Grant readaccess to all existing (and future) Postgres schematas - postgresql

I have a Postgres database (PostgreSQL-Version 11), which has a lot schematas. Each schemata has a lot of tables. So, now I've got a user xyz, which should have readaccess to all of those schematas and all future ones. I found this gist, which explains how to create a readaccess group and how to add a user to this group:
-- Create a group
CREATE ROLE readaccess;
-- Grant access to existing tables
GRANT USAGE ON SCHEMA public TO readaccess;
GRANT SELECT ON ALL TABLES IN SCHEMA public TO readaccess;
-- Grant access to future tables
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO readaccess;
-- Create a final user with password
CREATE USER tomek WITH PASSWORD 'secret';
GRANT readaccess TO xyz;
But this is only working for the public schemata. Lets assume, i create a new schemata called "new_schema", the user xyz don't have readaccess to this this schema.
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO readaccess;
is creating readaccess to all future tables inside a specific schemata, but not for future schematas.
Long story short: How can i give readaccess to all existing and future schematas for a specific user?

Related

Revoke all on schema

I try add audit trigger for table in BD. I find example on GitHub. But I dont understand why author use this construction after create schema and table
CREATE SCHEMA audit;
REVOKE ALL ON SCHEMA audit FROM public;
And for table:
REVOKE ALL ON audit.logged_actions FROM public;
What the aim of using REVOKE ?
Revoke removes access permissions to an object.
it means only specific users that you will grant permission to them can access the audit scheme / logged_actions table.
"The key word PUBLIC refers to the implicitly defined group of all roles."
The REVOKE is pointless, because the default permissions on a new schema only allow the owner (the user that ran CREATE SCHEMA) to use it. See the documentation:
No privileges are granted to PUBLIC by default on tables, table columns, sequences, foreign data wrappers, foreign servers, large objects, schemas, tablespaces, or configuration parameters.
I can only assume that the REVOKE is a safety measure, in case the user who runs CREATE SCHEMA has changed the default privileges as follows:
ALTER DEFAULT PRIVILEGES GRANT ... ON SCHEMAS TO PUBLIC;

Creating a role/user that only displays list of accessible tables

I'm trying to tighten up some roles/user privileges for my postgresql db. What I'm trying to achieve is a readonly user to ONLY be able to see the list of tables they have access to.
I've created a role:
CREATE ROLE readonly;
Granting readonly privileges to certain tables:
GRANT SELECT on TABLE table_1 to readonly;
GRANT SELECT on TABLE table_2 to readonly;
Created the user:
CREATE USER readonlyuser with password '<password>';
Assigned readonly role:
GRANT readonly on readonlyuser;
But still, when I run \d when I'm signed in as that user it still lists ALL tables (including tables that this user does not have access to)
And same goes for running \du, which lists ALL users and roles.
Is there anyway to only display the tables this user has access to and also not allowing to view the users/roles list?

Restrict create table privilege to newly created users in RDS PostgreSQL 9.6

I am facing an issue while creating a readonly users in RDS PostgreSQL 9.6. I am executing the following SQL commands:
---- ###### CREATE ROLE ################
CREATE ROLE readonlyrole_dev;
-- Grant access to existing tables
GRANT USAGE ON SCHEMA public TO readonlyrole_dev;
GRANT SELECT ON ALL TABLES IN SCHEMA public TO readonlyrole_dev;
-- set the privileges that will be applied to objects created in the future.
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO readonlyrole_dev;
CREATE USER readonly_dev WITH PASSWORD 'welcome1';
GRANT readonlyrole_dev TO readonly_dev;
When I login with the readonly_dev user, it has privilege to create the new tables by default but I don't want to do that. I want to keep readonly_dev only a read only user.
Note: To revoke the access from the user I am executing
REVOKE CREATE ON SCHEMA public FROM PUBLIC;
which revokes create objects privilege to all old users as well. I only want to revoke create privilege from newly created user.
How can I do that?
You cannot do that, and it is not necessary either.
Just deny the user the CREATE permission on all schemas. You should use user groups for that - put all users who should have the privilege to create tables in a group that has the required privilege on the schema and revoke CREATE from PUBLIC.
If you insist that you must have this, try creating an event trigger that throws an exception whenever a certain user tries to create a table.

create database specific user in redshift

We are trying to create a user in Amazon Redshift which should only access a specific database. We know how to assign user to specific schema, but I want use public schema.
Till now we tried following commands:
To create user:
create user tt password 'tttt';
To create group:
create group report_group with user tt;
To grant access of database
grant select on DATABASE demo TO tt;
but its not allowing running select query and fails with
access denied to schema public
any suggestion in this.
You need the below two grants to the user or the group
GRANT USAGE ON SCHEMA public TO tt;
GRANT SELECT ON ALL TABLES IN SCHEMA public TO tt;
GRANT SELECT, INSERT, UPDATE, DELETE
ON ALL TABLES IN SCHEMA public
TO GROUP report_group;
ALTER DEFAULT PRIVILEGES IN SCHEMA public
GRANT SELECT ON TABLES TO GROUP report_group;

Postgres create database user with grant access to schema only

I have a database with a template_schema.I cloned this template schema and created a database user with password. I need to provide access to cloned schema only, for the created user.
SELECT clone_schema('my_template_schema','john_smith_gmail_com');
CREATE USER john_smith_gmail_com WITH PASSWORD 'mypassword';
Upto this Ok. Then I need to grant access to this user for this cloned schema(john_smith_gmail_com) only
Method :1
I tried to revoke all privileges on all tables of cloned schema(john_smith_gmail_com) for the user and grant select to the user. But my question is, can this user get SELECT access on other schema tables?
REVOKE ALL ON ALL TABLES IN SCHEMA john_smith_gmail_com FROM john_smith_gmail_com;
GRANT SELECT ON ALL TABLES IN SCHEMA john_smith_gmail_com TO john_smith_gmail_com;
Method :2
Create a role with only SELECT access and assign or grant this role to newly created user. If I do this, for which schema I grant access,because I clone schema dynamically?
Which method is best one?
From postgresql version 9.0 and forward, the best way is probably to use ALTER DEFAULT PRIVILEGES.
...the default privileges for any object type normally grant all grantable permissions to the object owner, and may grant some privileges to PUBLIC as well. However, this behavior can be changed by altering the global default privileges with ALTER DEFAULT PRIVILEGES.
So if all users like "john_smith_gmail_com" should only have SELECT access to tables in "their own" schema, after creating the schema and user, you can run:
ALTER DEFAULT PRIVILEGES IN SCHEMA john_smith_gmail_com GRANT SELECT ON TABLES TO john_smith_gmail_com;