Privileges not being updated - postgresql

After running
db=> GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO userx;
WARNING: no privileges were granted for "pg_stat_statements"
GRANT
I tried to
drop trigger t_table on tablex;
I got this result
[42501] ERROR: must be owner of relation tablex
This is everything I ran to change my privileges:
GRANT CONNECT ON DATABASE dbx to userx;
GRANT USAGE ON SCHEMA public to userx;
GRANT ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA public TO userx;
GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO userx;
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL PRIVILEGES ON TABLES TO userx;
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL PRIVILEGES ON SEQUENCES TO userx;
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL PRIVILEGES ON FUNCTIONS TO userx;
What could I be possibly be missing? could WARNING: no privileges were granted for "pg_stat_statements" mean something or is it stopping at that table and not adding the privileges?

Like the error message says, only the table owner (and a superuser) can do that.
The TRIGGER privilege allows you to create a trigger on the table, but not to drop one.
Ownership is not a privilege you can grant; you have to use ALTER TABLE ... OWNER TO ... for that.

Related

Can't revoke default schema privilege

pgadmin shows the default privilege for a schema was granted to an individual user and I need to revoke privilege granted from individual users.
ALTER DEFAULT PRIVILEGES IN SCHEMA a_schema
GRANT ALL ON TABLES TO a_user;
I try the following command but can't revoke the privilege.
ALTER DEFAULT PRIVILEGES IN SCHEMA a_schema
REVOKE ALL ON TABLES FROM a_user;
Can someone show me how to revoke the default privilege schema from user?

dropping a postgres role

I am struggling with dropping a ready only user I created on one of the database in the cluster. I created a read only user using following script:
CREATE USER is_user_readonly WITH ENCRYPTED PASSWORD 'test1';
GRANT CONNECT ON DATABASE db1 to is_user_readonly;
GRANT USAGE ON SCHEMA public to is_user_readonly;
GRANT SELECT ON ALL SEQUENCES IN SCHEMA public TO is_user_readonly;
GRANT SELECT ON ALL TABLES IN SCHEMA public TO is_user_readonly;
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO is_user_readonly;
I logged in database db1 and created this user is_user_readonly. I logged in as admin. This user is created on all databases in the cluster.
Now, for dropping this user, I logged in db1 as admin and ran below scripts:
REVOKE ALL PRIVILEGES ON DATABASE db1 FROM is_user_readonly;
REVOKE ALL PRIVILEGES ON SCHEMA public FROM is_user_readonly;
REVOKE ALL PRIVILEGES ON ALL TABLES IN SCHEMA public FROM is_user_readonly;
REVOKE ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA public FROM is_user_readonly;
REVOKE USAGE ON SCHEMA public FROM is_user_readonly;
REVOKE CONNECT ON DATABASE db1 FROM is_user_readonly;
At this point I am really pulling out my hair that there is still some dependency.
SQL Error [2BP01]: ERROR: role "is_user_readonly" cannot be dropped because some objects depend on it
Detail: privileges for default privileges on new relations belonging to role isadmin in schema public
ERROR: role "is_user_readonly" cannot be dropped because some objects depend on it
Detail: privileges for default privileges on new relations belonging to role isadmin in schema public
ERROR: role "is_user_readonly" cannot be dropped because some objects depend on it
Detail: privileges for default privileges on new relations belonging to role isadmin in schema public.
Do I need to run the revoke script on all database in this cluster?
Any help is highly appreciated.
Revoke the default privileges:
ALTER DEFAULT PRIVILEGES FOR ROLE whatever IN SCHEMA public
REVOKE SELECT ON TABLES FROM is_user_readonly;
The role whatever here is the user you were logged in as when you ran the ALTER DEFAULT PRIVILEGES statement.

