=>
I created several login and group roles in pgadmin. I then added these login roles to their respective group roles. Then I give these group roles login privileges to a database as well as other required privileges.
But connecting to the database fails with "User does not have CONNECT privilege".
Then I grant login privileges directly to the login roles in pgsql, because pgadmin does not let me add privileges to login roles, only group roles.
Now the user is able to connect to the database, but still gets various privilege errors until I give privileges directly to the login role.
Is this a bug in PostgreSQL (v 9.4.5 for Windows), or what is going on here? I also tried to add privileges to group roles using pgsql instead of pgadmin, with same results.
CREATE ROLE user_g
NOSUPERUSER INHERIT NOCREATEDB NOCREATEROLE NOREPLICATION;
CREATE ROLE user_l LOGIN
ENCRYPTED PASSWORD 'md5...'
NOSUPERUSER NOINHERIT NOCREATEDB NOCREATEROLE NOREPLICATION;
GRANT user_g TO user_l;
GRANT ALL ON DATABASE db TO postgres;
GRANT CONNECT ON DATABASE db TO user_g;
REVOKE ALL ON DATABASE db FROM public;
Above statements do not give user_l privileges to connect to the database, but following does.
GRANT CONNECT ON DATABASE db TO user_l;
The problem then repeats for functions and everything else that requires privileges.
I ran into a very annoying role inheritance issue with PostgreSQL. It simply doesn't behave as it should according to the documentation.
I would like to have a master role, and grant its permissions to newly created users. These users should inherit the permissions without issuing SET ROLE manually.
CREATE ROLE testrole NOSUPERUSER INHERIT CREATEDB NOCREATEROLE;
CREATE ROLE testuser LOGIN NOSUPERUSER INHERIT NOCREATEDB NOCREATEROLE;
GRANT testrole TO testuser;
Now after I connect as testuser, I get the following:
postgres=> CREATE DATABASE foobar;
ERROR: permission denied to create database
postgres=> SET ROLE testrole;
SET
postgres=> CREATE DATABASE foobar;
CREATE DATABASE
According to the docs linked above (because of the INHERIT option), the SET ROLE shouldn't be required.
What am I missing here?
A bit further down the same page:
"The role attributes LOGIN, SUPERUSER, CREATEDB, and CREATEROLE can be thought of as special privileges, but they are never inherited as ordinary privileges on database objects are. You must actually SET ROLE to a specific role having one of these attributes in order to make use of the attribute."