dropping a postgres role - postgresql

I am struggling with dropping a read-only user I created on one of the databases in the cluster. I created the read-only user using the following script:
CREATE USER is_user_readonly WITH ENCRYPTED PASSWORD 'test1';
GRANT CONNECT ON DATABASE db1 to is_user_readonly;
GRANT USAGE ON SCHEMA public to is_user_readonly;
GRANT SELECT ON ALL SEQUENCES IN SCHEMA public TO is_user_readonly;
GRANT SELECT ON ALL TABLES IN SCHEMA public TO is_user_readonly;
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO is_user_readonly;
I logged in to database db1 and created this user is_user_readonly. I logged in as admin. This user is created on all databases in the cluster.
Now, for dropping this user, I logged in to db1 as admin and ran the scripts below:
REVOKE ALL PRIVILEGES ON DATABASE db1 FROM is_user_readonly;
REVOKE ALL PRIVILEGES ON SCHEMA public FROM is_user_readonly;
REVOKE ALL PRIVILEGES ON ALL TABLES IN SCHEMA public FROM is_user_readonly;
REVOKE ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA public FROM is_user_readonly;
REVOKE USAGE ON SCHEMA public FROM is_user_readonly;
REVOKE CONNECT ON DATABASE db1 FROM is_user_readonly;
At this point I am really pulling my hair out, because there is still some dependency.
SQL Error [2BP01]: ERROR: role "is_user_readonly" cannot be dropped because some objects depend on it
Detail: privileges for default privileges on new relations belonging to role isadmin in schema public
Do I need to run the revoke script on all databases in this cluster?
Any help is highly appreciated.

Revoke the default privileges:
ALTER DEFAULT PRIVILEGES FOR ROLE whatever IN SCHEMA public
REVOKE SELECT ON TABLES FROM is_user_readonly;
The role whatever here is the user you were logged in as when you ran the ALTER DEFAULT PRIVILEGES statement.
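An added example (not part of the answer) that locates the dependency the error message refers to and removes it. Default privileges, like ordinary grants, are stored per database, so run this as a superuser (or as the role that owns the defaults) in each database where the read-only setup was executed; the role and schema names are the ones from the question.

```sql
-- 1. List every default-privilege entry in this database that names the role,
--    together with the role whose defaults they are (the "whatever" in the answer).
SELECT d.defaclrole::regrole AS defaults_for_role,
       n.nspname             AS schema_name,   -- NULL means "all schemas"
       d.defaclobjtype       AS obj_type,      -- r relations, S sequences, f functions, T types, n schemas
       a.privilege_type
FROM   pg_default_acl d
LEFT   JOIN pg_namespace n ON n.oid = d.defaclnamespace
CROSS  JOIN LATERAL aclexplode(d.defaclacl) a
WHERE  a.grantee = 'is_user_readonly'::regrole;

-- 2. Undo the entry the error detail points at:
--    "default privileges on new relations belonging to role isadmin in schema public".
ALTER DEFAULT PRIVILEGES FOR ROLE isadmin IN SCHEMA public
    REVOKE SELECT ON TABLES FROM is_user_readonly;

-- 3. Alternatively, let PostgreSQL strip everything at once: DROP OWNED revokes all
--    privileges the role holds in the current database, default-privilege entries
--    included, and drops any objects the role owns. Repeat in every database.
DROP OWNED BY is_user_readonly;

-- 4. Roles are cluster-wide; this succeeds only once no database still references it.
DROP ROLE is_user_readonly;
```

If step 4 still fails, its DETAIL line names the database and object that still reference the role; connect there and repeat steps 1 to 3.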

Related

How to create user(read-write & readonly) and admin roles for an existing postgres database?

We have an existing postgres database in production with a superuser adm that is being used to do everything. Our web application connects to the database using the same user, and the administrators (for patching/updating etc.) use the same credentials.
We have to fix this to have roles so that we can have read-write, readonly and admin roles.
We don't want our web application and admin to connect to the database as superuser.
With that being said, I have created the following SQL script to make the appropriate roles.
I am not a database expert (not yet), so I wanted to know the issues or better ways to solve this.
ALTER ROLE adm NOLOGIN;
CREATE role user_role NOINHERIT;
CREATE role readonlyuser_role NOINHERIT;
CREATE role admin_role CREATEDB CREATEROLE NOINHERIT;
CREATE ROLE u_service LOGIN PASSWORD '<some password>' INHERIT;
CREATE ROLE u_admin LOGIN PASSWORD '<some password>' INHERIT;
CREATE ROLE u_reader LOGIN PASSWORD '<some password>' INHERIT;
GRANT SELECT ON ALL TABLES IN SCHEMA public TO readonlyuser_role;
GRANT ALL PRIVILEGES ON SCHEMA public TO admin_role;
GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO user_role, admin_role;
GRANT ALL PRIVILEGES ON ALL FUNCTIONS IN SCHEMA public TO user_role, admin_role;
GRANT ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA public TO user_role, admin_role;
GRANT ALL PRIVILEGES ON ALL PROCEDURES IN SCHEMA public TO user_role, admin_role;
GRANT ALL PRIVILEGES ON ALL ROUTINES IN SCHEMA public TO user_role, admin_role;
GRANT ALL PRIVILEGES ON SCHEMA audit TO admin_role;
GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA audit TO admin_role;
GRANT ALL PRIVILEGES ON ALL FUNCTIONS IN SCHEMA audit TO admin_role;
GRANT ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA audit TO admin_role;
GRANT ALL PRIVILEGES ON ALL PROCEDURES IN SCHEMA audit TO admin_role;
GRANT ALL PRIVILEGES ON ALL ROUTINES IN SCHEMA audit TO admin_role;
GRANT admin_role TO u_admin;
GRANT user_role TO u_service;
GRANT readonlyuser_role TO u_reader;
A few things to consider.
Spell out what user_role and readonlyuser_role can do
Start by revoking all privileges from both these roles, then add them back only as needed. This makes it both clearer in your intentions about what the roles should do, and safer in practice because higher privileges than intended won't accidentally sneak in.
REVOKE ALL ON SCHEMA public FROM public; --only authorized roles can do anything here.
REVOKE ALL ON SCHEMA public FROM user_role;
REVOKE ALL ON SCHEMA public FROM readonlyuser_role;
GRANT ...
The Database Owner is a local Superuser
We usually make the db owner an additional role, one that only logs in to create or alter the schema, then gracefully exits. If your admin_role does more than this, consider adding an owner_role.
Does a public role need to connect?
Consider adding
REVOKE CONNECT ON DATABASE yourdb FROM public;
This blocks the loophole where any role created on the same DB server could log into this database.
Do all this in a transaction block
Stopping privilege assignment half-way through the job can lead to all sorts of trouble, much akin to locking your keys in your car. Make the privilege assignments a single transaction where possible, so a missed semicolon doesn't lock you out.
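The answer's four points combined into one transaction, as an added example rather than the answer author's script. It assumes the names from the question (yourdb, user_role, readonlyuser_role, admin_role) and is run as a superuser; the DO block at the end aborts the whole transaction if the read-only role can still write or if PUBLIC still has schema access.

```sql
BEGIN;

-- Close the loopholes first: PUBLIC may no longer connect or touch the schema.
REVOKE CONNECT ON DATABASE yourdb FROM PUBLIC;
REVOKE ALL ON SCHEMA public FROM PUBLIC;

-- Start the application roles from zero so nothing unintended survives.
REVOKE ALL ON SCHEMA public FROM user_role, readonlyuser_role;
REVOKE ALL ON ALL TABLES    IN SCHEMA public FROM user_role, readonlyuser_role;
REVOKE ALL ON ALL SEQUENCES IN SCHEMA public FROM user_role, readonlyuser_role;

-- Add back exactly what each role is for.
GRANT CONNECT ON DATABASE yourdb TO admin_role, user_role, readonlyuser_role;
GRANT ALL   ON SCHEMA public TO admin_role;
GRANT USAGE ON SCHEMA public TO user_role, readonlyuser_role;
GRANT SELECT ON ALL TABLES IN SCHEMA public TO readonlyuser_role;
GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA public TO user_role;
GRANT USAGE, SELECT ON ALL SEQUENCES IN SCHEMA public TO user_role;

-- Guard: a failed check raises, which rolls back every statement above.
DO $$
BEGIN
    IF EXISTS (SELECT 1
               FROM   information_schema.tables
               WHERE  table_schema = 'public'
               AND    has_table_privilege('readonlyuser_role',
                          format('%I.%I', table_schema, table_name),
                          'INSERT, UPDATE, DELETE, TRUNCATE')) THEN
        RAISE EXCEPTION 'readonlyuser_role still holds write privileges';
    END IF;
    IF has_schema_privilege('public', 'public', 'USAGE, CREATE') THEN
        RAISE EXCEPTION 'PUBLIC still has access to schema public';
    END IF;
END $$;

COMMIT;
```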

Question about permissions on Postgres

I know it should be an easy question, but I am still facing an issue with permissions.
I need to have 3 users in postgres:
Full admin, like the default "postgres" user
Should have insert, select, update and delete access, but no admin access
Should have read-only access to all tables
I did it this way:
CREATE role program_schema_role_ro ;
CREATE role program_schema_role_normal ;
CREATE role program_schema_role_admin ;
CREATE USER user_ro WITH PASSWORD 'user_ro';
CREATE USER user_app WITH PASSWORD 'user_app';
CREATE USER user_admin WITH PASSWORD 'user_admin';
GRANT program_schema_role_ro to user_ro;
GRANT program_schema_role_normal TO user_app;
GRANT program_schema_role_admin TO user_admin;
GRANT program_schema_role_admin TO postgres;
ALTER DEFAULT PRIVILEGES FOR ROLE program_schema_role_admin IN SCHEMA public GRANT ALL ON TABLES TO program_schema_role_admin;
GRANT ALL ON ALL TABLES IN SCHEMA public TO program_schema_role_admin;
GRANT posgtres TO program_schema_role_admin;
ALTER DEFAULT PRIVILEGES FOR ROLE program_schema_role_admin GRANT ALL ON SEQUENCES TO program_schema_role_admin;
GRANT ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA public TO program_schema_role_admin;
REVOKE program_schema_role_admin FROM postgres;
GRANT program_schema_role_normal TO postgres;
ALTER DEFAULT PRIVILEGES FOR ROLE program_schema_role_normal IN SCHEMA public GRANT SELECT, INSERT, UPDATE, DELETE, TRUNCATE ON TABLES TO program_schema_role_normal;
GRANT SELECT, INSERT, UPDATE, DELETE, TRUNCATE ON ALL TABLES IN SCHEMA public TO program_schema_role_normal;
ALTER DEFAULT PRIVILEGES FOR ROLE program_schema_role_normal GRANT USAGE, SELECT ON SEQUENCES TO program_schema_role_normal;
GRANT USAGE, SELECT ON ALL SEQUENCES IN SCHEMA public TO program_schema_role_normal;
REVOKE program_schema_role_normal FROM postgres;
GRANT program_schema_role_ro TO postgres;
ALTER DEFAULT PRIVILEGES FOR ROLE program_schema_role_ro IN SCHEMA public GRANT SELECT ON TABLES TO program_schema_role_ro;
GRANT SELECT ON ALL TABLES IN SCHEMA public TO program_schema_role_ro;
ALTER DEFAULT PRIVILEGES FOR ROLE program_schema_role_ro GRANT SELECT ON SEQUENCES TO program_schema_role_ro;
GRANT SELECT ON ALL SEQUENCES IN SCHEMA public TO program_schema_role_ro;
REVOKE program_schema_role_ro FROM postgres;
But still, after all of this, I am facing a lot of issues.
For example, after a new table is created by admin, the others have no read access.
Or the app user or ro user has permissions to alter.
Where is my mistake?
The ALTER DEFAULT PRIVILEGES statements you run will only affect objects created by program_schema_role_ro itself, not objects created by members of that role.
You'd have to run
ALTER DEFAULT PRIVILEGES FOR ROLE user_admin ...

Creating admin user in PostgreSQL

I am trying to create an admin role/user in PostgreSQL which should fulfil the following requirements:
Should be able to do backup for the particular database (and not others)
Should be able to create usernames which can access the particular database (and not others).
Should be able to create/delete tables in the specific database and not other databases
Should not be able to create other databases.
This is what I have so far:
create role dba with nosuperuser createdb createrole nologin replication bypassrls;
grant usage on schema public to dba;
alter default privileges in schema public grant all on tables to dba;
alter default privileges in schema public grant all on sequences to dba;
grant connect on database myDatabase to dba;
grant usage on schema public to dba;
grant select on all tables in schema public to dba;
grant select on all sequences in schema public to dba;
grant all privileges on all tables in schema public to dba;
create user dba_user login inherit encrypted password 'password' in role dba;
Please advise how to modify the above code to fulfill the requirements.
To achieve that, perform the following modifications:
Transfer ownership of the database and all schemas and objects in it to the new user.
Give the user CREATEROLE.
Make sure to REVOKE CONNECT ON all databases FROM PUBLIC. Grant the new user the CONNECT privilege on the database in question.
Don't give the new user any permissions on other databases or objects therein.

Privileges not being updated

After running
db=> GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO userx;
WARNING: no privileges were granted for "pg_stat_statements"
GRANT
I tried to
drop trigger t_table on tablex;
I got this result
[42501] ERROR: must be owner of relation tablex
This is everything I ran to change my privileges:
GRANT CONNECT ON DATABASE dbx to userx;
GRANT USAGE ON SCHEMA public to userx;
GRANT ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA public TO userx;
GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO userx;
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL PRIVILEGES ON TABLES TO userx;
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL PRIVILEGES ON SEQUENCES TO userx;
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL PRIVILEGES ON FUNCTIONS TO userx;
What could I possibly be missing? Could WARNING: no privileges were granted for "pg_stat_statements" mean something, or is it stopping at that table and not adding the privileges?
Like the error message says, only the table owner (and a superuser) can do that.
The TRIGGER privilege allows you to create a trigger on the table, but not to drop one.
Ownership is not a privilege you can grant; you have to use ALTER TABLE ... OWNER TO ... for that.
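Both the ownership transfer listed in the admin-user answer above and the "must be owner of relation" error here come down to changing owners, which has to be done object by object. The following is an added example, not from either answer: run as a superuser, it reassigns every table, view, materialized view, sequence and foreign table in schema public to the role new_owner (a placeholder; substitute dba or userx as appropriate). Tables are processed before sequences because a sequence linked to a serial column must keep the same owner as its table.

```sql
DO $$
DECLARE
    r record;
BEGIN
    FOR r IN
        SELECT c.relkind,
               format('%I.%I', n.nspname, c.relname) AS qualified_name
        FROM   pg_class c
        JOIN   pg_namespace n ON n.oid = c.relnamespace
        WHERE  n.nspname = 'public'
        AND    c.relkind IN ('r', 'p', 'v', 'm', 'S', 'f')   -- tables, partitioned, views, matviews, sequences, foreign
        AND    c.relowner <> 'new_owner'::regrole             -- skip what is already correct
        ORDER  BY (c.relkind = 'S')                           -- false first: tables before sequences
    LOOP
        EXECUTE format('ALTER %s %s OWNER TO %I',
                       CASE r.relkind
                           WHEN 'v' THEN 'VIEW'
                           WHEN 'm' THEN 'MATERIALIZED VIEW'
                           WHEN 'S' THEN 'SEQUENCE'
                           WHEN 'f' THEN 'FOREIGN TABLE'
                           ELSE          'TABLE'
                       END,
                       r.qualified_name, 'new_owner');
    END LOOP;
END $$;

-- Verify: anything in public not owned by new_owner shows up here.
SELECT c.relname, c.relkind, c.relowner::regrole AS owner
FROM   pg_class c
JOIN   pg_namespace n ON n.oid = c.relnamespace
WHERE  n.nspname = 'public'
AND    c.relkind IN ('r', 'p', 'v', 'm', 'S', 'f')
AND    c.relowner <> 'new_owner'::regrole;
```

ALTER TABLE ... OWNER TO also moves the table's indexes and any sequences owned by its columns, so the ALTER SEQUENCE statements that follow are no-ops for those.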

Grant access to views in postgresql

I have a view called testview in postgresql.
I created a new user called testuser.
I would like testuser to have all privileges on all tables and views in the database.
To do this I ran the following commands:
GRANT ALL PRIVILEGES ON DATABASE testdb TO testuser;
GRANT USAGE ON SCHEMA public TO testuser;
GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO testuser;
testuser now has access to all tables in the database, but if I try to run SELECT * FROM testview I get the following error: permission denied for relation testview.
What is wrong? How does testuser get access to testview?
I agree it should work. With permissions, GRANT ... ON ALL TABLES should include views too.
Did you create the view after granting the privileges to testuser? If so then it doesn't have the same privileges as the other tables. That's because GRANT ... ON ALL TABLES means "on all tables that currently exist". To include tables/views you create in the future, you can say:
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO testuser;
Or if you want to give more than SELECT, you can say ALL PRIVILEGES instead.
I think this behavior of ON ALL TABLES is one of the most misunderstood bits about Postgres permissions, and it isn't really called out in the standard documentation, so I tried to emphasize it in my own Postgres permissions overview.
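The two behaviours described in this answer and in the program_schema_role answer above (GRANT ... ON ALL TABLES covers only relations that exist now, views included, and ALTER DEFAULT PRIVILEGES without FOR ROLE covers only objects the current role creates) reproduced in one self-contained script. This is an added example, not code from either answer; run it as a superuser in a scratch database, the roles demo_creator and demo_ro are constructed for the demo, and the final ROLLBACK discards everything.

```sql
BEGIN;
CREATE ROLE demo_creator;
CREATE ROLE demo_ro;
GRANT USAGE, CREATE ON SCHEMA public TO demo_creator;  -- needed on PostgreSQL 15+
GRANT USAGE ON SCHEMA public TO demo_ro;

-- (a) GRANT ... ON ALL TABLES is a snapshot: it covers relations that exist now.
CREATE VIEW v_before AS SELECT 1 AS x;
GRANT SELECT ON ALL TABLES IN SCHEMA public TO demo_ro;
CREATE VIEW v_after AS SELECT 2 AS x;
-- v_before is covered by the GRANT; v_after, created afterwards, is not.
SELECT has_table_privilege('demo_ro', 'v_before', 'SELECT') AS v_before_readable,
       has_table_privilege('demo_ro', 'v_after',  'SELECT') AS v_after_readable;

-- (b) Without FOR ROLE, the default applies only to objects the CURRENT role creates.
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO demo_ro;
CREATE VIEW v_by_superuser AS SELECT 3 AS x;
SET ROLE demo_creator;
CREATE TABLE t_by_creator (x int);
RESET ROLE;
-- The superuser's view gets the default; demo_creator's table does not.
SELECT has_table_privilege('demo_ro', 'v_by_superuser', 'SELECT') AS superuser_obj_readable,
       has_table_privilege('demo_ro', 't_by_creator',   'SELECT') AS creator_obj_readable;

-- (c) The fix: key the default on the role that actually creates the objects.
ALTER DEFAULT PRIVILEGES FOR ROLE demo_creator IN SCHEMA public
    GRANT SELECT ON TABLES TO demo_ro;
SET ROLE demo_creator;
CREATE TABLE t_by_creator_2 (x int);
RESET ROLE;
-- demo_ro can now read objects demo_creator creates from here on.
SELECT has_table_privilege('demo_ro', 't_by_creator_2', 'SELECT') AS creator_obj_readable;

ROLLBACK;  -- nothing from this demo persists
```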
postgres=# GRANT ALL PRIVILEGES ON DATABASE testdb TO testuser;
postgres=# GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO testuser;
GRANT USAGE on schema:
GRANT USAGE ON SCHEMA schema_name TO username;
Grant SELECT for a specific table:
GRANT SELECT ON tbl_loans_new TO oloffm;
Grant SELECT for multiple tables:
GRANT SELECT ON ALL TABLES IN SCHEMA schema_name TO username;