In Redshift I have a data_reader db group defined like this
CREATE GROUP data_reader;
GRANT USAGE ON SCHEMA reports TO GROUP data_reader;
GRANT SELECT ON ALL TABLES IN SCHEMA reports TO GROUP data_reader;
And I've noticed that whenever I create a new table, group members can't automatically query from the table. They get a Permission Denied error. Re-running
GRANT SELECT ON ALL TABLES IN SCHEMA reports TO GROUP data_reader;
Fixes the permission.
Is this just a quirk of Redshift or is there another way I should be defining my db groups?
This statement grants access only to already created tables:
GRANT SELECT ON ALL TABLES IN SCHEMA reports TO GROUP data_reader;
In order to grant access by default, you must setup default privileges:
GRANT USAGE ON SCHEMA reports TO group data_reader; --Most probably already granted
ALTER DEFAULT PRIVILEGES IN SCHEMA reports GRANT SELECT ON TABLES to group data_reader;
Now all new created tables will be granted to group for select.
Any GRANTS you provide are only for the existing tables/views. Anytime a new table is created, you need to explicitly provide the required permissions to users/groups. My suggestion is to probably include the appropriate grants statements in the DDL file.
Related
I am the admin of a PostgreSQL 11 DB on Azure.
Some of the users only have access to specific views.
The users were created by:
CREATE USER M1234 WITH PASSWORD '1234!';
GRANT USAGE ON SCHEMA public TO M1234;
GRANT SELECT ON table v_xxx TO M1234;
GRANT SELECT ON table v_yyy TO M1234;
For some reason the grant for select on one or all the existing views is removed every so often and the users of course cannot access.
I would really appreciate it if anyone has any insight as to why and how this could happen and if there is a more long term solution.
You grant SELECT on existing tables, but for future tables, you need additional permissions
-- Grant access to future tables ALTER DEFAULT PRIVILEGES IN SCHEMA a_given_schema GRANT SELECT ON TABLES TO read access;
grant usage on schema apps to group group_name;
grant SELECT ON ALL TABLES IN schema apps to group group_name;
alter default privileges in schema apps grant select on tables to group group_name;
Comments used by gave access to group
I created the user or group in redshift. Initially, they have a access to the tables. When the table recreates the access automatically declined. Can anyone help to fix the issue?
I hope I can help. The users need to have default ACLs set which give all tables that user creates a set of grants. See:
https://docs.aws.amazon.com/redshift/latest/dg/r_ALTER_DEFAULT_PRIVILEGES.html
The creator of the object needs to grant to others but this can be done automatically by setting their default pricileges.
Hope this helps
As per the AWS documentation,
To run a Redshift Spectrum query, you need the following permissions:
Usage permission on the schema
Permission to create temporary tables in the current database
I have an External database, schema and a table created in that schema.
I created a new Redshift user to which I granted 'usage' privileges on the external schema:
grant usage on external_schema to new_user;
But I did not provided 'temp' privileges on external_database to my new_user.
Also, there are no default privileges, as I checked PG_DEFAULT_ACL using master user and there are no rows in it.
Can someone let me know why I am able to query the external table?
In Amazon Redshift, Database and Schema are different concepts. User objects (Redshift and external) are created in Schema and TEMP objects are created in "temp" schemas and are available at database level.
In some cases, where join between Spectrum tables and Redshift tables is applied, Redshift needs to create temporary tables and that's why it is mentioned in documentation to avoid any failure/error for users.
Here is what documentation says:
Grants the privilege to create temporary tables in the specified database. To run Amazon Redshift Spectrum queries, the database user must have permission to create temporary tables in the database.
Note
By default, users are granted permission to create temporary tables by their automatic membership in the PUBLIC group. To remove the privilege for any users to create temporary tables, revoke the TEMP permission from the PUBLIC group. Then explicitly grant the permission to create temporary tables to specific users or groups of users.
I have a Postgres database and a read-only user that I want to grant permissions to. I have two schemas currently but expect to make many more in the future. How do I grant select permissions to my read-only user so that they can read data from the tables that are currently created as well as tables that will be created in a new schema in the future?
I don't want to have to explicitly grant permissions for each new schema when they are created.
Use ALTER DEFAULT PRIVILEGES without specifying any schema:
The privileges can be set globally (i.e., for all objects created in the current database) […]
If IN SCHEMA is omitted, the global default privileges are altered.
So this should do it:
ALTER DEFAULT PRIVILEGES FOR whoever_will_create_the_tables
GRANT SELECT ON TABLES TO the_readonly_user;
ALTER DEFAULT PRIVILEGES FOR whoever_will_create_the_schemas
GRANT USAGE ON SCHEMAS TO the_readonly_user;
Granting the privilege on the tables that already are created needs a separate statement:
GRANT SELECT ON ALL TABLES IN SCHEMA schema_1, schema_2 TO the_readonly_user;
I have a bit of a funny situation in Amazon Redshift where I have a user X who has grant select on all tables in schema public, but once a new table is created, this grant doesn't seem to apply to the new table. Is this normal behaviour? If yes, how does one deal with it such that the schema level grants are maintained. Thank you.
Executing the following command as super user (master):
alter default privileges
for user staging_user
in schema staging
grant select on tables
to reporting_user;
will allow reporting_user to select data from all future tables created by staging_user in schema staging.
In Redshift tables and views do not automatically inherit the permissions of their parent schema. Your newly created tables are only accessible to the user who created them, and the superuser.
In a recent patch to Redshift a new feature to grant default privileges was implemented that addresses this issue.
Alter Default Privileges
The following code snippet will grant select privileges only for all future tables in the sales schema to the sales_admin group. If you want this to apply to existing tables in a schema you will need to combine it with a second grant statement.
alter default privileges in schema sales grant select on tables to group sales_admin;
This is a normal behavior. Only the object owner/superuser have permission to use the object by default.
http://docs.aws.amazon.com/redshift/latest/dg/r_Privileges.html
You can add grant command to your create table statement and grant needed privileges for the user.
When we first spotted new tables not appearing in our reporting tool, I discovered a quick workaround is to re-execute the following SQL statement for the groups/users impacted:
ALTER DEFAULT PRIVILEGES IN SCHEMA <SCHEMANAME> GRANT SELECT ON TABLES TO GROUP <USER/GROUPNAME>;