Can't create postgis extension on Google Cloud SQL - postgresql

I've got a Postgres database and user I've created on Google Cloud SQL.
I'm trying to install the postgis extension for that user:
myuser=> CREATE EXTENSION postgis;
ERROR: permission denied to create extension "postgis"
HINT: Must be superuser to create this extension.
as you can see, it won't allow me to create the extension for this user, so I attempted to make this user a superuser from the postgres role:
postgres=> ALTER USER myuser WITH SUPERUSER;
ERROR: must be superuser to alter superusers
and I get the following error. This is because Google Cloud SQL does not allow the SUPERUSER role for any postgres accounts according to: https://cloud.google.com/sql/docs/postgres/users.
So I'm in this weird state of purgatory that I need to add this extension, but can't.
Any tips on how to proceed?

It looks like creating a new user through the API (or the console) will give it the proper permissions, at least according to the prompt when trying to add additional users through the console:

Related

Enabling pg_cron extension on postgres database without rds_superuser

I'm trying to follow this article to enable the pg_cron extension on my postgres RDS instance on AWS:
https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/PostgreSQL_pg_cron.html
it says to run on the rds_superuser
CREATE EXTENSION pg_cron;
However, I'm logged in under a different user, I don't currently have access to the rds_superuser account. The message I get is:
SQL Error [42501]: ERROR: permission denied to create extension "pg_cron"
Hint: Must be superuser to create this extension.
Can anyone please tell me a work-around for this without having to contact a DBA? Can I grant superuser or create a new user with superuser to get around this?
it looks like the current user I have access to only shows on the pg_tables access to:
rolinherit - X
rolcanlogin - X
Ok I found out that if you go to your RDS database instance on AWS, you can "Modify" the RDS instance, and change the master password for the sysadmin user. I was then able sign in with this user and do what I needed to do.

Postgrex.Error ERROR 42501 insufficient_privilege to create extension citext

I am trying to create a migration. this is the output
MIX_ENV=prod DATABASE_URL="URL" mix ecto.migrate
[info] execute "CREATE EXTENSION citext;"
** (Postgrex.Error) ERROR 42501 (insufficient_privilege): permission denied to create extension "citext"
however until now it has been working in dev mode.
I did try
ALTER USER user WITH SUPERUSER
and installed postgresql-contrib package
but nothing works.
I had a similar issue and doing:
psql -d postgres, ALTER USER my_user_name WITH SUPERUSER and
setting the username in the Repo config to my_user_name
has resolved the issue.
So I think that the answer to the question might be doing 2. so making sure the DB user used by our application is the one that has SUPERUSER. Obviously you could also figure out without doing 2. what DB user name is used by default and then do 1. for that user.

Using Postgres PGCrypto encryption requires superuser to run view queries

Using: Postgres 9, CentOS 7,
Postgres Data directory not in default location but used RSync to make sure permissions were correct. And yes appropriate .config files were changed.
When I try to query a view containing an encrypted item as a NON superuser (Testuser), I get this error:
ERROR: must be superuser to read files CONTEXT: PL/pgSQL function
decrypt_data(bytea) line 13 at assignment
If I run that same query using POSTGRES superuser, the query completes fine.
This seems to be a file system read permission error when trying to read the Key files. Everything I see using encryption seem to not mention how to run without being superuser.
I have already run the following grants for Testuser:
GRANT ALL PRIVILEGES ON DATABASE xxx_db to Testuser;
GRANT SELECT ON ALL TABLES IN SCHEMA xxxxx TO Testuser;
GRANT ALL ON ALL TABLES IN SCHEMA xxxxx TO Testuser;
The test user can create tables, views, basically anything within that db.. just not read encryption keys.
The permissions on the keys are 775 right now, I even tried 777 without luck.
Any Ideas?
pgcrypto is a PostgreSQL extension described here:
https://www.postgresql.org/docs/current/static/pgcrypto.html
but it doesn't provide a decrypt_data(bytea) function.
This function seems to be custom code that happens to open a server-side file, with pg_read_file() or a similar method.
These methods are restricted to superusers to avoid normal users to read on the server's filesystem, no matter what are the Unix rights of the particular file they want to read.
You can verify this in the source of decrypt_data(bytea), which can be obtained with:
select pg_get_functiondef('decrypt_data(bytea)'::regprocedure);
or \df+ decrypt_data(bytea) from within psql.
I found the issue. I need to grant the user with function permissions.
GRANT EXECUTE ON ALL FUNCTIONS IN SCHEMA xxxxx TO yyyyyyyyy;

Why can only a superuser CREATE EXTENSION hstore, but not on Heroku?

