I'm new to PostgreSQL. I created a user to use a specific schema. I have created a table, but I can't restrict access at the schema level. I don't want to show all schemas to the user. How can I prevent access to the schema?
Use GRANT and REVOKE to grant access and privileges on your database, including schemas.
I want to give multiple users access to create tables in an external schema in Redshift. I can make a user the owner of the schema and he can create them, but how do I grant other users the same access without altering the schema ownership? I tried to make a role the owner of the schema, which doesn't work.
As per the documentation:
To create external tables, you must be the owner of the external schema or a superuser.
Is there any workaround?
In postgres, you can GRANT or REVOKE privileges like:
REVOKE ALL ON SCHEMA public FROM PUBLIC;
GRANT USAGE ON SCHEMA public TO <myuser>;
My question: if each database has a schema PUBLIC, then are you revoking or granting this for all databases? If so, what if you only want to alter the schema permissions of one database?
The context: I want to GRANT SELECT, INSERT, DELETE to one user for only one schema in one database. I want to do this without being connected to the DB. Or is the way to do this simply by also handling CONNECT permissions on the actual databases? So if they can only connect to one database, it doesn't matter if you say "all" PUBLIC schemas?
There are a lot of questions here; I'll try to restore order.
It is a good idea to revoke CREATE from the public schema in all databases.
But you absolutely have to connect to each database in turn to do that.
A beautiful solution might be to do it on the database template1. Then every new database will automatically be set up correctly, since CREATE DATABASE copies the template database.
To give users permission to a schema in all databases, you again have to connect to all databases in turn.
It is also a good idea to REVOKE ALL on all databases from PUBLIC and grant the CONNECT privilege selectively.
This time, you can do it without connecting to each database, because databases are shared objects — the pg_database catalog is accessible from each database.
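Applying the answer above in a psql session, as an added example that is not part of the original answer. The database name db1 and the role app_user are assumptions; lines beginning with a backslash are psql meta-commands, everything else is plain SQL, and the session is assumed to run as a superuser.

```sql
-- Added example; db1 and app_user are assumed names, not from the original post.

-- (a) Fix the template so that every database created from now on inherits
--     the change (CREATE DATABASE copies template1 at creation time).
\connect template1
REVOKE CREATE ON SCHEMA public FROM PUBLIC;

-- (b) Existing databases are not touched by (a): a schema's ACL lives inside
--     the database, so connect to each one in turn and repeat the REVOKE.
\connect db1
REVOKE CREATE ON SCHEMA public FROM PUBLIC;

-- (c) CONNECT is a database-level privilege stored in the shared catalog
--     pg_database, so it can be changed from any session, no \connect needed.
--     Superusers and the database owner are unaffected by this REVOKE.
REVOKE CONNECT ON DATABASE db1 FROM PUBLIC;
GRANT  CONNECT ON DATABASE db1 TO app_user;

-- Audit from any database: which non-template databases still let PUBLIC
-- connect?  A NULL datacl means the built-in default ACL, which includes
-- CONNECT for PUBLIC; in aclexplode() output, grantee 0 stands for PUBLIC.
SELECT d.datname,
       (d.datacl IS NULL
        OR EXISTS (SELECT 1
                   FROM aclexplode(d.datacl) AS a
                   WHERE a.grantee = 0
                     AND a.privilege_type = 'CONNECT')) AS public_can_connect
FROM pg_database AS d
WHERE NOT d.datistemplate
ORDER BY d.datname;
```

The audit query is the check to run after step (c): it answers the "do I have to connect to every database?" question for CONNECT with a single statement, whereas the schema-level REVOKE in (b) really does have to be repeated per database.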
I am trying to revoke all permissions of a user on a database, but I can't get it to work.
I am doing:
REVOKE ALL PRIVILEGES ON DATABASE db1 FROM user1;
REVOKE ALL refers to all the permissions on one object, not on any related objects. In this case, you are saying "all permissions which apply to the database, as a single object". The only permission which exists at the database level is CONNECT, and by default, that is granted to the special role Public, of which all other roles are a member.
So to deny access to a user that way, you would have to revoke CONNECT privilege from Public, and then explicitly GRANT it to the roles you do want to give access to.
There are a few other options that come to mind:
Set a DENY rule for that combination of user and database in pg_hba.conf
Revoke USAGE on all schemas in the database, so that they can connect but not access anything. I believe the public schema has this granted to the public role, so you will need to revoke it first, as with CONNECT.
Revoke all from the objects within the database. This requires multiple statements like REVOKE ALL PRIVILEGES ON ALL TABLES IN SCHEMA foo FROM somebody for different object types. You should also use ALTER DEFAULT PRIVILEGES to make sure objects you create from now on won't be accessible.
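The options listed in the answer above, worked through as an added example that is not part of the original answer. The database db1, the schema app, the role to lock out (user1) and the role that owns the application objects (app_admin) are all assumed names. The pg_hba.conf line appears only as a comment, since it is a configuration entry rather than SQL.

```sql
-- Added example; db1, app, user1 and app_admin are assumed names.
-- Run as a superuser while connected to the database in question.
\connect db1

-- Option 1: user1 may connect but cannot reach anything inside.
-- The public schema grants USAGE to PUBLIC by default, and every role is a
-- member of PUBLIC, so revoking from user1 alone changes nothing there:
-- the revoke has to target PUBLIC. Schemas granted to user1 directly are
-- revoked from user1.
REVOKE USAGE ON SCHEMA public FROM PUBLIC;
REVOKE USAGE ON SCHEMA app    FROM user1;

-- Option 2: strip rights on every existing object, one statement per type.
REVOKE ALL PRIVILEGES ON ALL TABLES    IN SCHEMA app FROM user1;
REVOKE ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA app FROM user1;
REVOKE ALL PRIVILEGES ON ALL FUNCTIONS IN SCHEMA app FROM user1;
-- Functions are EXECUTE-able by PUBLIC by default, so, as with schema USAGE,
-- the effective revoke for functions is from PUBLIC, not from user1.
REVOKE EXECUTE ON ALL FUNCTIONS IN SCHEMA app FROM PUBLIC;

-- The statements above cover objects that exist now. ALTER DEFAULT PRIVILEGES
-- changes what objects created later by app_admin in schema app hand out.
-- Tables grant nothing to PUBLIC by default, so there is nothing to remove
-- there unless an earlier ALTER DEFAULT PRIVILEGES added a grant; functions
-- do need the default EXECUTE for PUBLIC removed.
ALTER DEFAULT PRIVILEGES FOR ROLE app_admin IN SCHEMA app
    REVOKE EXECUTE ON FUNCTIONS FROM PUBLIC;
ALTER DEFAULT PRIVILEGES FOR ROLE app_admin IN SCHEMA app
    REVOKE ALL PRIVILEGES ON TABLES FROM user1;

-- Option 3 (authentication layer, not SQL): a reject line in pg_hba.conf.
-- pg_hba.conf is read top to bottom and the first matching line wins, so the
-- reject line must come before any line that would otherwise allow user1:
--   host    db1    user1    0.0.0.0/0    reject

-- Check what user1 still holds, per object, once the revokes are in place.
-- has_table_privilege() looks only at the table ACL; schema USAGE is a
-- separate check, done here with has_schema_privilege().
SELECT n.nspname  AS schema_name,
       c.relname  AS table_name,
       has_schema_privilege('user1', n.nspname, 'USAGE')  AS schema_usage,
       has_table_privilege('user1', c.oid, 'SELECT')     AS can_select,
       has_table_privilege('user1', c.oid, 'INSERT')     AS can_insert
FROM pg_class AS c
JOIN pg_namespace AS n ON n.oid = c.relnamespace
WHERE n.nspname = 'app'
  AND c.relkind IN ('r', 'v', 'm')
ORDER BY c.relname;
```

Two things the answer above only hints at are made explicit here: a REVOKE only undoes a matching GRANT, so privileges that reach user1 through PUBLIC have to be revoked from PUBLIC; and default privileges are attached to the creating role, so ALTER DEFAULT PRIVILEGES must name (FOR ROLE) whichever role will actually create the future objects.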
I installed a PostgreSQL 9 database (migration from Oracle 10g) and I am really confused by user/role management. When I create a new user using an SQL command like CREATE USER or CREATE ROLE, or with the Navicat tool, the created user can see all databases! He really can connect to them! Although he can't select any data from tables, he can see table objects, sequences and so on. I was trying to revoke the CONNECT privilege, but with no effect. I expected the new user to have no privileges and not be able to see anything. I really don't know why he can.
From http://www.postgresql.org/docs/9.2/static/sql-grant.html#SQL-GRANT-DESCRIPTION-OBJECTS (emphasis mine):
PostgreSQL grants default privileges on some types of objects to PUBLIC. No privileges are granted to PUBLIC by default on tables, columns, schemas or tablespaces. For other types, the default privileges granted to PUBLIC are as follows: CONNECT and CREATE TEMP TABLE for databases; EXECUTE privilege for functions; and USAGE privilege for languages. The object owner can, of course, REVOKE both default and expressly granted privileges. (For maximum security, issue the REVOKE in the same transaction that creates the object; then there is no window in which another user can use the object.) Also, these initial default privilege settings can be changed using the ALTER DEFAULT PRIVILEGES command.
In order to remove all privileges (including CONNECT) for all unspecified users on a database, use:
REVOKE ALL PRIVILEGES ON DATABASE <database> FROM public;
See also:
PostgreSQL: View database connect permissions
http://wiki.postgresql.org/wiki/Shared_Database_Hosting
You probably also need to modify the pg_hba.conf file. By default, a local installation doesn't do authorization checks.
I want to create a Postgres user that can access only one database on the Postgres server.
Currently my flow is:
create database database1;
create user user1 with password 'pass';
grant all privileges on database database1 to user1;
but user1 can still see a list of DBs, users, tables etc. Is there a way to prevent that user from seeing that info? The user needs to be able to write to and read from that DB.
Thanks a lot.
Each user can see other databases and roles listed, but should not be able to see tables in other databases, ever.
If you revoke CONNECT privilege on all databases except the allotted one, the user will not be able to access the contents of other databases.
Roles and database names are global, and not readily blockable. You can try Frank Heikens' suggestion of selective revocations on the system tables, but you take risks in doing that. PostgreSQL developers on the Usenet mailing lists have discouraged tampering with access to the system catalogs.
psql, among other tools, assumes they will be available and functions poorly without them.
Why is knowing the names of other databases and roles so bad?
REVOKE the SELECT permissions on the information_schema and some sections in the system catalog.
By default, any objects you create are created in the public schema. Also, any users that you create have CREATE and USAGE privileges on the public schema. You should revoke CREATE and USAGE on the public schema for this user, or you should change the default access level. You'll also need to move the objects to which this user has access into the user's schema, or a schema accessible to the user. See DDL Schemas in the Postgres manual.
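The first question on this page (a user confined to one schema) and the answer directly above, put together as an added example that is not taken from any of the posts here. The database appdb, the role app_user, the schema app and the table app.orders are assumed names; the script is meant to be run as a superuser or the database owner while connected to appdb.

```sql
-- Added example; appdb, app_user, app and app.orders are assumed names.

CREATE ROLE app_user LOGIN PASSWORD 'change-me';   -- placeholder password

-- 1. Take the default rights on the public schema away from everyone.
--    Up to PostgreSQL 14, PUBLIC holds both CREATE and USAGE on public;
--    from 15 on, CREATE is already gone and revoking it again is harmless.
REVOKE CREATE, USAGE ON SCHEMA public FROM PUBLIC;

-- 2. Put the application's objects in their own schema, owned by the admin
--    (the current role), not by app_user, so app_user cannot create or drop.
CREATE SCHEMA app;
CREATE TABLE app.orders (
    id     serial  PRIMARY KEY,
    total  numeric NOT NULL
);

-- 3. Grant exactly what the role needs: USAGE to reach the schema, DML on
--    the tables, and sequence access for the serial column.
--    "ON ALL TABLES IN SCHEMA" covers tables that exist at this moment only;
--    tables created later need their own GRANT (or ALTER DEFAULT PRIVILEGES).
GRANT USAGE ON SCHEMA app TO app_user;
GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA app TO app_user;
GRANT USAGE, SELECT ON ALL SEQUENCES IN SCHEMA app TO app_user;

-- 4. Verify the resulting rights of app_user from the admin session.
--    Each column is a true/false answer for one privilege.
SELECT has_schema_privilege('app_user', 'public', 'USAGE')       AS public_usage,
       has_schema_privilege('app_user', 'public', 'CREATE')      AS public_create,
       has_schema_privilege('app_user', 'app', 'USAGE')          AS app_usage,
       has_schema_privilege('app_user', 'app', 'CREATE')         AS app_create,
       has_table_privilege('app_user', 'app.orders', 'SELECT')   AS orders_select,
       has_table_privilege('app_user', 'app.orders', 'INSERT')   AS orders_insert;
```

What this does and does not achieve follows from the earlier answers on this page: without USAGE, app_user cannot reference anything in public, but the names of schemas, databases and roles remain visible through the system catalogs, and the answer recommending against locking those down still applies.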