On google cloud, with "postgres" user (which is not superuser), i do:
CREATE ROLE postgres_subuser1 LOGIN PASSWORD 'some_pass';
CREATE ROLE postgres_subuser2 LOGIN PASSWORD 'some_pass';
GRANT postgres TO postgres_subuser1;
GRANT postgres TO postgres_subuser2;
Above part wroks, though then I try to set users access on each other objects:
ALTER DEFAULT PRIVILEGES FOR ROLE postgres_subuser1 GRANT ALL PRIVILEGES ON TABLES TO postgres_subuser2;
ALTER DEFAULT PRIVILEGES FOR ROLE postgres_subuser2 GRANT ALL PRIVILEGES ON TABLES TO postgres_subuser1;
gives: must be member of role "postgres_subuser1"
How can solve that?
BTW, if try same on local instance, it works without any error, but this error raises on google cloud.
You need to explicitly grant the postgres user the role. Eg:
GRANT postgres_subuser1 TO postgres;
Related
I can't grant a new role on all tables. A table denies the query. How can I grant the user to be able run this command?
CREATE ROLE userrole123 WITH LOGIN PASSWORD 'userrole123' VALID UNTIL '2024-01-07 09:37:39.0' INHERIT;
GRANT SELECT ON ALL TABLES IN SCHEMA public TO userrole123;
Output
SQL Error [42501]: ERROR: permission denied for table test
I run this command GRANT USAGE ON SCHEMA public to myusername but it did not solve it.
Thanks
The documentation is pretty outspoken there:
Ordinarily, only the object's owner (or a superuser) can grant or revoke privileges on an object. However, it is possible to grant a privilege “with grant option”, which gives the recipient the right to grant it in turn to others.
So obviously the user who is running the GRANT is neither a superuser, nor does it own test, nor has it been granted the SELECT privilege WITH GRANT OPTION.
Created a user/role via following method is Aurora Postgres:
CREATE ROLE rds_user_test;
GRANT rds_superuser to rds_user_test;
GRANT rds_iam TO rds_user_test;
When I login using IAM DB Auth as rds_user_test it appears that I can do all operations as needed except creating or altering roles (maybe other functionality is missing but haven't tested all operations yet). When I check role memberships of this new role against other roles that are able to create/alter roles, both are members of superuser.
I also followed the instructions here:
https://aws.amazon.com/premiumsupport/knowledge-center/rds-aurora-postgresql-clone-master-user/
Still get the same permissions error:
[42501] ERROR: permission denied to create role
Any thoughts on why this new role cannot create/alter other roles even though it seems to have the same privileges of superuser as other roles?
rds_superuser on Amazon Aurora is typically not a superuser. Check with:
SELECT rolsuper FROM pg_roles WHERE rolname = 'rds_superuser';
But to create a role, you don't need superuser privileges. All you need is the CREATEROLE privilege. Check if your user has that:
SELECT rolcreaterole FROM pg_roles WHERE rolname = 'rds_user_test';
Else you need to grant it (as a role that's allowed to do so):
ALTER ROLE rds_user_test CREATEROLE;
Any role with the CREATEROLE privilege can do that (typically including rds_superuser).
The manual:
Roles having CREATEROLE privilege can change any of these settings except SUPERUSER, REPLICATION, and BYPASSRLS; but only for non-superuser and non-replication roles.
The instructions you followed, explicitly instruct to add CREATEROLE, you seem to have skipped that bit:
CREATE ROLE new_master WITH PASSWORD 'password' CREATEDB CREATEROLE LOGIN;
I'm trying to give an entire database access to a user, but remove access for a specific table or a specific schema that has confidential data, but it's just not working out, tried multiple - grant and revoke statements but in vain.
This is what I've tested so far.
Initially, I had this role for the user
GRANT ALL ON DATABASE raw TO ROLE transformer;
checked the grants and removed that
SHOW GRANTS TO ROLE transformer;
revoke select on all tables in schema raw.<secret_schema> from role transformer;
revoke all on DATABASE raw from ROLE transformer;
Started giving access to individual schemas/tables, but the "grant usage on database" just gives every schema/table access to the user
grant usage on database raw to role transformer ; -- usage gives all tables access
grant usage on schema raw.<open_schema> to role transformer ;
grant all on schema raw.<open_schema> to role transformer ;
grant select on all tables raw.<open_schema> to role transformer ;
Lastly, tried these revoke too, but in vain
revoke select on table raw.<secret_schema>.s from ROLE transformer;
revoke usage on schema raw.<secret_schema> from role transformer;
For more information, this access is for a DBT user and an analyst user, who can hit/select/read the raw database , but just 1 schema/table should not be accessible, rest all should be with a "future tables" clause.
