not able to perform any operation on existing table in postgresql - postgresql

I have created RO user and it's working fine but only thing is that it is not able to perform any operation on already created table.
I am using below query:
CREATE ROLE rw LOGIN PASSWORD '123';
GRANT CONNECT ON DATABASE test to rw;
GRANT USAGE ON SCHEMA public TO rw;
GRANT SELECT ON ALL TABLES IN SCHEMA public TO rw;
GRANT SELECT ON ALL SEQUENCES IN SCHEMA public TO rw;
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON tables TO PUBLIC;
GRANT SELECT ON ALL TABLES IN SCHEMA public TO PUBLIC;
GRANT SELECT ON ALL TABLES IN SCHEMA public TO PUBLIC;
GRANT ALL PRIVILEGES ON DATABASE "test" to rw;
This table is created before RW user creation:
insert into mobile(device_name,model_no) values('poco','4');
getting below error:
ERROR: permission denied for table mobile
SQL state: 42501
need suggestion...

Related

Create PostgreSQL user with read-only permission on AWS

I'm trying to create a user with read-only permission in Postgres on AWS.
CREATE USER readonly_username WITH PASSWORD 'password';
GRANT USAGE ON SCHEMA public to readonly_username;
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO readonly_username;
After that i gave SELECT permission new tables:
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO readonly_username;
But when i try to give permission to existing tables i got an error:
GRANT SELECT ON ALL TABLES IN SCHEMA public TO readonly_username;
ERROR: permission denied for relation admin_log
Can anyone help me?

Quesition about permissions on Postgres

I know it should be easy question but still facing an issue with permissions.
I need to have 3 users in postgres:
Fully Admin like default "postgres" user
Should have access to insert, select and update with delete but no admin access
Should have access to all tables only with read only permissions
I did this in this way:
CREATE role program_schema_role_ro ;
CREATE role program_schema_role_normal ;
CREATE role program_schema_role_admin ;
CREATE USER user_ro WITH PASSWORD 'user_ro';
CREATE USER user_app WITH PASSWORD 'user_app';
CREATE USER user_admin WITH PASSWORD 'user_admin';
GRANT program_schema_role_ro to user_ro;
GRANT program_schema_role_normal TO user_app;
GRANT program_schema_role_admin TO user_admin;
GRANT program_schema_role_admin TO postgres;
ALTER DEFAULT PRIVILEGES FOR ROLE program_schema_role_admin IN SCHEMA public GRANT ALL ON TABLES TO program_schema_role_admin;
GRANT ALL ON ALL TABLES IN SCHEMA public TO program_schema_role_admin;
GRANT posgtres TO program_schema_role_admin;
ALTER DEFAULT PRIVILEGES FOR ROLE program_schema_role_admin GRANT ALL ON SEQUENCES TO program_schema_role_admin;
GRANT ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA public TO program_schema_role_admin;
REVOKE program_schema_role_admin FROM postgres;
GRANT program_schema_role_normal TO postgres;
ALTER DEFAULT PRIVILEGES FOR ROLE program_schema_role_normal IN SCHEMA public GRANT SELECT, INSERT, UPDATE, DELETE, TRUNCATE ON TABLES TO program_schema_role_normal;
GRANT SELECT, INSERT, UPDATE, DELETE, TRUNCATE ON ALL TABLES IN SCHEMA public TO program_schema_role_normal;
ALTER DEFAULT PRIVILEGES FOR ROLE program_schema_role_normal GRANT USAGE, SELECT ON SEQUENCES TO program_schema_role_normal;
GRANT USAGE, SELECT ON ALL SEQUENCES IN SCHEMA public TO program_schema_role_normal;
REVOKE program_schema_role_normal FROM postgres;
GRANT program_schema_role_ro TO postgres;
ALTER DEFAULT PRIVILEGES FOR ROLE program_schema_role_ro IN SCHEMA public GRANT SELECT ON TABLES TO program_schema_role_ro;
GRANT SELECT ON ALL TABLES IN SCHEMA public TO program_schema_role_ro;
ALTER DEFAULT PRIVILEGES FOR ROLE program_schema_role_ro GRANT SELECT ON SEQUENCES TO program_schema_role_ro;
GRANT SELECT ON ALL SEQUENCES IN SCHEMA public TO program_schema_role_ro;
REVOKE program_schema_role_ro FROM postgres;
But still after all of this I facing a lot of issues.
Like after new table which created by admin, no read access to other
Or app user or ro user have permissions to alter.
Where is my mistake?
The ALTER DEFAULT PRIVILEGES statements you run will only affect objects created by program_schema_role_ro itself, not objects created by members of that role.
You'd have to run
ALTER DEFAULT PRIVILEGES FOR ROLE user_admin ...

