I want to create a dedicated role for the devs to access to pgagent from pgadmin.
I did that:
CREATE ROLE pgagent_dev NOSUPERUSER NOCREATEDB NOCREATEROLE NOINHERIT NOLOGIN;
COMMENT ON ROLE pgagent_dev IS 'Role dedicated to Developers access to pgagent';
GRANT USAGE ON SCHEMA pgagent TO pgagent_dev ;
-- GRANT ALL ON SCHEMA pgagent TO pgagent_dev;
GRANT SELECT ON ALL TABLES IN SCHEMA pgagent TO pgagent_dev;
GRANT SELECT ON ALL SEQUENCES IN SCHEMA pgagent TO pgagent_dev;
GRANT EXECUTE ON ALL FUNCTIONS IN SCHEMA pgagent TO pgagent_dev;
GRANT pgagent_dev TO toto;
GRANT pgagent_dev TO tutu;
From pgadmin, they can see the the pgagent folder but it can't be expand, and postgresql show this log.
2019-12-10 10:29:39.327 +07 [24784] ERROR: permission denied for schema pgagent
2019-12-10 10:29:39.327 +07 [24784] STATEMENT:
SELECT
has_table_privilege(
'pgagent.pga_job', 'INSERT, SELECT, UPDATE'
) has_priviledge
WHERE EXISTS(
SELECT has_schema_privilege('pgagent', 'USAGE')
WHERE EXISTS(
SELECT cl.oid FROM pg_class cl
LEFT JOIN pg_namespace ns ON ns.oid=relnamespace
WHERE relname='pga_job' AND nspname='pgagent'
)
)
what did i do wrong or forget ?
Thanks.
These statements works as expected and i can see proper rights on schema pgagent.
Please make sure that CREATE ROLE and all GRANT statements were run as the owner of the schema.
Also Run the below statement on Database to see the actual o/p. It should be as below.
postgres=# SELECT
has_table_privilege(
'pgagent.pga_job', 'INSERT, SELECT, UPDATE'
) has_priviledge
WHERE EXISTS(
SELECT has_schema_privilege('pgagent', 'USAGE')
WHERE EXISTS(
SELECT cl.oid FROM pg_class cl
LEFT JOIN pg_namespace ns ON ns.oid=relnamespace
WHERE relname='pga_job' AND nspname='pgagent'
)
);
has_priviledge
----------------
t
(1 row)
You can also try to execute the below query using user tutu/toto to see if these users have proper rights on schema pgagent.
[root#localhost bin]# ./psql -U tutu -d postgres -p 5432
psql (12.1)
Type "help" for help.
postgres=> select * from pgagent.pga_job;
jobid | jobjclid | jobname | jobdesc | jobhostagent | jobenabled | jobcreated | jobchanged | jobagentid | jobnext
run | joblastrun
-------+----------+---------+---------+--------------+------------+-------------------------------+-------------------------------+------------+--------
----+------------
1 | 1 | test | | | t | 2019-12-10 06:35:33.643407+00 | 2019-12-10 06:35:33.643407+00 | |
|
(1 row)
Related
I have an admin role/user and a developers role on postgres. The developers role enherits attributes from a 'readaccess' role which I created for convenience in the future. If I run \du I get:
Role name | Attributes | Member of
-----------------+------------------------------------------------------------+-------------------
developers | | {readaccess}
rds_replication | Cannot login | {}
rds_superuser | Cannot login | {rds_replication}
rdsadmin | Superuser, Create role, Create DB, Replication, Bypass RLS+| {}
| Password valid until infinity |
rdsrepladmin | No inheritance, Cannot login, Replication | {}
readaccess | Cannot login +| {}
| Password valid until infinity |
admin | Create role, Create DB +| {rds_superuser}
| Password valid until infinity |
I have granted read access to my developers account and my readaccess account via the following
GRANT SELECT ON ALL TABLES IN SCHEMA mySchema TO developers;
ALTER DEFAULT PRIVILEGES IN SCHEMA mySchema GRANT SELECT ON TABLES TO developers;
GRANT SELECT ON ALL TABLES IN SCHEMA mySchema TO readaccess;
ALTER DEFAULT PRIVILEGES IN SCHEMA mySchema GRANT SELECT ON TABLES TO readaccess;
If I run the command \z on one of my tables in mySchema
myDb=> \z mySchema.myTable;
Access privileges
Schema | Name | Type | Access privileges | Column privileges | Policies
---------+------------------------+-------+-------------------------+-------------------+----------
mySchema| myTable | table | admin=arwdDxt/admin+ | |
| | | developers=r/admin | |
(1 row)
However I can not run selects -- it says I have no permissions
myDB=> select * from mySchema.myTable;
ERROR: permission denied for schema mySchema
LINE 1: select * from mySchema.myTable;
Can anyone help out?