When I attempt to enable hstore on my database:
=> CREATE EXTENSION IF NOT EXISTS hstore;
ERROR: permission denied to create extension "hstore"
HINT: Must be superuser to create this extension.
My user is not a superuser, but is the owner of the database.
According to the CREATE EXTENSION docs:
Loading an extension requires the same privileges that would be required to create its component objects. For most extensions this means superuser or database owner privileges are needed. The user who runs CREATE EXTENSION becomes the owner of the extension for purposes of later privilege checks, as well as the owner of any objects created by the extension's script.
What is hstore doing that requires superuser privileges? Is it affecting parts of the cluster outside the database I'm adding it to?
Further confundity:
The DB user Heroku Postgres provides is not a superuser:
Heroku Postgres users are granted all non-superuser permissions on their database. These include SELECT, INSERT, UPDATE, DELETE, TRUNCATE, REFERENCES, TRIGGER, CREATE, CONNECT, TEMPORARY, EXECUTE, and USAGE.
However, that user is able to CREATE EXTENSION hstore:
To create any supported extension, open a session with heroku pg:psql and run the appropriate command:
$ heroku pg:psql
Pager usage is off.
psql (9.2.4)
SSL connection (cipher: DHE-RSA-AES256-SHA, bits: 256)
Type "help" for help.
ad27m1eao6kqb1=> CREATE EXTENSION hstore;
CREATE EXTENSION
ad27m1eao6kqb1=>
(For context, I'm attempting to set up a Dokku deployment, so the comparison to Heroku is especially important.)
The hstore extension creates functions that call code from an external dynamic object, which requires superuser privilege. That's why creating the hstore extension requires superuser privilege.
As for Heroku, it is my understanding that they are running with a special extension whitelisting module, which allows users to create certain extensions even though they are not superusers. I believe it is based on this code: https://github.com/dimitri/pgextwlist. You can try to install that code yourself if you want the same functionality in your databases.
ALTER USER myuser WITH SUPERUSER;
If you run this command from a superuser, this solves your CREATE EXTENSION issue. You may check your available users with \du to find a superuser.
This is not related to heroku.
This is how I solved this issue in ubuntu 18.04.
Provide postgres super user access.
sudo su postgres
Then I run:
psql -U postgres your_database_name -c 'create extension hstore;'
Now I can alter table your_database_name and add hstore type columns in it.
Connect to your database
psql -d your_database_name -U your_user_role
And
alter table your_table_name add your_column_name HSTORE;
Though there might be saveral different ways to do it, but I solve it in this way.
Hope this will help novice users like me.

Why can I not set permissions on fresh install of PostgreSQL

A fresh installation of PostgreSQL 9.3 (according to the YUM Installation manual on the PostgreSQL wiki) on CentOS 6 (64-bit) will not grant permissions to any users.
I log in to the postgres user and open psql, then I create a role for my default user:
CREATE ROLE <name> WITH PASSWORD '<password>';
and then try to grant it privileges on the default postgres database:
GRANT ALL ON DATABASE postgres TO <user>;
which gives the expected output, but the user does not have any permissions on postgres.
The output of \dp <user> is quizically empty as well. Additional testing shows that I cannot give any users permissions. However, when I try to drop a role that has been granted these nonexistent permissions, it says
ERROR: role "<user>" cannot be dropped because some objects depend on it
DETAIL: privileges for database postgres
I am at a loss. I did also check to make sure the postgres Linux user has the appropriate file permissions on the PostgreSQL data directory.
Presumably you're expecting too much of GRANT ALL ON DATABASE postgres TO <user>;
ALL in this context means that the command is equivalent to:
GRANT CREATE,CONNECT,TEMPORARY ON DATABASE postgres TO <user>;
And the way you create the ROLE, it cannot login to any database anyway (you can check this with \du).
It could if it was created with:
CREATE ROLE name WITH LOGIN PASSWORD 'pass';
or use ALTER ROLE name WITH LOGIN later on.
Starting from this, to give the user permissions to create objects in the database, other forms of GRANT should be used.