I have a sample database containing two schemas and I have two roles in the database.
I need to grant rights in a way that
one role can grant all permissions within schema #1 (nowhere else)
the other role can grant all permissions within schema #2 (nowhere else)
(essentially "schema-specific admins")
Would someone know a possible approach to this?
I can think of two ways:
the “administrator role” for each schema owns the objects in that schema – then the requirement is automatically fulfilled
all objects are owned by the same role, and that role uses GRANT ... WITH GRANT OPTION on all tables in each schema to the respective administrative role
I'd prefer the first option, because it is simpler.
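Both options from the answer above, written out as an added example (this is not code from the original answer). Role and schema names (schema1_admin, schema2_admin, data_owner, app_user, schema1..3) are assumptions, and the script is meant to be run as a superuser, which is what CREATE SCHEMA ... AUTHORIZATION for a role you are not a member of requires:

```sql
-- Added example: "schema-specific admins" in PostgreSQL.
-- Names are assumptions; run as a superuser.
CREATE ROLE schema1_admin NOLOGIN;
CREATE ROLE schema2_admin NOLOGIN;
CREATE ROLE app_user LOGIN;

-- Option 1: each admin role owns its schema and every object in it.
CREATE SCHEMA schema1 AUTHORIZATION schema1_admin;
CREATE SCHEMA schema2 AUTHORIZATION schema2_admin;

-- Create objects *as* the owning role so the admin role owns them;
-- the owner can GRANT on its own objects without any further setup.
SET ROLE schema1_admin;
CREATE TABLE schema1.orders (id int PRIMARY KEY, total numeric);
RESET ROLE;

SET ROLE schema2_admin;
CREATE TABLE schema2.audit (id int PRIMARY KEY, msg text);
RESET ROLE;

-- Check the boundary: schema1_admin can grant inside schema1 ...
SET ROLE schema1_admin;
GRANT USAGE ON SCHEMA schema1 TO app_user;
GRANT SELECT ON schema1.orders TO app_user;     -- succeeds
-- ... but cannot even resolve a name in schema2, because it has no USAGE there:
GRANT SELECT ON schema2.audit TO app_user;      -- ERROR: permission denied for schema schema2
RESET ROLE;

-- Option 2: one owner role keeps ownership and delegates with GRANT OPTION.
CREATE ROLE data_owner NOLOGIN;
CREATE SCHEMA schema3 AUTHORIZATION data_owner;
SET ROLE data_owner;
CREATE TABLE schema3.t (id int);
GRANT USAGE ON SCHEMA schema3 TO schema1_admin WITH GRANT OPTION;
GRANT ALL ON ALL TABLES IN SCHEMA schema3 TO schema1_admin WITH GRANT OPTION;
-- Tables data_owner creates in schema3 later get the same delegated grant.
ALTER DEFAULT PRIVILEGES IN SCHEMA schema3
    GRANT ALL ON TABLES TO schema1_admin WITH GRANT OPTION;
RESET ROLE;

-- schema1_admin can now re-grant on schema3.t, but not more than it holds:
SET ROLE schema1_admin;
GRANT SELECT ON schema3.t TO app_user;          -- succeeds, via the grant option
RESET ROLE;
```

The check in the middle is the part worth keeping: with option 1 the "nowhere else" requirement is enforced by the absence of USAGE on the other schema, so a mistaken GRANT fails at name resolution rather than silently doing nothing. With option 2 the ALTER DEFAULT PRIVILEGES line matters, since GRANT ... ON ALL TABLES only touches tables that exist when it runs.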
Related
I'm new-ish to PostgreSQL and wondering what are good patterns for securing objects in your databases.
I've been using MSFT SQL Server for most of my career, and like the approach that they have taken to securing databases and objects. Some of the things that I'm missing in PostgreSQL are pre-defined roles at the instance and database levels, such as db_reader and db_writer.
How do you handle security of new objects?
Are you limiting people's ability to create new objects within the database (of course you are, but I'm interested in an approach or patterns), and how are you doing that (using CICD, manually, event-based triggers)?
Currently, I'm using a series of event-based triggers and roles to manage new object creation. I don't like it though, and feel like it's overly complex, but here's the criteria that I used. I also wanted to prevent others (non-administrators) from having to "escalate their security context", and was hoping to use DEFAULT PRIVILEGES to do this. Unfortunately, that didn't work for me, which I believe is a result of using a hosted solution, and not having a true SUPERUSER role.
Overview
3 default roles
db_reader, read-only access to user-defined databases
db_writer, read-write access to user-defined databases
db_admin, full database access to user-defined databases
Each role inherits the privileges of its “parent”
db_writer inherits all privileges of db_reader
db_admin inherits all privileges of db_writer
Role-based Privileges
Reader role (db_reader)
CONNECT on all user-defined databases
USAGE on all user-defined schemas
SELECT on all user-defined tables, views, and sequences
Writer role (db_writer)
all privileges associated with db_reader
INSERT, UPDATE, DELETE on all user-defined tables and sequences
Admin role (db_admin)
all privileges associated with db_writer
CREATE on all user-defined databases
TRUNCATE on all user-defined tables
Two types of roles
Group Role (users and permissions)
User Role (generally personal or application names)
Privileges are assigned to group roles via GRANT and REVOKE.
User roles inherit privileges from associated group roles and have the LOGIN privilege.
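The three-tier layout described in the question, as an added example (not code from the original post). It assumes a database appdb and a schema app already exist and that the script runs as their owner; all role, table and user names are assumptions. Two details differ slightly from the list above because PostgreSQL has no INSERT or DELETE privilege on sequences: the writer gets USAGE and UPDATE on sequences instead, which is what nextval()/setval() check. The ALTER DEFAULT PRIVILEGES statements only affect objects created later by the role that ran them (or, with FOR ROLE x, by x, which requires being a member of x), which is why they have to be repeated per creating role:

```sql
-- Added example: db_reader / db_writer / db_admin group roles with inheritance.
-- Assumes database "appdb" and schema "app" exist; run as their owner.

-- Group roles: no LOGIN, each one a member of (and inheriting from) its parent.
CREATE ROLE db_reader NOLOGIN;
CREATE ROLE db_writer NOLOGIN IN ROLE db_reader;   -- db_writer inherits db_reader
CREATE ROLE db_admin  NOLOGIN IN ROLE db_writer;   -- db_admin  inherits db_writer

-- A sample table so the checks at the end have something to look at.
CREATE TABLE app.some_table (id bigserial PRIMARY KEY, note text);

-- Reader: connect, see the schema, read tables/views/sequences.
GRANT CONNECT ON DATABASE appdb TO db_reader;
GRANT USAGE ON SCHEMA app TO db_reader;
GRANT SELECT ON ALL TABLES    IN SCHEMA app TO db_reader;   -- includes views
GRANT SELECT ON ALL SEQUENCES IN SCHEMA app TO db_reader;

-- Writer: DML on tables; USAGE/UPDATE is the sequence equivalent.
GRANT INSERT, UPDATE, DELETE ON ALL TABLES    IN SCHEMA app TO db_writer;
GRANT USAGE, UPDATE          ON ALL SEQUENCES IN SCHEMA app TO db_writer;

-- Admin: may create objects and truncate.
GRANT CREATE ON DATABASE appdb TO db_admin;
GRANT CREATE ON SCHEMA app     TO db_admin;
GRANT TRUNCATE ON ALL TABLES IN SCHEMA app TO db_admin;

-- Future objects: the grants above only cover what exists now. These apply
-- to objects later created by the role running this script; repeat them
-- (with FOR ROLE <creator>) for every other role allowed to create objects.
ALTER DEFAULT PRIVILEGES IN SCHEMA app GRANT SELECT ON TABLES    TO db_reader;
ALTER DEFAULT PRIVILEGES IN SCHEMA app GRANT SELECT ON SEQUENCES TO db_reader;
ALTER DEFAULT PRIVILEGES IN SCHEMA app GRANT INSERT, UPDATE, DELETE ON TABLES TO db_writer;
ALTER DEFAULT PRIVILEGES IN SCHEMA app GRANT USAGE, UPDATE ON SEQUENCES TO db_writer;
ALTER DEFAULT PRIVILEGES IN SCHEMA app GRANT TRUNCATE ON TABLES TO db_admin;

-- User roles: LOGIN, and nothing granted directly; privileges come only
-- from group membership.
CREATE ROLE alice         LOGIN PASSWORD 'change-me' IN ROLE db_writer;
CREATE ROLE reporting_app LOGIN PASSWORD 'change-me' IN ROLE db_reader;

-- Verify the inheritance chain from the server side.
SELECT has_table_privilege('alice', 'app.some_table', 'SELECT');    -- t, via db_reader
SELECT has_table_privilege('alice', 'app.some_table', 'INSERT');    -- t, via db_writer
SELECT has_table_privilege('alice', 'app.some_table', 'TRUNCATE');  -- f, db_admin only
SELECT has_table_privilege('reporting_app', 'app.some_table', 'INSERT'); -- f
```

Keeping every privilege on the group roles and none on the login roles is what makes the layout auditable: dropping alice from db_writer removes all her write access in one statement, and pg_roles/pg_auth_members is the complete record of who can do what.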
This is probably a silly question and I'm sure it's a problem with my mental model.
Ultimately I want to set privileges on a role such that any other roles in that role have CRUD access to all the current tables and automatically all of the future tables in perpetuity for said database. But ONLY those roles that have been explicitly added to said 'group role'.
It's not clear how to do this.
There is no way to get exactly what you want, but you can get close enough.
Dealing with existing tables is simple enough: just revoke all privileges that have been granted on the tables and grant access to your group role. The command that makes this easy is
GRANT/REVOKE ALL
ON ALL TABLES IN SCHEMA ... TO/FROM ...;
To deal with future tables, you'll have to restrict the circle of users that may create tables to a few, and for each of them run
ALTER DEFAULT PRIVILEGES FOR ROLE creating_user
GRANT ALL ON TABLES TO ...;
If you cannot enumerate the users that can create tables, an event trigger running at the end of each CREATE statement may be an alternative.
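The two pieces of the answer above, as an added example (not code from the original answer): the one-shot reset for existing tables, and the event-trigger alternative for future tables when you cannot list the creators. Schema app, group role app_rw and the table names are assumptions. CREATE EVENT TRIGGER requires a superuser, and the EXECUTE FUNCTION spelling needs PostgreSQL 11 or later (older releases use EXECUTE PROCEDURE):

```sql
-- Added example: CRUD for group role "app_rw" on every current and future
-- table in schema "app". Names are assumptions; run as a superuser.

-- 1. Existing tables: wipe whatever was granted, then grant to the group.
REVOKE ALL ON ALL TABLES IN SCHEMA app FROM PUBLIC;
GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA app TO app_rw;

-- 2. Future tables, without enumerating who creates them.
CREATE OR REPLACE FUNCTION app_grant_new_tables()
RETURNS event_trigger
LANGUAGE plpgsql
AS $$
DECLARE
    cmd record;
BEGIN
    -- pg_event_trigger_ddl_commands() lists every object produced by the
    -- statement that fired the trigger. A CREATE TABLE with a PRIMARY KEY
    -- or a serial column also reports the index/sequence, so filter on
    -- object_type as well as schema.
    FOR cmd IN
        SELECT object_identity
        FROM pg_event_trigger_ddl_commands()
        WHERE object_type = 'table'
          AND schema_name = 'app'
    LOOP
        -- The trigger function runs as the user who ran the CREATE, i.e.
        -- the new table's owner, so the GRANT is always permitted.
        -- object_identity is already schema-qualified and quoted.
        EXECUTE format('GRANT SELECT, INSERT, UPDATE, DELETE ON %s TO app_rw',
                       cmd.object_identity);
        RAISE NOTICE 'granted app_rw on %', cmd.object_identity;
    END LOOP;
END;
$$;

CREATE EVENT TRIGGER app_grant_new_tables
    ON ddl_command_end
    WHEN TAG IN ('CREATE TABLE', 'CREATE TABLE AS', 'SELECT INTO')
    EXECUTE FUNCTION app_grant_new_tables();

-- 3. Check: a table created by anyone with CREATE on "app" is now reachable.
CREATE TABLE app.events (id bigint PRIMARY KEY, payload jsonb);
SELECT has_table_privilege('app_rw', 'app.events', 'INSERT');   -- t
```

Restricting WHERE object_type = 'table' is deliberate: granting table privileges on an index or sequence row would fail and abort the user's CREATE TABLE. Roles must still have USAGE on schema app to reach the tables; the trigger only handles the table-level grants.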
I'm new to PostgreSQL. I created a user to use a specific schema. I have created a table, but I can't restrict the schema. I don't want to show all schemas to the user. How can I prevent access to the schema?
Use GRANT and REVOKE to grant access and privileges on your database, including schemas.
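A concrete version of that answer, added here as an example (not code from the original answer): confining a login role to a single schema. Database appdb, role reporter and schemas reports, hr and finance are assumptions; run as the database owner or a superuser while connected to appdb:

```sql
-- Added example: "reporter" may use schema "reports" and nothing else.
-- Names are assumptions.

-- Connecting at all.
GRANT CONNECT ON DATABASE appdb TO reporter;

-- USAGE on a schema is what allows looking up objects inside it; without it
-- a SELECT grant on a table in that schema cannot be exercised.
-- PUBLIC holds USAGE on "public" by default (and CREATE too before PG 15).
REVOKE ALL ON SCHEMA public FROM PUBLIC;
REVOKE ALL ON SCHEMA hr, finance FROM reporter;   -- no-op if never granted, harmless

-- Open only the schema it needs, read-only.
GRANT USAGE ON SCHEMA reports TO reporter;
GRANT SELECT ON ALL TABLES IN SCHEMA reports TO reporter;
ALTER DEFAULT PRIVILEGES IN SCHEMA reports GRANT SELECT ON TABLES TO reporter;

-- Checks from the server side:
SELECT has_schema_privilege('reporter', 'reports', 'USAGE');   -- t
SELECT has_schema_privilege('reporter', 'hr',      'USAGE');   -- f
SELECT has_schema_privilege('reporter', 'public',  'USAGE');   -- f

-- And as the user:
SET ROLE reporter;
SELECT count(*) FROM reports.daily_totals;   -- works, if that table exists
SELECT * FROM hr.salaries;                   -- ERROR: permission denied for schema hr
RESET ROLE;
```

One caveat on "I don't want to show all schemas": privileges control what a role can read or resolve, not what the system catalogs list. Any connected role can still see the other schemas' names in pg_namespace (psql's \dn); what they cannot do is name or read anything inside them.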
I am trying to revoke all permissions of a user on a database, but I can't get it to work.
I am doing:
REVOKE ALL PRIVILEGES ON DATABASE db1 FROM user1;
REVOKE ALL refers to all the permissions on one object, not on any related objects. In this case, you are saying "all permissions which apply to the database, as a single object". The only permission which exists at the database level is CONNECT, and by default, that is granted to the special role Public, of which all other roles are a member.
So to deny access to a user that way, you would have to revoke CONNECT privilege from Public, and then explicitly GRANT it to the roles you do want to give access to.
There are a few other options that come to mind:
Set a DENY rule for that combination of user and database in pg_hba.conf
Revoke USAGE on all schemas in the database, so that they can connect but not access anything. I believe the public schema has this granted to the public role, so you will need to revoke first as with CONNECT
Revoke all from the objects within the database. This requires multiple statements like REVOKE ALL PRIVILEGES ON ALL TABLES IN SCHEMA foo FROM somebody for different object types. You should also use ALTER DEFAULT PRIVILEGES to make sure objects you create from now on won't be accessible.
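The first option from that answer (take CONNECT away from PUBLIC, then grant it back selectively), as an added example that is not code from the original answer. Role app_rw is an assumption, db1 and user1 are the names from the question; run as the owner of db1 or a superuser. The example revokes ALL rather than just CONNECT because database-level privileges also include CREATE and TEMP, and TEMP is granted to PUBLIC by default alongside CONNECT:

```sql
-- Added example: lock user1 out of db1. "app_rw" is an assumption.

-- 1. Take the default database privileges away from everyone. This is the
--    step the question's REVOKE ... FROM user1 was missing: user1 was
--    connecting through PUBLIC's grant, not through a grant of its own.
REVOKE ALL ON DATABASE db1 FROM PUBLIC;

-- Keep the explicit revoke too, in case user1 was ever granted directly.
REVOKE ALL ON DATABASE db1 FROM user1;

-- 2. Hand connect back only to the roles that need it; user1 is absent.
GRANT CONNECT, TEMP ON DATABASE db1 TO app_rw;

-- 3. Verify.
SELECT has_database_privilege('user1',  'db1', 'CONNECT');   -- f
SELECT has_database_privilege('app_rw', 'db1', 'CONNECT');   -- t

-- 4. REVOKE does not end sessions that are already open; do that explicitly.
SELECT pg_terminate_backend(pid)
FROM pg_stat_activity
WHERE datname = 'db1' AND usename = 'user1';

-- Alternative from the answer: refuse at the connection layer, before any
-- privilege check at all. In pg_hba.conf, placed *above* any line that
-- would otherwise match user1 (first match wins):
--   # TYPE  DATABASE  USER   ADDRESS  METHOD
--   local   db1       user1           reject
--   host    db1       user1  all      reject
-- then apply it without a restart:
SELECT pg_reload_conf();
```

Two things to check before relying on this: a superuser, or the owner of db1, bypasses CONNECT checks entirely, so confirm user1 is neither (SELECT rolsuper FROM pg_roles WHERE rolname = 'user1'); and the pg_hba.conf route is the only one of the two that also covers roles added to PUBLIC-style grants later, since it never consults privileges at all.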
I want to give permissions to a user on all the tables existing in a database. Is there any way to grant a user on multiple tables?
It is not possible to grant permissions to multiple objects in a single statement, you need to grant per object.
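The per-object approach that answer describes, driven from the catalog so the table list does not have to be typed by hand, as an added example (not code from the original answer). Role analyst and the schema filter are assumptions. (For a single schema, the GRANT ... ON ALL TABLES IN SCHEMA form used earlier on this page does the same in one statement; the loop is what you use when the set of tables needs filtering, or spans many schemas.)

```sql
-- Added example: grant SELECT on every user table, one object at a time,
-- plus USAGE on each schema that contains one. "analyst" is an assumption.
-- Run as a superuser or as the owner of the tables.
DO $$
DECLARE
    s record;
    t record;
    n int := 0;
BEGIN
    -- Schemas first: without USAGE the table grants cannot be exercised.
    FOR s IN
        SELECT DISTINCT schemaname
        FROM pg_tables
        WHERE schemaname NOT IN ('pg_catalog', 'information_schema')
          AND schemaname NOT LIKE 'pg_toast%'
          AND schemaname NOT LIKE 'pg_temp%'
    LOOP
        EXECUTE format('GRANT USAGE ON SCHEMA %I TO analyst', s.schemaname);
    END LOOP;

    -- Then every table. pg_tables lists tables only; views live in pg_views
    -- and would need a second loop if they are wanted too.
    FOR t IN
        SELECT schemaname, tablename
        FROM pg_tables
        WHERE schemaname NOT IN ('pg_catalog', 'information_schema')
          AND schemaname NOT LIKE 'pg_toast%'
          AND schemaname NOT LIKE 'pg_temp%'
        ORDER BY schemaname, tablename
    LOOP
        -- %I quotes identifiers, so a table named "drop; --" cannot break
        -- out of the statement being built.
        EXECUTE format('GRANT SELECT ON TABLE %I.%I TO analyst',
                       t.schemaname, t.tablename);
        n := n + 1;
    END LOOP;

    RAISE NOTICE 'granted SELECT on % tables to analyst', n;
END
$$;

-- Spot check against one table that exists in your database:
SELECT has_table_privilege('analyst', 'app.orders', 'SELECT');   -- t
```

The whole DO block is one transaction, so a single failing GRANT (for example on a table owned by a role you are not a member of) rolls back every grant made before it; run it as a role that owns or can grant on everything in the filter, or narrow the WHERE clause.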