In addition to granting access to the tables, you must also grant access to the schema that contains them:
GRANT USAGE ON SCHEMA myschema TO readaccess, developers;
Somebody could tell me the difference between the views pg_users, users and \du+ command to display users in Postgresql 9.5.
select *
from users
display users that are not in pg_user views
"users" is not a catalog table - it is yours. to check waht happens when you use meta-command in psql - use -E switch, eg:
~]$ psql t -E
Timing is on.
psql (9.5.4)
Type "help" for help.
t=# \du+
********* QUERY **********
SELECT r.rolname, r.rolsuper, r.rolinherit,
r.rolcreaterole, r.rolcreatedb, r.rolcanlogin,
r.rolconnlimit, r.rolvaliduntil,
ARRAY(SELECT b.rolname
FROM pg_catalog.pg_auth_members m
JOIN pg_catalog.pg_roles b ON (m.roleid = b.oid)
WHERE m.member = r.oid) as memberof
, pg_catalog.shobj_description(r.oid, 'pg_authid') AS description
, r.rolreplication
, r.rolbypassrls
FROM pg_catalog.pg_roles r
ORDER BY 1;
**************************
List of roles
Role name | Attributes | Member of | Description
------------------+------------------------------------------------------------+-------------+---------------------------------------------------------------------------------------------
vao | | {} |
If you dig further you will find out that in 9.5 at least both pg_user and pg_roles query from pg_authid
Is it possible in PostgreSQL to create a user that can only access a single schema?
Here is what I tried:
REVOKE ALL ON DATABASE testdb FROM public;
GRANT CONNECT ON DATABASE testdb TO testuser;
When I connect as testuser indeed I cannot access the actual data:
> SELECT * FROM some_table;
ERROR: permission denied for relation some_table
However, I can still list all the tables, etc. in all the other schemas:
SELECT * FROM pg_tables;
schemaname | tablename | tableowner | tablespace | hasindexes | hasrules | hastriggers | rowsecurity
--------------------+-------------------------------------------+------------+------------+------------+----------+-------------+-------------
test2 | foo | postgres | | t | f | f | f
test2 | bar | postgres | | t | f | f | f
...
It is impossible to configure PostgreSQL so that a user can only see those objects in the system catalogs for which he or she has permissions.
If you need such a setup, you should create a database per user.
I was able to do this like so:
GRANT USAGE ON SCHEMA schema_name TO user_name;
ALTER USER user_name SET search_path = schema_name;
The ALTER USER statement like this is a way of permanently setting the search path for schemas the way you would set the schema search path of an individual sessions with
SET SEARCH_PATH= schema_name_1, schema_name_2;
Please explain the output of the \z command in PostgreSQL. I understand the permission, I read the documentation, but somehow I missed the interpretation of the output of \z.
datastore_default=> \z
Access privileges
Schema | Name | Type | Access privileges | Column access privileges
--------+-----------------+-------+-----------------------------------+--------------------------
public | _table_metadata | view | ckan_default=arwdDxt/ckan_default+|
| | | datastore_default=r/ckan_default +|
| | | readonlyuser=r/ckan_default +|
public | foo | table | ckan_default=arwdDxt/ckan_default+|
| | | datastore_default=r/ckan_default +|
| | | readonlyuser=r/ckan_default +|
Somehow readonlyuser seems to be able to read tables foo and _foo but in practice it cannot. Both commands return an error:
sudo -u postgres psql -d datastore_default -U readonlyuser -c 'SELECT * FROM foo'
sudo -u postgres psql -d datastore_default -U readonlyuser -c 'SELECT * FROM public.foo'
ERROR: permission denied for schema public
LINE 1: SELECT * FROM public.foo
Edit: apparently I had a poor understanding of how database and schema permissions work. First of all only the db admin (user postgres) or the owner of the database (in my case user ckan_default) can grant other users privileges on a specific database. The schema is only at a database level, so it's ok that I added readonlyuser the permission to see the public schema, it cannot select from other databases anyway.
