Cannot access foreign table using Postgres FDW - postgresql

I had a foreign table set up in Postgres 10. The role "role1" has been granted usage on the foreign server (fs) that was set up using the postgres superuser.
I imported the table using the import schema command:
IMPORT FOREIGN SCHEMA f_schema LIMIT TO (my_fdw_table) FROM fs INTO ls;
That worked fine.
However, when I try to query the table I get the following error:
SELECT * FROM my_fdw_table LIMIT 1;
ERROR: permission denied for view my_fdw_table
CONTEXT: remote SQL command: ...
My understanding is that FDW should treat views and tables the same.

It looks like the remote user that you used in the user mapping for your local user and the foreign server does not have the required permissions on the table (or the schema that contains it).

User "role1" should create user mapping for itself like:
CREATE USER MAPPING FOR role1 SERVER fs OPTIONS (USER 'role1', PASSWORD 'password1');
IMPORT FOREIGN SCHEMA f_schema LIMIT TO (my_fdw_table) FROM SERVER fs INTO ls;
Also, if "role1" is not an owner of the database, it should get access from its owner:
GRANT USAGE ON SCHEMA ls TO role1;
Assuming ls is local schema.

Related

GCLOUD Postgres, using foreign data wrapper extesion results permission denied for relation

I'm really stuck with the following problem.
At GCloud SQL I have a running postgres' instance.
That instance contains two databases. From one database (source_db) I want to access to another database's (another_db) table (foreign_table) using postgres_fdw extension. The recipe I'm employing currently is this:
1)
CREATE EXTENSION postgres_fdw;
CREATE SERVER foreign_db
FOREIGN DATA WRAPPER postgres_fdw
OPTIONS (dbname 'another_db', port '5432', host '<A_PRIVATE_IP>');
CREATE USER MAPPING for guest
SERVER foreign_db
OPTIONS (user 'guest', password 's3cr3t');
CREATE FOREIGN TABLE foreign_table
(
// columns descripions
)
SERVER foreign_db OPTIONS (table_name 'foreign_table');
-- Alternatively I also tried with
CREATE SCHEMA external;
IMPORT FOREIGN SCHEMA public from SERVER foreign_db into external;
GRANT SELECT ON TABLE foreign_table TO guest;
The above commands runs without error, but when I tried to actually access the table I got this:
If using "external" schema
source_db=> select 1 from external.foreign_table limit 1;
ERROR: permission denied for relation foreign_table
CONTEXT: Remote SQL command: SELECT NULL FROM public.foreign_table (*)
If not using "external" schema
source_db=> select 1 from foreign_table limit 1;
ERROR: permission denied for relation foreign_table
CONTEXT: Remote SQL command: SELECT NULL FROM public.foreign_table
The only thing that smells a little is that the error message (at *) displays "public.foreign_table" instead of "external.foreign_table" even when I'm using external schema... but i don't know is that actually means something :S
As far I researched there is no way to login into the posgres instance as a superuser as that is not allowed by the Gcloud's SQL services neither a way to edit the pg_hba.conf file in order to adjust client's authentication affairs.
I searched in a lot of places but without finding what i can do to sort this out. Among the sites and pages i looked are the below list
The official documentation
A personal blog's post
This other SO post having a related issue
This post and this other post regarding permissions and authorizations.
A Nice tutorial about authentication and authorization
P.S.
I was able to make this on a postgres' instance that i ran locally.
User guest on the remote server doesn't have permissions to SELECT from the table. Since the query on the remote server is executed as user guest, you get an error.
GRANT the SELECT privilege on the table on the remote server to the user.

How to login to postgreSQL at the top level?

I have Postgres 9.6 installed on mac os. When I enter the command:
$ psql (it takes me to below prompt)
bar=#
bar=# \conninfo
You are connected to database "bar" as user "bar" via socket in "/tmp" at port "5432".
How do I get out of database bar and be at the top level so that when I enter command:
CREATE DATABASE postgis_in_action;
CREATE SCHEMA ch07;
CREATE TABLE ch07.bag_o_rasters(rid serial primary key, rast_name text, rast raster);
database postgis_in_action will be created and within this database ch07 schema will be created and not nested inside database "bar" and the table will be created within ch07 schema under postgis_in_action database?
After creating the new database you need to switch to it. Otherwise the create schema will be run in the database to which you initially connected. In psql you can do that using \connect
bar=# CREATE DATABASE postgis_in_action;
bar=# \connect postgis_in_action
You are now connected to database "postgis_in_action" as user "postgres".
CREATE SCHEMA ch07;
CREATE TABLE ch07.bag_o_rasters(rid serial primary key, rast_name text, rast raster);
I would strongly recommend you create a regular user to do your work. Do not do everything as the superuser. E.g.:
bar=# create user ace password '*******';
bar=# create CREATE DATABASE postgis_in_action owner ace;
\connect postgis_in_action ace
Password for user ace:
You are now connected to database "postgis_in_action" as user "ace".
postgis_in_action=>
Maybe you have an experience with other databases, but this is the Postgres. Schemas are nested in databases, and you cannot to connect to schema (in Postgres). If you want create the database, then you use CREATE DATABASE ch07 instead CREATE SCHEMA ch06.
Instance (Postgres Cluster)
|
v
-------------------- ...
| |
v v
Database1 Database2
|
----------------------- ...
| | |
v v v
public schema1 schema2
|
----------------------- ...
| | |
v v v
table1 table2 table3
In this case the Postgres is similar to MS SQL, and very different to Oracle. Schema in Postgres and Oracle are different things.
When you connect to Postgres, then you have to specify target database. You cannot to connect just to server, or you cannot to connect to schema. Schemas (in Postgres) are like directories. You can specify an order of searching of schemas. You can set SEARCH_PATH per connect, per user or in an session (it is analogy of PATH in MS Win or UNIX).