Postgresql readonly role and user

I couldn't find an answer to this question: why does selecting from the table fail after the privileges were granted?
-- create new role
CREATE ROLE readonly;
-- grant access to all existing tables
GRANT CONNECT ON DATABASE shop TO readonly;
GRANT USAGE ON SCHEMA public TO readonly;
GRANT SELECT ON ALL TABLES IN SCHEMA public TO readonly;
GRANT SELECT ON ALL SEQUENCES IN SCHEMA public TO readonly;
GRANT EXECUTE ON ALL FUNCTIONS IN SCHEMA public TO readonly;
-- grant access to all table which will be created in the future
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO readonly;
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON SEQUENCES TO readonly;
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT EXECUTE ON FUNCTIONS TO readonly;
-- create user and grant role to this user
CREATE USER b_readonly WITH PASSWORD 'reAdOnLy123';
GRANT readonly TO b_readonly;
My error message from db is following:
ERROR: permission denied for relation customer_search_query SQL
state: 42501
Is there some new trick in Postgresql 9.6.5?
If pg version < 14
try as:
postgres=# CREATE ROLE readaccess;
postgres=# CREATE USER read_user WITH PASSWORD 'read_password';
postgres=# GRANT readaccess TO read_user;
--- INPORTANT (select needed db)---
postgres=# \с your_db;
your_db=# GRANT CONNECT ON DATABASE your_db TO readaccess;
your_db=# GRANT SELECT ON ALL TABLES IN SCHEMA public TO readaccess;
if pg version >= 14
GRANT pg_read_all_data TO readaccess;
It is likely that the table you're querying from, customer_search_query is not in the public schema. Try running this command.
GRANT SELECT ON customer_search_query TO readonly;

Grant access to views in postgresql

I have a view called testview in postgresql.
I created a new user called testuser.
I would like testuser to have all privileges on all tables and views in the database.
To do this I ran the following commands:
GRANT ALL PRIVILEGES ON DATABASE testdb TO testuser;
GRANT USAGE ON SCHEMA public TO testuser;
GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO testuser;
testuser now has access to all tables in the database, but if I try to run SELECT * FROM testview I get the following error: permission denied for relation testview.
What is wrong? How do testuser get access to testview?
I agree it should work. With permissions GRANT ... ON ALL TABLES should include views too.
Did you create the view after granting the privileges to testuser? If so then it doesn't have the same privileges as the other tables. That's because GRANT ... ON ALL TABLES means "on all tables that currently exist". To include tables/views you create in the future, you can say:
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO testuser;
Or if you want to give more than SELECT, you can say ALL PRIVILEGES instead.
I think this behavior of ON ALL TABLES is one of the most misunderstood bits about Postgres permissions, and it isn't really called out in the standard documentation, so I tried to emphasize it in my own Postgres permissions overview.
postgres=# GRANT ALL PRIVILEGES ON DATABASE testdb TO testuser;
postgres=# GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO testuser;
GRANT USAGE on schema:
GRANT USAGE ON SCHEMA schema_name TO username;
Grant SELECT for a specific table:
GRANT SELECT ON tbl_loans_new TO oloffm;
Grant SELECT for multiple tables:
GRANT SELECT ON ALL TABLES IN SCHEMA schema_name TO username;

Create a User for Select Only on Postgresql. Restrict "ALTER TABLE"

I am using fallowing scripts for Create a user.
CREATE ROLE readonly LOGIN PASSWORD 'thePwd';
-- Existing objects
GRANT CONNECT ON DATABASE the_db TO readonly;
GRANT USAGE ON SCHEMA public TO readonly;
GRANT SELECT ON ALL TABLES IN SCHEMA public TO readonly;
GRANT SELECT ON ALL SEQUENCES IN SCHEMA public TO readonly;
GRANT EXECUTE ON ALL FUNCTIONS IN SCHEMA public TO readonly;
After Create User & Role; the "readonly" user have "SELECT" permission. No Drop or Truncate rights. But "readonly" user have right "Alter Table" command.
How can I restrict for a specific user "Alter Table" rights?
Is there a simple example?
The solution is at the following script;
create user dummy_user with nosuperuser encrypted password 'dummy_password';
GRANT CONNECT ON DATABASE the_db TO dummy_user;
GRANT USAGE ON SCHEMA public TO dummy_user;
GRANT SELECT ON ALL TABLES IN SCHEMA public TO dummy_user;
GRANT SELECT ON ALL SEQUENCES IN SCHEMA public TO dummy_user;
GRANT EXECUTE ON ALL FUNCTIONS IN SCHEMA public TO dummy_user;