I am the owner of a partitioned table (table_name) and I have granted the privileges to another user (user2).
GRANT All ON table_name TO user2
But whenn user2 want to create a partition of table_name :
create table table_name_1 partition of table_name for values from (0) to (10)
the next error appears:
must be owner of table table_name
Is there any way to allow this user to create a partition without making him the owner of this table?
Only the table owner (that extends to members of that role) or a superuser can create a partition. You cannot grant the privilege to anyone else unless you make them a member of the table owner:
GRANT my_user TO user2;
Related
Logged in as the superuser, how can I grant user access to a specific table under a specific schema.
I tried this
GRANT SELECT on TABLE this_schema.my_table TO my_user
But when I login as my_user I can't select from the table. I don't want my_user to have access to any other tables in this_schema.
Is this possible?
Yes its possible.
You can use following command, to give select access of specific table to specific user.
GRANT SELECT on SCHEMA_NAME.TABLE_NAME TO USER_NAME;
NOTE: user still list and describe other tables in the given schema.
You need to grant usage on the schema as well
GRANT USAGE ON SCHEMA this_schema TO GROUP my_user;
Without creating user group, you can do:
GRANT SELECT ON TABLE my_table IN SCHEMA this_schema TO my_user;
DBA_USER: create role test_2
DBA_user: grant create session, create any table, create any procedure to test_2;
grant succeeded.....
grant test_2 to new_user
now new_user:
create table items (item_number number(3) primary key,
item_name varchar2(40),
item_desp varchar2(20),
item_qty number(3));
Error: you have insufficient privilege
Exact Oracle error code would help, but first guess would be that new_user does not have privilege on SYSTEM (or other tablespace). It is not recommended to use SYSTEM tablespace in general, so let's create tablespace first.
Create separate tablespace for user :
create tablespace tbs_for_new_user
datafile 'tbs_nu.dbf' size 50m;
Then assign newly created tablespace to user as default
alter user "NEW_USER"
default tablespace "TBS_FOR_NEW_USER"
temporaty tablespace "TEMP"
account unlock; // if you did not unlock new_user account yet
alter user "NEW_USER" quota 50000m on TBS_FOR_NEW_USER;
alter user "NEW_USER" DEFAULT ROLE "TEST_2";
Then try to create table.
I try to grant specific privileges to my table "MEMBERS" in postgresql but nothing changes. More specifically I do this (through pgadmin console):
CREATE DATABASE login;
CREATE USER loginUser WITH PASSWORD 'xxxxxxxxxxxxx';
CREATE TABLE members (
id serial NOT NULL,
username varchar(30) NOT NULL
PRIMARY KEY(id)
)
ALTER USER loginuser WITH SUPERUSER;
ALTER TABLE members OWNER TO loginuser;
GRANT SELECT, UPDATE, INSERT, DELETE ON members TO loginuser;
The query is returned successfully but when I check the table's privileges through the pgadmin gui all of them are selected.
What am I missing?
By default, a table's owner has full privileges on it. If you want "loginuser" to have only select, update, insert, and delete privileges, you would normally revoke all privileges first, then grant just those four.
revoke all on members from loginuser;
grant select, update, insert, delete on members to loginuser;
This will appear to work for you, but it really won't. A database superuser can revoke privileges from a table's owner. But you've made "loginuser" a superuser. Whatever privileges you revoke, "loginuser" can just grant to herself.
You need to think more carefully about what you're trying to accomplish here.
I have a PostgreSQL database. I create new READ-ONLY users as follows:
$ sudo -upostgres psql postgres
postgres=# CREATE ROLE readonly;
postgres=# GRANT SELECT ON ALL TABLES IN SCHEMA public TO readonly;
postgres=# BEGIN;
postgres=# CREATE ROLE "<PUT_READONLY_USERNAME_HERE>" WITH LOGIN ENCRYPTED PASSWORD '<USE_A_NICE_STRONG_PASSWORD_PLEASE' IN ROLE readonly;
postgres=# COMMIT;
Also I have a table "is_admin" where I manually add new users (it happens really rarely). If it is read-only user users.is_admin = false and if it is user with all priveleges users.is_admin = true.
users.oid users.is_admin (bool)
1 true
2 false
3 false
... ...
Then in code I check if user is admin or not with this query:
SELECT users.is_admin
FROM users.users
JOIN pg_authid ON pg_authid.oid = users.oid::oid
WHERE rolname = "PUT_ROLNAME";
So, the main question is how to automatically add new users to "is_admin" table? I read that trigger or smth like that can help me (for example, trigger ON CREATE ROLE).
You can't create triggers on administrative change, like create role.
But I think you don't need is_admin column at all. You can simply use
select pg_has_role('username', 'rolename', 'MEMBER');
to determine if user has some role or not.
I have created two group roles in Postgres 9.2: one is called admins and the other is called readers.
The idea is very simple: admins create tables and readers have read access to these tables.
After granting privileges to both group roles everything worked as expected for exisintg objects. But now what about new objects?
So after reading this post I altered the default privileges to grant SELECT privileges to readers for any new table that admins create:
ALTER DEFAULT PRIVILEGES FOR ROLE admins IN SCHEMA public GRANT SELECT ON TABLES TO readers;
ALTER DEFAULT PRIVILEGES FOR ROLE admins IN SCHEMA public GRANT SELECT ON SEQUENCES TO readers;
But apparently, ALTER DEFAULT PRIVILEGES only affects the role itself but not the members of the role. Let me show you.
If I login as userX (a member of admins) and create a new table, no default privileges are granted (and therefore, readers cannot access this table):
test=# CREATE TABLE table1 (name VARCHAR(10)); -- Creating table as userX
test=# \dp table1
Access privileges
Schema | Name | Type | Access privileges | Column access privileges
--------+--------+-------+-------------------+--------------------------
public | table1 | table | |
However, the default privileges are granted if I create the table as admins (readers can access this table):
test=# SET ROLE admins;
test=# CREATE TABLE table2 (name VARCHAR(10)); -- Creating table as admins
test=# \dp table2
Access privileges
Schema | Name | Type | Access privileges | Column access privileges
--------+--------+-------+-----------------------+--------------------------
public | table2 | table | readers=r/admins +|
| | | admins=arwdDxt/admins |
Is there a way to alter the default privileges for ALL members of a group role? Or should I just alter default privileges for each user?
UPDATE: In this PostgreSQL forum someone asked a very similar question and the answer was:
Unfortunately I can't see a way to achieve what you want without granting default privileges to everybody involved.
However this question was asked 2 years ago. Is there a solution now?
If a user creates a table then this user becomes the owner of the table. So in your case any default privileges for userX apply, not those of admins. the solution is to SET ROLE admins before creating your table:
SET ROLE admins;
CREATE TABLE ... -- This now applies default privileges of admins
;
RESET ROLE;
More in general, you would want to do this always: Create all tables and views through a group role or some other role not used in daily operations and grant access to the relations to another group role whose privileges are inherited by regular login roles (users). This greatly facilitates security management.
Cheers,
Patrick