As per the AWS documentation,
To run a Redshift Spectrum query, you need the following permissions:
Usage permission on the schema
Permission to create temporary tables in the current database
I have an External database, schema and a table created in that schema.
I created a new Redshift user to which I granted 'usage' privileges on the external schema:
grant usage on external_schema to new_user;
But I did not provided 'temp' privileges on external_database to my new_user.
Also, there are no default privileges, as I checked PG_DEFAULT_ACL using master user and there are no rows in it.
Can someone let me know why I am able to query the external table?
In Amazon Redshift, Database and Schema are different concepts. User objects (Redshift and external) are created in Schema and TEMP objects are created in "temp" schemas and are available at database level.
In some cases, where join between Spectrum tables and Redshift tables is applied, Redshift needs to create temporary tables and that's why it is mentioned in documentation to avoid any failure/error for users.
Here is what documentation says:
Grants the privilege to create temporary tables in the specified database. To run Amazon Redshift Spectrum queries, the database user must have permission to create temporary tables in the database.
Note
By default, users are granted permission to create temporary tables by their automatic membership in the PUBLIC group. To remove the privilege for any users to create temporary tables, revoke the TEMP permission from the PUBLIC group. Then explicitly grant the permission to create temporary tables to specific users or groups of users.
Related
I am the admin of a PostgreSQL 11 DB on Azure.
Some of the users only have access to specific views.
The users were created by:
CREATE USER M1234 WITH PASSWORD '1234!';
GRANT USAGE ON SCHEMA public TO M1234;
GRANT SELECT ON table v_xxx TO M1234;
GRANT SELECT ON table v_yyy TO M1234;
For some reason the grant for select on one or all the existing views is removed every so often and the users of course cannot access.
I would really appreciate it if anyone has any insight as to why and how this could happen and if there is a more long term solution.
You grant SELECT on existing tables, but for future tables, you need additional permissions
-- Grant access to future tables ALTER DEFAULT PRIVILEGES IN SCHEMA a_given_schema GRANT SELECT ON TABLES TO read access;
I have a Postgres database and a read-only user that I want to grant permissions to. I have two schemas currently but expect to make many more in the future. How do I grant select permissions to my read-only user so that they can read data from the tables that are currently created as well as tables that will be created in a new schema in the future?
I don't want to have to explicitly grant permissions for each new schema when they are created.
Use ALTER DEFAULT PRIVILEGES without specifying any schema:
The privileges can be set globally (i.e., for all objects created in the current database) […]
If IN SCHEMA is omitted, the global default privileges are altered.
So this should do it:
ALTER DEFAULT PRIVILEGES FOR whoever_will_create_the_tables
GRANT SELECT ON TABLES TO the_readonly_user;
ALTER DEFAULT PRIVILEGES FOR whoever_will_create_the_schemas
GRANT USAGE ON SCHEMAS TO the_readonly_user;
Granting the privilege on the tables that already are created needs a separate statement:
GRANT SELECT ON ALL TABLES IN SCHEMA schema_1, schema_2 TO the_readonly_user;
I have a postgres instance with a user root that has full admin privileges.
I have two databases db1 and db2.
For every database, I would like to have two users dbN_user and dbN_admin. dbN_user will be the used by my application, and dbN_admin will be used for migrations that change the table structure.
No rows are ever deleted by the application, and I would like to enforce that with user privileges.
db1_user should be able to connect to db1, and be able to SELECT, INSERT and UPDATE, but not DELETE.
db1_admin should have additional privileges to DELETE, CREATE TABLE, ALTER TABLE.
What are the SQL statements to set this up?
dbN_admin would be the owner of the objects, so that user would have all privileges automatically.
You need to GRANT the privileges for dbN_user on the tables and other objects themselves, not on the database.
Just add the correct GRANT statements after the CREATE TABLE statements in the SQL script that populates the database.
You need to GRANT the USAGE privilege on the schema that contains the objects to dbN_user as well.
