created a postgresql instance on AWS with the username ziggy. I restored a database to that instance. however I cannot even select any of the tables
select * FROM mac_childcare_parcels
gives me ERROR: permission denied for relation mac_childcare_parcels
********** Error **********
the owner of that table belongs to the postgres login.
so i tried running this: grant all privileges on all tables in schema public to ziggy but since I am not a superuser I cannot give myself privileges so that throws a permissions error. what do I have to do to get access to the tables?
this does not work either
grant select on mac_childcare_parcels to ziggy
this query returns successful but does not let the login ziggy access the tables
GRANT USAGE ON SCHEMA public TO ziggy;
First login with superuser and provide all rds superuser access to the newly created user using a command like below
GRANT rds_superuser TO ziggy;
replace rds_superuser with your rds superuser.
You need to also GRANT USAGE on the SCHEMA, e.g.
GRANT USAGE ON SCHEMA public TO ziggy;
The superuser access is needed to run the access level queries. But as you said that access is not present then i would say copy the replica of the db which you have restored from backup and grant yourself as superuser.
then provide all needed access to any users.
Related
I am running this command
gcloud sql import sql db1 gs://mybucket/sqldumpfile.gz --database=mydb1
to import a database snapshot into a new database. Before running it, I recreated the same users I had in the source database, using Cloud Console. However, I keep on getting this error:
ERROR: must be member of role "postgres"
STATEMENT: ALTER DEFAULT PRIVILEGES FOR ROLE postgres IN SCHEMA public GRANT SELECT ON TABLES TO user1;
I am not sure what to do and which user must be "member of role postgres".
Any advice is appreciated
To grant default privileges for user2, use the FOR ROLE clause:
ALTER DEFAULT PRIVILEGES FOR USER <user-1> IN SCHEMA <user-1> GRANT INSERT, UPDATE, DELETE ON TABLES TO <user-2>;
ALTER DEFAULT PRIVILEGES FOR USER <user-1> IN SCHEMA <user-1> GRANT SELECT ON TABLES TO <user-2>;
You need to grant the rights from the user-1 which is creating the table, So whenever the user-1 creates a table, it will grant the SELECT rights for the user-2.
For more information refer to this document.
I'm trying to achieve the following:
I have user1 which is created.
This user1 has databases user1_db1, user1_db2 , user1_db3
When I grant the owner of user1 to all the databases, I am able to do everything with them,except if I create user1_user1 , grant All access ( without the owner ) to user1_db. Then user1_user1 will throw errors like :
user1_user1=> ALTER DATABASE "user1_dbl" SET bytea_output = 'escape';
ERROR: must be owner of database user1_db1
What I need is a special user ( in this case user1_user1 ) to be able to do everything with the database that all access have been granted and is still visible in phppgadmin ( when $conf['owned_only'] = true; is set ) when logged with user1 , or if needed I can create a special user for PHPpgAdmin but must view the databases that are with prefix user1 only.
Maybe my approach is not proper so please let me know how can I achieve this.
The goal is to have 1 user , able to access/modify all those databases and in the same scenario , user1_user1 is able to do the same but not accessing phppgadmin. The limitation that I am seeing is the ownership only and I am not able to bypass it...
Thank you for your advices!
You can use the same user for all of the databases, but you will need to give that user access to each database. You can do that by running the following SQL:
GRANT ALL PRIVILEGES ON DATABASE user1_db1 TO user1_user1; GRANT ALL PRIVILEGES ON DATABASE user1_db2 TO user1_user1; GRANT ALL PRIVILEGES ON DATABASE user1_db3 TO user1_user1;
You can also give the user access to all databases by running the following SQL:
GRANT ALL PRIVILEGES ON ALL DATABASES TO user1_user1;
You can also give the user access to all tables in a database by running the following SQL:
GRANT ALL PRIVILEGES ON user1_db1.* TO user1_user1;
You can also give the user access to all tables in all databases by running the following SQL:
GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO user1_user1;
You can also give the user access to all sequences in a database by running the following SQL:
GRANT ALL PRIVILEGES ON user1_db1 TO user1_user1;
You can also give the user access to all sequences in all databases by running the following SQL:
GRANT ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA public TO user1_user1;
You can also give the user access to all functions in a database by running the following SQL:
GRANT ALL PRIVILEGES ON user1_db1 TO user1_user1;
You can also give the user access to all functions in all databases by running the following SQL:
GRANT ALL PRIVILEGES ON ALL FUNCTIONS IN SCHEMA public TO user1_user1;
You can also give the user access to all types in a database by running the following SQL:
GRANT ALL PRIVILEGES ON user1_db1 TO user1_user1;
You can also give the user access to all types in all databases by running the following SQL:
GRANT ALL PRIVILEGES ON ALL TYPES IN SCHEMA public TO user1_user1;
You can also give the user access to all operators in a database by running the following SQL:
GROMySQL: How to grant all privileges on all databases and tables to a user?
