Hi Im trying to set the client_min_messages = error to a role using the postgres user, but when I login in the role I check current_setting('client_min_messages') and I get DEFAULT VALUE (notice). Ive already tried restarting config and also done some tests.
To summarize I did:
Login with postgres role.
check default values of client_min_messages(notice) and log_min_messages(warning).
ALTER ROLE anne SET client_min_messages = error;
ALTER ROLE anne SET log_min_messages = panic;
SELECT pg_reload_conf();
Logout postgres.
Login anne.
check SELECT current_setting('client_min_messages'), returning NOTICE(default value).
check SELECT current_setting('log_min_messages'), returning panic(non default value).
Test the code below
begin;
do $$
begin
raise info ' client_min_messages: %',current_setting('client_min_messages'); -- i get "notice"
raise debug ' time : %', NOW();
raise notice ' time : %', NOW();
raise warning ' time : %', NOW();
end $$;
I mean, I have to set client_min_messages every time I log with an user? So the Alter Role/User SET client_min_messages is useless?
I've tried changing login_min_messages to an specific role and when I login with the role the configuration remains ok(not default value).
The method should work. It worked for me.
Do you have any environment variables (like PGOPTIONS) set or explicit call out of the set client_min_messages command in the session?
Related
I am trying to drop a user from redshift:
DROP USER xx;
I get:
[2021-03-01 14:00:39] [2BP01][500310] [Amazon](500310) Invalid operation: user "xx" cannot be dropped because some objects depend on it
[2021-03-01 14:00:39] Details:
[2021-03-01 14:00:39] owner of default privileges on new relations belonging to user xx;
I already removed it from the group:
ALTER GROUP a DROP USER xx;
I run:
select *
from pg_user
LEFT JOIN pg_group ON pg_user.usesysid = ANY(pg_group.grolist)
order by 1;
And it returns: xx,109,false,false,false,********,,,,,
Also run:
revoke create,usage on schema public from xx;
revoke all privileges on schema public from xx;
Then run this:
SELECT
distinct s.schemaname,
u.usename,
--'REVOKE ALL ON ALL TABLES IN SCHEMA '+s.schemaname+' FROM ronnylopez;',
has_schema_privilege(u.usename,s.schemaname,'create') AS user_has_select_permission,
has_schema_privilege(u.usename,s.schemaname,'usage') AS user_has_usage_permission
FROM
pg_user u
CROSS JOIN
(SELECT DISTINCT schemaname FROM pg_tables) s
WHERE
user_has_select_permission=True
and u.usename = 'xx';
And it returns only one row:
public,xx,true,true
If i run the default acl:
select * from pg_default_acl where defacluser= 109;
109,0,r,"{group admins=arwdRxt/xx,xx=arwdRxt/xx}"
To drop these i pretend to use \ddp using psql but i get:
The server (version 8.0) does not support altering default privileges.
So i'm stuck on here and not able to drop the user....
You can use the view v_generate_user_grant_revoke_ddl provided on GitHub to generate all of the REVOKE statements needed to allow the DROP USER to complete.
The ddl column provides the generated SQL
SELECT ddl
FROM v_generate_user_grant_revoke_ddl
WHERE grantee = 'useriwanttodrop';
Run the generated SQL and then drop the user. May require superuser permission.
--Generated
SET SESSION AUTHORIZATION master;
REVOKE ALL ON DATABASE mydb FROM useriwanttodrop;
RESET SESSION AUTHORIZATION;
--Drop
DROP USER useriwanttodrop;
I am new to Oracle APEX. i am trying to create the rest web services from Oracle APEX 20.2 application, but i am facing HTTP failure error which is in the screenshot
Try to create an ACL to APEX. Run the select statement to verify the username that need permissions and then create the acl to that user.
-- Verify the APEX Schema
SELECT TABLE_OWNER FROM all_synonyms
WHERE SYNONYM_NAME = 'WWV_FLOW' and OWNER = 'PUBLIC'
-- Execute as sysdba
DECLARE
l_acl VARCHAR2(100) := 'aclname.xml';
l_desc VARCHAR2(100) := 'description';
l_principal VARCHAR2(30) := 'APEX_200200'; -- EXAMPLE APEX 20.2
l_host VARCHAR2(100) := 'localhost'; --hostname
BEGIN
dbms_network_acl_admin.create_acl(l_acl, l_desc, l_principal, TRUE, 'connect');
dbms_network_acl_admin.add_privilege(l_acl, l_principal, TRUE, 'resolve');
dbms_network_acl_admin.assign_acl(l_acl, l_host);
COMMIT;
END;
I want only DDL statements in postgresql logs.
