Limit db user permission on google cloud sql - postgresql

I'm new to Google Cloud SQL. I created two postgres DBs with two new users (one created from web dashboard and one created from commandline). My goal is to prevent the two users to be able to modify each other DB, but I cannot get it to work.
Here is what I want:
UserA all privileges on DB_A
UserA no privileges on DB_B
UserB all privileges on DB_B
UserB no privileges on DB_A
I already tried to grant/revoke permissions from psql prompt, but in the end I still be able to create/drop tables in DB_A as UserB.
Is it possible to achieve what I want? Am I missing something?

Postgres on Cloud SQL is standard Postgres, so it's just like any other Postgres instance:
To give a role all privileges:
GRANT ALL ON <db_name> TO <role_name>;
To remove all privileges:
REVOKE ALL ON <db_name> TO <role_name>;
The Postgres docs on privileges does give the follow caveat for:
The special privileges of an object's owner (i.e., the right to modify
or destroy the object) are always implicit in being the owner, and
cannot be granted or revoked
So keep that in mind - if UserA owns both databases, they can always modify them.

Related

Create role which can run any queries on all databases postgresql

theres a default postgres user (superuser) hes able to run some random queries on all databases like select * from regions; etc.
i do have a 7 databases in pgadmin tool 1 user which is postgres and i created role service_user and granted all privileges to service_user(GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA public TO service_user;), but when i sign in to different database as service_user im not able to run queries, it says permission denied. so i need to login to that db as superuser grant all privileges again and then service_user is able to tun queries.
So my question is how can i grant all privileges to this service_user so he can login to any database and run queries. i can do it manually but its 7 databases i need to login and log out 7 times to every database. what if i have 500 databases running. keep in mind service_user shoould not be superuser. just read-write permissions and able to run any queries in any 7 databases. enter image description here

Amazon RDS - Postgresql role cannot access tables

created a postgresql instance on AWS with the username ziggy. I restored a database to that instance. however I cannot even select any of the tables
select * FROM mac_childcare_parcels
gives me ERROR: permission denied for relation mac_childcare_parcels
********** Error **********
the owner of that table belongs to the postgres login.
so i tried running this: grant all privileges on all tables in schema public to ziggy but since I am not a superuser I cannot give myself privileges so that throws a permissions error. what do I have to do to get access to the tables?
this does not work either
grant select on mac_childcare_parcels to ziggy
this query returns successful but does not let the login ziggy access the tables
GRANT USAGE ON SCHEMA public TO ziggy;
First login with superuser and provide all rds superuser access to the newly created user using a command like below
GRANT rds_superuser TO ziggy;
replace rds_superuser with your rds superuser.
You need to also GRANT USAGE on the SCHEMA, e.g.
GRANT USAGE ON SCHEMA public TO ziggy;
The superuser access is needed to run the access level queries. But as you said that access is not present then i would say copy the replica of the db which you have restored from backup and grant yourself as superuser.
then provide all needed access to any users.

Basic configuration of database permissions

I'm learning databases and I have a question how to prepare the rules and groups configuration for the following assumptions:
I have two databases:
databaseA
databaseB
Each database will have several users connecting using the connectionString (server, port, database, username, password). So I have 3 users to each database:
userA1, userA2, userA3
userB1, userB2, userB3
How to create groups and roles and how to grant permission so that users A can only connect to database A and users B to database B. Can I make A users not see database B, have not seen users assigned to database B?
Probably it is a simple question, but I would like to see an example of how to do it - for now I have A and B database and the postgres user.
There is no point in trying to keep others from seeing a database's or user's metadata, don't try. PostgreSQL does not support that.
You create a user (a “login role”) with
CREATE ROLE user1a LOGIN;
As to the permissions, you first have to remove the default privilege that allows everyone to connect to the database:
REVOKE CONNECT, TEMP ON DATABASE databasea FROM PUBLIC;
Then you have to specifically allow the required users in:
GRANT CONNECT ON DATABASE databasea TO usera1, usera2, usera3;
If you have many users, or the users change frequently, it is better to use a group (a “nologin role”) that has the CONNECTprivilege, and you add the users to the group.
You have to configure pg_hba. conf so that the users are allowed to authenticate, see the documentation.

Create user with grant privileges on only one database

I want to grant read/write privileges to new user only to one database, so he can't access other databases.
After I created new user with:
sudo -u postgres createuser <username> What privileges this user get?
Is this all I need:
GRANT ALL PRIVILEGES ON my_db TO new_user; to get access to only one database?
What is the best way to do this?
Using PostgreSQL 10
By default, PUBLIC (everyone) is allowed to connect to all databases. So you'd have to revoke that privilege and hand out CONNECT more judiciously.
In addition to that, you'd have to make sure that every user has CREATE on all schemas in “his” database and the necessary privileges on all tables, because privileges on the database itself are not enough to access the objects in the database.
It could be the simplest solution to use REASSIGN OWNED to give the user ownership of all objects in “his” database.

Postgres ACL for Schemas

I'm not a DBA and I have got some questions around access controls for schemas. Let's say I have a Postgres server running a several databases. The admin user is postgres. I have another user tmpUser with which I could log in to the remote server using pgadmin3 client.
I now create a database called myDatabase which is by default owned by the postgres user. I then use my admin client to remotely log in to this myDatabase using the tmpUser account.
I now create a new schema inside this myDatabase called myDbSchema. I created a new role called myDbRole and did a grant usage, grant all on myDatabase, myDbSchema to the myDbRole.
The question now is how should I control access to this myDatabase. I tried to log in to the remote server using the tmpUser and when I tried to execute select * from myTable where myTable is a table in myDatabase, it came back with a permission denied sql message. So I changed the owner of the table to the tmpUser which I really do not want to!
Is there a guide or something on how I should go about creating and organizing roles with schemas in postgres?
It is not entirely clear what your problem is (for instance, what is role "myDbRole" for, is that a group role (NOLOGIN) or a user role (LOGIN)?) but in general you could follow this pattern of permission management:
Create a specific role to own a database and all or most of the objects in it. This should be a group role (NOLOGIN) for security reasons. Do not use the postgres user; if you need to login as that role often to do regular database work, you are doing something wrong. Any superuser (or other user role that has that role granted to it) can "impersonate" that owner role using SET SESSION AUTHORIZATION to do necessary maintenance. In a production environment this should be hardly ever necessary; during development you might want to consider making the role with LOGIN permission for ease of use.
The owner creates all the schemas, tables, views, functions, etc. that you need for your application. By default, all of those objects are only available to the database owner, with the exception of functions.
Define a number of group role profiles, each having specific requirements of the database. You could have, for instance sales_staff, product_managers, accounting and senior_management for a company, or web_user, web_admin, app_developer and app_manager for a web site. The database owner then GRANTs access to the database (CONNECT), schemas (USAGE), tables, views and functions (EXECUTE), as needed. I usually REVOKE ALL ON FUNCTION x() TO public, for security reasons.
Assign group role membership to user roles, as needed: GRANT sales_staff TO jane. The user roles should have LOGIN INHERIT such that they can log in and inherit the permission of group roles that they are a member of. That includes the permission to connect to a database and usage rights on schemas. Note that a single user role can have membership in multiple group roles.
Lastly, update your pg_hba.conf file to enable remote access to the database.