The best way to do this is to use the GRANT ALL PRIVILEGES ON . TO 'user'#'localhost' syntax.
GRANT ALL PRIVILEGES ON *.* TO 'user'#'localhost' IDENTIFIED BY 'password';
This will give the user all privileges on all databases and tables.
I finally made it work with the memberships :
postgres=# \du
List of roles
Role name | Attributes | Member of
-------------------+------------------------------------------------------------+---------------------
user1 | | {user1_pgsqluser}
user1_pgsqluser | | {}
This can be granted as follow :
psql -U postgres -c 'grant $dbuser to $user;'
In Cloud SQL Postgres, where superuser permissions are not accessible, how can I prevent a new user from creating tables?
I know that REVOKE CREATE ON SCHEMA public FROM public works, but this seem to require superuser permissions, as I get a WARNING: no privileges could be revoked for "public" error.
You have to run that statement as the user who owns public.
I'm using CloudSQL Postgres 11 on GCP, and I've got a few questions around permissions and grants. I'm just not getting it at the moment, being very new to postgres.
I have a user, pgadmin which is a superuser. With this user I can connect to the instance and create a database called 'sandbox' for example.
I then have an app role which is defined as follows:
CREATE ROLE app;
GRANT CONNECT ON DATABASE <database name> TO app;
GRANT USAGE, CREATE ON SCHEMA public TO app;
GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO app;
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL PRIVILEGES ON TABLES TO app;
GRANT USAGE ON ALL SEQUENCES IN SCHEMA public TO app;
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT USAGE ON SEQUENCES TO app;
I create a user called app_sandbox which I grant this role.
The app user then makes a db migration using flyway which creates 2 tables. That side of things is fine.
But with my superuser, pgadmin, I can't see these tables or query them even though this user owns the database and is a superuser. I've tried all sorts of grants. Feels like I'm missing something important because even if I true to create a readonly role with the pgadmin user I am unable to grant access to the underlying tables in the public schema of the database.
What am I missing?
Just because one user (=pgadmin) owns the database, does not mean that user also owns the tables created in that database. And because pgadmin doesn't own those tables, you can't access them when logged in as pgadmin
If the app user created the tables, they belong to that user, and only the app user can grant privileges on those tables to other users.
I need to restrict a user, access only on a particualr schema tables only.So I tried following query and login as user1_gmail_com. But I got following error when I try to browse any schema table.
My Query:
SELECT clone_schema('my_application_template_schema','user1_gmail_com');
CREATE USER user1_gmail_com WITH PASSWORD 'myloginpassword';
REVOKE ALL ON ALL TABLES IN SCHEMA user1_gmail_com FROM PUBLIC;
GRANT SELECT ON ALL TABLES IN SCHEMA user1_gmail_com TO user1_gmail_com;
SQL error:
ERROR: permission denied for schema user1_gmail_com at character 46
In statement:
SELECT COUNT(*) AS total FROM (SELECT * FROM "user1_gmail_com"."organisations_table") AS sub
Updated Working Query:
SELECT clone_schema('my_application_template_schema','user1_gmail_com');
CREATE USER user1_gmail_com WITH PASSWORD 'myloginpassword';
REVOKE ALL ON ALL TABLES IN SCHEMA user1_gmail_com FROM PUBLIC;
GRANT USAGE ON SCHEMA user1_gmail_com TO user1_gmail_com;
GRANT SELECT ON ALL TABLES IN SCHEMA user1_gmail_com TO user1_gmail_com;
You need to grant access not only to the tables in the schema, but also to the schema itself.
From the manual:
By default, users cannot access any objects in schemas they do not own. To allow that, the owner of the schema must grant the USAGE privilege on the schema.
So either make your created user the owner of the schema, or grant USAGE on the schema to this user.
This confused me. Still not sure I'm handling it correctly. Run \h grant for the syntax within psql. Here is how I managed to get my other users and groups to work as I needed:
GRANT ALL PRIVILEGES ON SCHEMA foo TO GROUP bar;
GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA foo TO GROUP bar;
I kept getting this error when using flyway to deploy database changes. I do some manual setup first, such as creating the database, so flyway wouldn't need those super-admin permissions.
My Fix
I had to ensure that the database user that flyway job used had ownership rights to the public schema, so that the flyway user could then assign the right to use the schema to other roles.
Additional setup Details
I am using AWS RDS (both regular and Aurora), and they don't allow super users in the databases. RDS reserves super users for use by AWS, only, so that consumers are unable to break the replication stuff that is built in. However, there's a catch-22 that you must be an owner in postgres to be able to modify it.
My solution was to create a role that acts as the owner ('owner role'), and then assign both my admin user and the flyway user to the owner role, and use ALTER scripts for each object to assign the object's owner to the owner role.
I missed the public schema, since that was auto-created when I created the database script manually. The public schema defaulted to my admin role rather than the shared owner role. So when the flyway user tried to assign public schema permissions to other roles, it didn't have the authority to do that. An error was not thrown during flyway execution, however.