I am using Microsoft Azure Database for PostgreSQL with PostgreSQL 10 installed. As I'm trying to work on future tables together with other users I want to enable the other users to alter my tables as well.
I've created a role pgpublish and all users are members of the role. For a new table, which I created, I altered the table owner to the role pgpublish. Now everyone with the role pgpublish is able to alter the table:
ALTER TABLE "MYcoolSchema"."CoolNewTable" OWNER TO pgpublish;
To make this more automatic/generic, I created a trigger function and tried to create an event trigger as explained here.
Unfortunately I can't create the event trigger (The trigger function works fine), as it is stated:
ERROR: permission denied to create event trigger
"trg_create_set_owner" HINT: Must be superuser to create an event trigger.
SQL state: 42501
Is there a workaround for creating event triggers on Microsoft Azure Database for PostgreSQL? How can this look like?
I could run a cron job on another system to scan for new tables and alter the owner of these new tables to pgpublish but this is not cool at all.
Related
How to create user that can create only tables in database?
grant create on database sport to test1; is wrong because we can create triggers too
There is no way to do that except with an event trigger that throws an error whenever the wrong user creates certain objects.
Note that creating tables or triggers is not connected to permissions on the database, but to permissions on the schema. It seems strange and arbitrary to me to prevent a user that can create tables from adding triggers to these tables.
I have a user/role (lets call that role migration_assistant) in my DB that I want to grant exlusively DDL permissions within my schema.
specifically migration_assistant should be able to CREATE new tables and ALTER existing ones. But it should not be able to DELETE tables or DROP a database etc.
Any idea how to accomplish that?
Is it possible, to configure a Postgres database such, that a specific table may only be updated by a trigger. I have history table, updated by trigger, so I want to prevent this table from un unauthorised access. I want history table to be updated only from trigger.
Sure. Both the history table and the table with the trigger belong to a user that has no login rights. Then you grant privileges on the latter table to the application user.
To prevent unauthorized access to a table you can change the owner of the table to the user who should be accessing with the following query:
alter table yourschema.yourtable owner to youruser;
Now you can disable the trigger for all other users using the query:
alter table yourschema.yourtable disable trigger triggername all;
here all means that the trigger is disabled for all the users. Now only the owner will be able to use the trigger to update the table.
A trigger always fires on the event on it is defined. Thus, if an update trigger is defined for updates, no one can bypass the trigger during an update if the trigger is enabled.
If you have different user groups with different privileges accessing your database, then you should map this about users in the database. For instance you can disallow that a user can disable triggers on a table.
I have a database shared by many users, all the users are in a group "example" and the vast majority of objects in the database are owned by "example". Very occasionally a user will create a new table - that table gets assigned to the user who created it and so the other users are unable to alter the new table.
Is there a way to have the ownership of a table automatically set to the group "example" and not the user who created the table or a way to set up a trigger that happens after a CREATE TABALE or a way to set up group/permissions such that all users will be considered owners of objects regardless of who actually created them?
You could change the default privileges this way:
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO PUBLIC;
or to give write access:
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT,INSERT,UPDATE,DELETE ON TABLES TO PUBLIC;
https://www.postgresql.org/docs/9.0/static/sql-alterdefaultprivileges.html
You probably want to use an EVENT TRIGGER
This is doable in all versions of Pg from 9.3 forward but depending on your version might require different approaches since the structures for event triggers have improved significantly.
In earlier versions you could look through the table catalogs for items owned by the current user. In newer versions you can use pg_event_trigger_ddl_commands to get the information you need. you want to run the command at ddl end.
By default, PostgreSQL allows the owner and any SUPERUSER roles to drop tables. We're trying to create a role that can create tables in a schema, but not drop them once they're created.
More ideally, we'd actually like the created tables to be owned by postgres.
Is there any way to force created tables in a schema to automatically be owned by postgres, or at least prevent them from being dropped by the owner? We are using PostgreSQL 9.4.