There is the possibility to define default privileges in a database:
ALTER DEFAULT PRIVILEGES FOR dbN_admin
GRANT SELECT, INSERT, UPDATE ON TABLES
TO dbN_user;
This will grant the privileges automatically whenever dbN_admin creates a new table (but it does not affect tables created before the ALTER DEFAULT PRIVILEGES command).
admin:
create user db1_admin;
create schema app_relations;
alter schema app_relations owner to db1_admin;
app:
create user db1_user;
grant CONNECT ON DATABASE db1 to db1_user; --only if you have restricted connections on db previously
grant usage on schema app_relations to db1_user;
grant select,insert,update on all tables in schema app_relations to db1_user;
I am working around a workaround to a "feature" in IBM DB2.
This fancy database has a "feature" in it which if I try to use a CREATE TABLE statement and it doesn't find the schema, it will create this schema for me, even if I don't want it to. This bug has caused me a lot of hours in debugging, because my code right now exists with the expectation that it won't create the schema if it doesn't exist
My question is -- how do I change the permissions of a particular schema (or even during the create schema phase) which a particular user does not have access to view?
I checked out this doc..
It seems with GRANT, there are the following three permissions:
ALTERIN
Grants the privilege to alter or comment on all objects in the
schema. The owner of an explicitly created schema automatically
receives ALTERIN privilege.
CREATEIN
Grants the privilege to create
objects in the schema. Other authorities or privileges required to
create the object (such as CREATETAB) are still required. The owner of
an explicitly created schema automatically receives CREATEIN
privilege. An implicitly created schema has CREATEIN privilege
automatically granted to PUBLIC.
DROPIN
Grants the privilege to drop
all objects in the schema. The owner of an explicitly created schema
automatically receives DROPIN privilege
With only ALTERIN, CREATEIN, and DROPIN, I don't see anything relevant to view access permissions :/
EDIT:
I checked out our Dash DB database for this particular table which has these special permissions for particular users using the following SQL:
SELECT * FROM SYSIBMADM.PRIVILEGES WHERE OBJECTSCHEMA = 'FAKE_SCRATCH';
This is the result:
EDIT 2:
I tried the following to emulate Dash DB's permissions for that user for that schema:
GRANT ALTERIN, CREATEIN, DROPIN ON SCHEMA FAKE_SCRATCH TO USER TEST_USER;
Still doesn't work :/
The following SQL query executed in DB2 fixed the problem:
REVOKE IMPLICIT_SCHEMA ON DATABASE FROM PUBLIC
I have a bit of a funny situation in Amazon Redshift where I have a user X who has grant select on all tables in schema public, but once a new table is created, this grant doesn't seem to apply to the new table. Is this normal behaviour? If yes, how does one deal with it such that the schema level grants are maintained. Thank you.
Executing the following command as super user (master):
alter default privileges
for user staging_user
in schema staging
grant select on tables
to reporting_user;
will allow reporting_user to select data from all future tables created by staging_user in schema staging.
In Redshift tables and views do not automatically inherit the permissions of their parent schema. Your newly created tables are only accessible to the user who created them, and the superuser.
In a recent patch to Redshift a new feature to grant default privileges was implemented that addresses this issue.
Alter Default Privileges
The following code snippet will grant select privileges only for all future tables in the sales schema to the sales_admin group. If you want this to apply to existing tables in a schema you will need to combine it with a second grant statement.
alter default privileges in schema sales grant select on tables to group sales_admin;
This is a normal behavior. Only the object owner/superuser have permission to use the object by default.
http://docs.aws.amazon.com/redshift/latest/dg/r_Privileges.html
You can add grant command to your create table statement and grant needed privileges for the user.
When we first spotted new tables not appearing in our reporting tool, I discovered a quick workaround is to re-execute the following SQL statement for the groups/users impacted:
ALTER DEFAULT PRIVILEGES IN SCHEMA <SCHEMANAME> GRANT SELECT ON TABLES TO GROUP <USER/GROUPNAME>;