Design deep-dive: https://blog.getdbt.com/how-we-configure-snowflake/
As Greg, already mentioned (and demonstrated), "GRANT ALL ON DATABASE raw TO ROLE x" does not grant permission to access the objects in the database. It grants permission to modify the database object (in your case, it's not needed and I would suggest you not grant it according to the "Principle of least privilege").
https://docs.snowflake.com/en/user-guide/security-access-control-privileges.html#database-privileges
I think, the confusing thing is, "revoke from" command does not return any error if you try to revoke permission that was not granted:
create role r2;
revoke all on database gokhan_db from role r2;
So your revoke commands do not fail, but in fact, they do not revoke anything, as this permission were assigned to the role public:
revoke select on table raw.<secret_schema>.s from ROLE transformer;
revoke usage on schema raw.<secret_schema> from role transformer;
Could you check the permissions of the role public, again?
show grants to role public;
grant usage on database raw to role transformer ; -- usage gives all
tables access
This is not what's granting access to the tables; something else is. You can confirm that running a simple script like this one:
use role securityadmin;
create role new_role_1;
grant role new_role_1 to user my_user;
use role sysadmin;
grant usage on database test to role new_role_1;
use role new_role_1;
select * from test.public.foo; --SQL compilation error: Object 'TEST.PUBLIC.FOO' does not exist or not authorized.
use role sysadmin;
select * from test.public.foo; -- Works
Roles inherit from other roles. All roles inherit from the PUBLIC role by default. Could someone have granted the PUBLIC roles the privileges that this role is inheriting? Does it inherit from a role that has more permissions than PUBLIC?
created a postgresql instance on AWS with the username ziggy. I restored a database to that instance. however I cannot even select any of the tables
select * FROM mac_childcare_parcels
gives me ERROR: permission denied for relation mac_childcare_parcels
********** Error **********
the owner of that table belongs to the postgres login.
so i tried running this: grant all privileges on all tables in schema public to ziggy but since I am not a superuser I cannot give myself privileges so that throws a permissions error. what do I have to do to get access to the tables?
this does not work either
grant select on mac_childcare_parcels to ziggy
this query returns successful but does not let the login ziggy access the tables
GRANT USAGE ON SCHEMA public TO ziggy;
First login with superuser and provide all rds superuser access to the newly created user using a command like below
GRANT rds_superuser TO ziggy;
replace rds_superuser with your rds superuser.
You need to also GRANT USAGE on the SCHEMA, e.g.
GRANT USAGE ON SCHEMA public TO ziggy;
The superuser access is needed to run the access level queries. But as you said that access is not present then i would say copy the replica of the db which you have restored from backup and grant yourself as superuser.
then provide all needed access to any users.
I created several login and group roles in pgadmin. I then added these login roles to their respective group roles. Then I give these group roles login privileges to a database as well as other required privileges.
But connecting to the database fails with "User does not have CONNECT privilege".
Then I grant login privileges directly to the login roles in pgsql, because pgadmin does not let me add privileges to login roles, only group roles.
Now the user is able to connect to the database, but still gets various privilege errors until I give privileges directly to the login role.
Is this a bug in PostgreSQL (v 9.4.5 for Windows), or what is going on here? I also tried to add privileges to group roles using pgsql instead of pgadmin, with same results.
CREATE ROLE user_g
NOSUPERUSER INHERIT NOCREATEDB NOCREATEROLE NOREPLICATION;
CREATE ROLE user_l LOGIN
ENCRYPTED PASSWORD 'md5...'
NOSUPERUSER NOINHERIT NOCREATEDB NOCREATEROLE NOREPLICATION;
GRANT user_g TO user_l;
GRANT ALL ON DATABASE db TO postgres;
GRANT CONNECT ON DATABASE db TO user_g;
REVOKE ALL ON DATABASE db FROM public;
Above statements do not give user_l privileges to connect to the database, but following does.
GRANT CONNECT ON DATABASE db TO user_l;
The problem then repeats for functions and everything else that requires privileges.