So I'm new at Django development and I haven't figured out how models and postgresql privileges work together.
I have a postgreql database with a schema called AUTH with all the models that Django auth creates(auth_user, auth_permission, etc). The user that I passed on DATABASES on settings.py is a user that has no SELECT, UPDATE, DELETE, etc privileges on any table on that SCHEMA (I was making some tests) but when I create any user it gets written on auth_user table on SCHEMA AUTH.
So how does postgresql privileges and Django models are put together?
Thanks
Related
I'm building a spring boot application. Flyway database migrations are executed at the application startup.
I decided to use two different roles: role__app (read/write rights on tables, sequences in app schema) and role__migration (advanced rights in app/migration schemas).
Flyway migrations are executed under role__migration so it becomes the owner of the created objects. I thought that the following statements would help:
ALTER DEFAULT PRIVILEGES IN SCHEMA app GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO role__app;
ALTER DEFAULT PRIVILEGES IN SCHEMA app GRANT USAGE ON SEQUENCES TO role__app;
But when the new tables are added to the app schema the user__app (belongs to the role__app) doesn't have access to the tables.
Is it possible to maintain such a flow (with app, migrattion users/roles) by Postgres or by any other means?
As a side note I should mention that I run the following statements on the target database:
REVOKE CREATE ON SCHEMA public FROM PUBLIC;
REVOKE ALL ON DATABASE myDb FROM PUBLIC;
Update 1
I added the FOR ROLE clause, yet I'm still getting the permission denied message for a created table (app.property) in app schema for user user__app. The owner of the table is user__mig.
Update 2
After logging in as postgres user in dbeaver we can see that user__mig has all necessary permissions ticked whereas the user__app has no permissions on the app.property table at all:
Here is a gist to reproduce the problem: https://gist.github.com/happygrizzly/849a6a791f028ba5b191f73180ae35d1
You should write
ALTER DEFAULT PRIVILEGES FOR USER role__migration ...
If you omit the FOR USER clause, the privileges are only granted on objects created by the user who ran ALTER DEFAULT PRIVILEGES.
With the above statement, the privileges are granted when role__migration creates an object. That does not extend to members of the role role__migration.
I'm using CloudSQL Postgres 11 on GCP, and I've got a few questions around permissions and grants. I'm just not getting it at the moment, being very new to postgres.
I have a user, pgadmin which is a superuser. With this user I can connect to the instance and create a database called 'sandbox' for example.
I then have an app role which is defined as follows:
CREATE ROLE app;
GRANT CONNECT ON DATABASE <database name> TO app;
GRANT USAGE, CREATE ON SCHEMA public TO app;
GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO app;
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL PRIVILEGES ON TABLES TO app;
GRANT USAGE ON ALL SEQUENCES IN SCHEMA public TO app;
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT USAGE ON SEQUENCES TO app;
I create a user called app_sandbox which I grant this role.
The app user then makes a db migration using flyway which creates 2 tables. That side of things is fine.
But with my superuser, pgadmin, I can't see these tables or query them even though this user owns the database and is a superuser. I've tried all sorts of grants. Feels like I'm missing something important because even if I true to create a readonly role with the pgadmin user I am unable to grant access to the underlying tables in the public schema of the database.
What am I missing?
Just because one user (=pgadmin) owns the database, does not mean that user also owns the tables created in that database. And because pgadmin doesn't own those tables, you can't access them when logged in as pgadmin
If the app user created the tables, they belong to that user, and only the app user can grant privileges on those tables to other users.
I'm building a spring boot application. Flyway database migrations are executed at the application startup.
I decided to use two different roles: role__app (read/write rights on tables, sequences in app schema) and role__migration (advanced rights in app/migration schemas).
Flyway migrations are executed under role__migration so it becomes the owner of the created objects. I thought that the following statements would help:
ALTER DEFAULT PRIVILEGES IN SCHEMA app GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO role__app;
ALTER DEFAULT PRIVILEGES IN SCHEMA app GRANT USAGE ON SEQUENCES TO role__app;
But when the new tables are added to the app schema the user__app (belongs to the role__app) doesn't have access to the tables.
Is it possible to maintain such a flow (with app, migrattion users/roles) by Postgres or by any other means?
As a side note I should mention that I run the following statements on the target database:
REVOKE CREATE ON SCHEMA public FROM PUBLIC;
REVOKE ALL ON DATABASE myDb FROM PUBLIC;
Update 1
I added the FOR ROLE clause, yet I'm still getting the permission denied message for a created table (app.property) in app schema for user user__app. The owner of the table is user__mig.
Update 2
After logging in as postgres user in dbeaver we can see that user__mig has all necessary permissions ticked whereas the user__app has no permissions on the app.property table at all:
Here is a gist to reproduce the problem: https://gist.github.com/happygrizzly/849a6a791f028ba5b191f73180ae35d1
You should write
ALTER DEFAULT PRIVILEGES FOR USER role__migration ...
If you omit the FOR USER clause, the privileges are only granted on objects created by the user who ran ALTER DEFAULT PRIVILEGES.
With the above statement, the privileges are granted when role__migration creates an object. That does not extend to members of the role role__migration.
I just created a database with an additional application schema.
And for our Java Spring Boot applications I created a new role with the following SQL scripts for setting up the privileges:
CREATE USER app_role WITH ENCRYPTED PASSWORD '#########';
GRANT ALL ON SCHEMA application TO app_role;
Now my expectation was that I could only create and delete tables within the schema application when logging in with this role.
However, I am also able to create and modify tables in the schema public.
Are there any default privileges for the public schema?
Why can I create tables in schemas I did not grant any privileges to?
The public schema has a special role in PostgreSQL, as the documentation describes.
If you don't want that (and it can be a security problem), you can either REVOKE the CREATE privilege or even drop the schema alogether.
In my Rails 4 multi-tenant application, I create new schemas in Postgresql with the gem Apartment.
It works very well but I have a problem with the privileges for new schemas.
In Postgresql, I created a "backup" user to backup my database.
I defined the default privileges with :
ALTER DEFAULT PRIVILEGES FOR USER foo GRANT SELECT ON TABLES TO backup;
ALTER DEFAULT PRIVILEGES FOR USER <nom_user_ks-xxx_dbuser> GRANT SELECT ON SEQUENCES TO backup;
This works for new tables and sequences (as it's explained in Postgresql documentation) in existing schemas but it doesn't work for new schemas.
After googling hours, I can't find a solution.
What is the best way to apply default privileges for new schemas ?
Thanks