I have 2 schemas here,schema1 and schema2. I have created a view in schema2 from table in schema1. Now i have granted access to the group for schema2 but they are not able to access the view.
here is the query that i used to grant access.
grant select on all tables in schema schema2 to group viewusers_ro;
view:
create view schema2.view as select col1, col2,col3 from schema1.table;
users try accessing
select * from schema2.view
error is: permission denied for schema schema1
Note: We are not allowed to grant users access to that table as we created view with only few columns from that table.
Please help me to get desired access
You also need to grant usage on schema2
grant usage on schema schema2 to group viewusers_ro;
You need to grand access on schema1. Even though the view is in schema2, because it references schema1 Redshift also wants usage on the schema that the underlying object is in. Unfortunately that makes things the case where there is one misplaced select grant away from opening schema1 up to your viewusers_ro group but that is how Redshift operates.
Related
I am the admin of a PostgreSQL 11 DB on Azure.
Some of the users only have access to specific views.
The users were created by:
CREATE USER M1234 WITH PASSWORD '1234!';
GRANT USAGE ON SCHEMA public TO M1234;
GRANT SELECT ON table v_xxx TO M1234;
GRANT SELECT ON table v_yyy TO M1234;
For some reason the grant for select on one or all the existing views is removed every so often and the users of course cannot access.
I would really appreciate it if anyone has any insight as to why and how this could happen and if there is a more long term solution.
You grant SELECT on existing tables, but for future tables, you need additional permissions
-- Grant access to future tables ALTER DEFAULT PRIVILEGES IN SCHEMA a_given_schema GRANT SELECT ON TABLES TO read access;
In Redshift I have a data_reader db group defined like this
CREATE GROUP data_reader;
GRANT USAGE ON SCHEMA reports TO GROUP data_reader;
GRANT SELECT ON ALL TABLES IN SCHEMA reports TO GROUP data_reader;
And I've noticed that whenever I create a new table, group members can't automatically query from the table. They get a Permission Denied error. Re-running
GRANT SELECT ON ALL TABLES IN SCHEMA reports TO GROUP data_reader;
Fixes the permission.
Is this just a quirk of Redshift or is there another way I should be defining my db groups?
This statement grants access only to already created tables:
GRANT SELECT ON ALL TABLES IN SCHEMA reports TO GROUP data_reader;
In order to grant access by default, you must setup default privileges:
GRANT USAGE ON SCHEMA reports TO group data_reader; --Most probably already granted
ALTER DEFAULT PRIVILEGES IN SCHEMA reports GRANT SELECT ON TABLES to group data_reader;
Now all new created tables will be granted to group for select.
Any GRANTS you provide are only for the existing tables/views. Anytime a new table is created, you need to explicitly provide the required permissions to users/groups. My suggestion is to probably include the appropriate grants statements in the DDL file.
Logged in as the superuser, how can I grant user access to a specific table under a specific schema.
I tried this
GRANT SELECT on TABLE this_schema.my_table TO my_user
But when I login as my_user I can't select from the table. I don't want my_user to have access to any other tables in this_schema.
Is this possible?
Yes its possible.
You can use following command, to give select access of specific table to specific user.
GRANT SELECT on SCHEMA_NAME.TABLE_NAME TO USER_NAME;
NOTE: user still list and describe other tables in the given schema.
You need to grant usage on the schema as well
GRANT USAGE ON SCHEMA this_schema TO GROUP my_user;
Without creating user group, you can do:
GRANT SELECT ON TABLE my_table IN SCHEMA this_schema TO my_user;
I have a bit of a funny situation in Amazon Redshift where I have a user X who has grant select on all tables in schema public, but once a new table is created, this grant doesn't seem to apply to the new table. Is this normal behaviour? If yes, how does one deal with it such that the schema level grants are maintained. Thank you.
Executing the following command as super user (master):
alter default privileges
for user staging_user
in schema staging
grant select on tables
to reporting_user;
will allow reporting_user to select data from all future tables created by staging_user in schema staging.
In Redshift tables and views do not automatically inherit the permissions of their parent schema. Your newly created tables are only accessible to the user who created them, and the superuser.
In a recent patch to Redshift a new feature to grant default privileges was implemented that addresses this issue.
Alter Default Privileges
The following code snippet will grant select privileges only for all future tables in the sales schema to the sales_admin group. If you want this to apply to existing tables in a schema you will need to combine it with a second grant statement.
alter default privileges in schema sales grant select on tables to group sales_admin;
This is a normal behavior. Only the object owner/superuser have permission to use the object by default.
http://docs.aws.amazon.com/redshift/latest/dg/r_Privileges.html
You can add grant command to your create table statement and grant needed privileges for the user.
When we first spotted new tables not appearing in our reporting tool, I discovered a quick workaround is to re-execute the following SQL statement for the groups/users impacted:
ALTER DEFAULT PRIVILEGES IN SCHEMA <SCHEMANAME> GRANT SELECT ON TABLES TO GROUP <USER/GROUPNAME>;
I have multiple databases, each one with multiple schemas. Something like this:
db1
schema1
schema2
db2
schema1
schema2
db3
schema1
schema2
I need to grant access to someuser *only to* db1.schema2.
In the pg_hba.conf I can restrict which user connects to wich database. And in the schema1 I can revoke usage and create privileges.
At this moment someuser can connect only to db1 and only can create tables in schema2 not in schema1.
However, the user can view the structure of the tables in schema1.
Is it posible to avoid someuser to view the structure of the tables in schema1?
First, schemas aren't used in the hba.conf flie. What you're looking for are simply grants and revokes. You're wanting to revoke "usage" of the schema from the role or perhaps the public role. According to the documentation, there are still other ways (ie, the system tables) to query this information, but it'll hide it from the front end. In short, there's no way to absolutely deny all ways of seeing the table description, and apparently the designers don't see a need to implement such a feature.
See discussion here
Revoking usage of the schema:
revoke usage on schema myschema from myrole