Granting local user permissions to a foreign db table in postgres

I set up a connection to a foreign db using dblink_connect according to the docs:
CREATE SERVER fdtest FOREIGN DATA WRAPPER dblink_fdw OPTIONS (hostaddr '127.0.0.1', dbname 'foreign_test_db');
CREATE USER test_user WITH PASSWORD 'secret';
CREATE USER MAPPING FOR test_user SERVER fdtest OPTIONS (user 'test_user', password 'secret');
GRANT USAGE ON FOREIGN SERVER fdtest TO regress_dblink_user;
GRANT SELECT ON TABLE foo TO test_user;
\c - regress_dblink_user
SELECT dblink_connect('myconn', 'fdtest');
SELECT * FROM dblink('myconn','SELECT * FROM foo') AS t(a int, b text, c text[]);
The final 'GRANT SELECT' appears to infer that if it is meant to grant select permissions to local user test_user to the table foo on the fdtest foreign data wrapper. However, how I would interpret this command is that it is granting permissions to test_user to select on local table foo (which does not exist). As expected, when I run this command I get an error:
ERROR: relation "foo" does not exist
I would love to know how to actually accomplish this. I would like to be able to restrict local users to only access certain tables from a foreign data wrapper.
You'll have to connect to the remote database and run the GRANT statement there.
Of course you could do that via dblink, but then you'd have to connect with a superuser or the owner of the table.
The connection they show is a loop back connection, it just connects back to the same server and (apparently) database you are already in. This is useful for testing purposes. So granting the permission on the local server is the same thing as granting it on the remote server, as they are the same server.
They do not show the creation of the table, you can find it in the regression test contrib/dblink/sql/dblink.sql (from which the example in the doc derives) as:
CREATE TABLE foo(f1 int, f2 text, f3 text[], primary key (f1,f2));

postgres foreign data wrapper for non admin user

I created a foreign data wrapper and created the user mappings for 2 users one is admin and the other only has readonly access to the tables.
When I try to query using the readonly user I get an error:
ERROR: permission denied for schema testing LINE 1: SELECT * FROM testing.bldg ^ ********** Error ********** ERROR: permission denied for schema testing SQL state: 42501 Character: 15
Here is my setup:
Postgres 9.6.1 in Amazon RDS, both DBs are part of same AWS RDS instance.
When I connect to remote database directly using the readonly user I am able to query the table, problem only happens when using the fdw.
As the readonly use when I query this "select * from pg_foreign_table;"
I see all the foreign tables.
I have tried the following:
grant usage on schema ...
grant select on table...
GRANT USAGE ON FOREIGN SERVER ...
Any ideas.
I was able to resolve the issue, here are the steps:
create readonly user on local DB
create readonly user on remote DB
create fdw and user mapping for readonly user
grant usage privs on remote and local db (I was missing this on local)
grant select privs on local and remote db to readonly user.

Schema created in Docker by postgres user does not exist

I am building a Docker container for my PostgresSQL 9.4.5 database and I'd like to create the table structures when the container starts. In the script included in my /docker-entrypoint-initdb.d/ directory is this series of commands:
#!/usr/bin/env bash
export PGUSER=postgres
echo "***CREATING DATABASE, USERS, AND ROLES***"
psql <<-EOSQL
CREATE USER vpager WITH PASSWORD '<pass>';
CREATE DATABASE vpager;
GRANT ALL PRIVILEGES ON DATABASE vpager TO vpager;
REVOKE ALL ON DATABASE vpager FROM PUBLIC;
CREATE ROLE standarduser;
CREATE USER vpageruser WITH PASSWORD '<pass>';
\connect vpager
CREATE SCHEMA ticketing;
GRANT ALL PRIVILEGES ON SCHEMA ticketing TO vpager;
GRANT CONNECT ON DATABASE vpager TO standarduser;
GRANT SELECT, UPDATE, INSERT, DELETE ON ALL TABLES IN SCHEMA ticketing TO standarduser;
GRANT standarduser TO vpageruser;
EOSQL
echo "***CREATING TABLE STRUCTURES***"
psql -U vpager vpager < /docker-entrypoint-initdb.d/create-vpager-tables.sql
The SQL script:
CREATE TABLE ticketing.merchant
(
merchant_id SERIAL PRIMARY KEY,
now_serving INT
);
CREATE TABLE ticketing.ticket
(
ticket_id SERIAL,
merchant_id INT REFERENCES ticketing.merchant(merchant_id),
create_ts TIMESTAMP,
PRIMARY KEY (ticket_id, merchant_id)
);
As you can see, the idea is to create a non-privileged user for doing CRUD operations. The problem is that when the create-vpager-tables.sql command runs, it can't see the schema that postgres created:
ERROR: schema "ticketing" does not exist
STATEMENT: CREATE TABLE ticketing.merchant
(
merchant_id SERIAL PRIMARY KEY,
now_serving INT
);
ERROR: schema "ticketing" does not exist
ERROR: schema "ticketing" does not exist
Yet, if I add a CREATE SCHEMA statement to the top of create-vpager-tables.sql, it says it already exists:
ERROR: schema "ticketing" already exists
How do I resolve these errors? I tried setting my search path at the top of the SQL file, but the same thing happened; it's like a "Schrodinger" schema.
I figured it out. I put the create-vpager-tables.sql in the /docker-entrypoint-initdb.d directory, and apparently the image also tries to source SQL files there. Moving it to /tmp (and granting USAGE on the schema to standarduser) fixed the problem.