I have set log_statement to ddl, and changed log_min_messages to 'log',but I still got log like this:
< 2018-05-15 05:10:25.078 EDT > LOG: MultiXact member wraparound protections are now enabled
< 2018-05-15 05:10:25.079 EDT > LOG: database system is ready to accept connections
< 2018-05-15 05:10:25.085 EDT > LOG: autovacuum launcher started
I want only DDL statements because I want to generate DDL patch from log to synchronize database in production environment.
Is there any better way?
look into https://github.com/pgaudit/pgaudit
or if you ant to code it, consider using https://www.postgresql.org/docs/current/static/event-triggers.html
eg:
so=# create or replace function notice_ddl() returns event_trigger as $$
begin
raise info '%', session_user || ' ran '||tg_tag||' '||current_query();
end;
$$ language plpgsql;
CREATE FUNCTION
so=# create or replace function notice_ddl() returns event_trigger as $$
begin
raise info '%', session_user || ':: ran "'||tg_tag||'" ('||current_query()||')';
end;
$$ language plpgsql;
CREATE FUNCTION
so=# create event trigger etg on ddl_command_start execute procedure notice_ddl();
CREATE EVENT TRIGGER
so=# create table so(i int);
INFO: vao:: ran "CREATE TABLE" (create table so(i int);)
CREATE TABLE
surely you can save statement to table of notify channel instead of rasing info...
also if you want to use postgres logs, look into csv logs
I added the postgis_topology extension, which added the topology schema to my database. However, my root user does not have sufficient privileges to use the functions in that schema in the AWS RDS instance. The topology schema was created with the following (as seen in pgAdmin):
CREATE SCHEMA topology
AUTHORIZATION rdsadmin;
When I try to run the statement SELECT topology.CreateTopology('element_topo', 4326); I get an error "permission denied for schema topology". When I try to drop the schema and start over, the error is "must be the owner of schema topology".
I also tried just granting permissions to my root user with
GRANT ALL ON ALL FUNCTIONS IN SCHEMA topology TO my_root_user;
but that just gives "permission denied for schema topology".
How can I grant privileges on this schema to my root user?
I have not found the reason that the CREATE EXTENSION postgis_topology; statement creates the topology schema and all its functions and tables with the rds admin user. However, that prevents other users from executing functions.
The following DO statement resolves the issues by updating the owner of the tables and functions to the role given to the database's root user.
DO
$BODY$
DECLARE
_sql text;
BEGIN
EXECUTE 'SET search_path = topology,public;';
EXECUTE 'ALTER SCHEMA topology OWNER TO rds_superuser;';
EXECUTE 'ALTER TABLE topology.topology OWNER TO rds_superuser;';
EXECUTE 'ALTER TABLE topology.topology_id_seq OWNER TO rds_superuser;';
EXECUTE 'ALTER SEQUENCE topology.topology_id_seq OWNER TO rds_superuser;';
EXECUTE 'ALTER TABLE topology.layer OWNER TO rds_superuser;';
SELECT INTO _sql
string_agg('ALTER FUNCTION '
|| nsp.nspname || '.'
|| p.proname || '('
|| pg_get_function_identity_arguments(p.oid)
|| ') OWNER TO rds_superuser;', E'\n'
)
FROM pg_catalog.pg_proc p
JOIN pg_catalog.pg_namespace nsp ON p.pronamespace = nsp.oid
WHERE nsp.nspname = 'topology';
EXECUTE _sql;
END
$BODY$;
The behavior is under going in postgresql version 9.5.
I'm trying to use the has_database_privilege function to check whether a user is allowed to connect to the database, but it always returns true. Even after running a revoke all privileges.
select * from has_database_privilege('tests', 'db_test', 'connect');
-- expected: true
-- return: true
-- Removing connection permission only.
revoke connect on database db_test from tests;
select * from has_database_privilege('tests', 'db_test', 'connect');
-- expected: false
-- return: true
-- Removing all permissions.
revoke all privileges on database db_test from tests;
select * from has_database_privilege('tests', 'db_test', 'connect');
-- expected: false
-- return: true
I am doing something wrong or is this a bug?