The error says permission denied for schema public (emphasis mine)
You need to give readonlyuser rights on schema public:
GRANT USAGE ON SCHEMA public TO readonlyuser;
The contents of the ACL is explained on this page. The most relevant part quoted here:
rolename=xxxx -- privileges granted to a role
=xxxx -- privileges granted to PUBLIC
r -- SELECT ("read")
w -- UPDATE ("write")
a -- INSERT ("append")
d -- DELETE
D -- TRUNCATE
x -- REFERENCES
t -- TRIGGER
X -- EXECUTE
U -- USAGE
C -- CREATE
c -- CONNECT
T -- TEMPORARY
arwdDxt -- ALL PRIVILEGES (for tables, varies for other objects)
* -- grant option for preceding privilege
/yyyy -- role that granted this privilege
The + are part of the way psql formats the result, they are not part of the value.
I'd like to update pg_catalog.pg_cast from the restricted user (on Postgres 9.3).
However running the query I need:
update pg_cast set castcontext = 'i' where oid in ( select c.oid from pg_cast c inner join pg_type src on src.oid = c.castsource inner join pg_type tgt on tgt.oid = c.casttarget where src.typname like 'int%' and tgt.typname like 'bool%');
ends up with error:
ERROR: permission denied for relation pg_cast
However permissions seems to be correctly set. See the steps I made since DB and USER creation till query:
psql -c "create database test1 WITH ENCODING 'UTF8' LC_COLLATE='en_GB.UTF8' LC_CTYPE='en_GB.UTF8' TEMPLATE=template0;" -U postgres
psql -U postgres test1;
test1=# CREATE USER test1 PASSWORD 'test1';
test1=# GRANT ALL ON SCHEMA public TO test1;
test1=# GRANT ALL ON ALL TABLES IN SCHEMA public TO test1;
test1=# GRANT SELECT ON TABLE pg_catalog.pg_cast TO test1;
test1=# GRANT SELECT ON TABLE pg_catalog.pg_type TO test1;
test1=# GRANT UPDATE ON TABLE pg_catalog.pg_cast TO test1;
test1=# \q
sudo service postgresql-9.3 restart
PGPASSWORD=test1;psql -U test1 test1
test1=> \z pg_catalog.pg_cast
Access privileges
Schema | Name | Type | Access privileges | Column access privileges
------------+---------+-------+-------------------+--------------------------
pg_catalog | pg_cast | table | =r/postgres +|
| | | test1=rw/postgres |
(1 row)
test1=> \z pg_catalog.pg_type
Access privileges
Schema | Name | Type | Access privileges | Column access privileges
------------+---------+-------+-------------------+--------------------------
pg_catalog | pg_type | table | =r/postgres +|
| | | test1=r/postgres |
(1 row)
test1=> SELECT grantee, privilege_type FROM information_schema.role_table_grants WHERE table_name='pg_cast';
grantee | privilege_type
---------+----------------
test1 | SELECT
test1 | UPDATE
(2 rows)
test1=> update pg_cast set castcontext = 'i' where oid in ( select c.oid from pg_cast c inner join pg_type src on src.oid = c.castsource inner join pg_type tgt on tgt.oid = c.casttarget where src.typname like 'int%' and tgt.typname like 'bool%');
ERROR: permission denied for relation pg_cast
What more should I do, to enable query execution with the test1 user?
Thanks.
You really should not be updating system catalogs directly. The "permission denied" error is Postgres trying to protect you from shooting yourself in the foot.
If You really want that (and if you break something, you get to keep both pieces...) start here: https://serverfault.com/questions/300123/how-to-edit-system-catalogs-in-postgresql-8-1
I have had similar problem updating Greenplum system catalog, the cue is:
ERROR: permission denied: "pg_filespace_entry" is a system catalog,
the solution was using the following command before I tried to modify system table:
set allow_system_table_mods='dml';