Quesition about permissions on Postgres

I know it should be easy question but still facing an issue with permissions.
I need to have 3 users in postgres:
Fully Admin like default "postgres" user
Should have access to insert, select and update with delete but no admin access
Should have access to all tables only with read only permissions
I did this in this way:
CREATE role program_schema_role_ro ;
CREATE role program_schema_role_normal ;
CREATE role program_schema_role_admin ;
CREATE USER user_ro WITH PASSWORD 'user_ro';
CREATE USER user_app WITH PASSWORD 'user_app';
CREATE USER user_admin WITH PASSWORD 'user_admin';
GRANT program_schema_role_ro to user_ro;
GRANT program_schema_role_normal TO user_app;
GRANT program_schema_role_admin TO user_admin;
GRANT program_schema_role_admin TO postgres;
ALTER DEFAULT PRIVILEGES FOR ROLE program_schema_role_admin IN SCHEMA public GRANT ALL ON TABLES TO program_schema_role_admin;
GRANT ALL ON ALL TABLES IN SCHEMA public TO program_schema_role_admin;
GRANT posgtres TO program_schema_role_admin;
ALTER DEFAULT PRIVILEGES FOR ROLE program_schema_role_admin GRANT ALL ON SEQUENCES TO program_schema_role_admin;
GRANT ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA public TO program_schema_role_admin;
REVOKE program_schema_role_admin FROM postgres;
GRANT program_schema_role_normal TO postgres;
ALTER DEFAULT PRIVILEGES FOR ROLE program_schema_role_normal IN SCHEMA public GRANT SELECT, INSERT, UPDATE, DELETE, TRUNCATE ON TABLES TO program_schema_role_normal;
GRANT SELECT, INSERT, UPDATE, DELETE, TRUNCATE ON ALL TABLES IN SCHEMA public TO program_schema_role_normal;
ALTER DEFAULT PRIVILEGES FOR ROLE program_schema_role_normal GRANT USAGE, SELECT ON SEQUENCES TO program_schema_role_normal;
GRANT USAGE, SELECT ON ALL SEQUENCES IN SCHEMA public TO program_schema_role_normal;
REVOKE program_schema_role_normal FROM postgres;
GRANT program_schema_role_ro TO postgres;
ALTER DEFAULT PRIVILEGES FOR ROLE program_schema_role_ro IN SCHEMA public GRANT SELECT ON TABLES TO program_schema_role_ro;
GRANT SELECT ON ALL TABLES IN SCHEMA public TO program_schema_role_ro;
ALTER DEFAULT PRIVILEGES FOR ROLE program_schema_role_ro GRANT SELECT ON SEQUENCES TO program_schema_role_ro;
GRANT SELECT ON ALL SEQUENCES IN SCHEMA public TO program_schema_role_ro;
REVOKE program_schema_role_ro FROM postgres;
But still after all of this I facing a lot of issues.
Like after new table which created by admin, no read access to other
Or app user or ro user have permissions to alter.
Where is my mistake?
The ALTER DEFAULT PRIVILEGES statements you run will only affect objects created by program_schema_role_ro itself, not objects created by members of that role.
You'd have to run
ALTER DEFAULT PRIVILEGES FOR ROLE user_admin ...

Postgresql readonly role and user

I couldn't find an answer to this question: why does selecting from the table fail after the privileges were granted?
-- create new role
CREATE ROLE readonly;
-- grant access to all existing tables
GRANT CONNECT ON DATABASE shop TO readonly;
GRANT USAGE ON SCHEMA public TO readonly;
GRANT SELECT ON ALL TABLES IN SCHEMA public TO readonly;
GRANT SELECT ON ALL SEQUENCES IN SCHEMA public TO readonly;
GRANT EXECUTE ON ALL FUNCTIONS IN SCHEMA public TO readonly;
-- grant access to all table which will be created in the future
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO readonly;
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON SEQUENCES TO readonly;
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT EXECUTE ON FUNCTIONS TO readonly;
-- create user and grant role to this user
CREATE USER b_readonly WITH PASSWORD 'reAdOnLy123';
GRANT readonly TO b_readonly;
My error message from db is following:
ERROR: permission denied for relation customer_search_query SQL
state: 42501
Is there some new trick in Postgresql 9.6.5?
If pg version < 14
try as:
postgres=# CREATE ROLE readaccess;
postgres=# CREATE USER read_user WITH PASSWORD 'read_password';
postgres=# GRANT readaccess TO read_user;
--- INPORTANT (select needed db)---
postgres=# \с your_db;
your_db=# GRANT CONNECT ON DATABASE your_db TO readaccess;
your_db=# GRANT SELECT ON ALL TABLES IN SCHEMA public TO readaccess;
if pg version >= 14
GRANT pg_read_all_data TO readaccess;
It is likely that the table you're querying from, customer_search_query is not in the public schema. Try running this command.
GRANT SELECT ON customer_search_query TO readonly;

Grant access to views in postgresql

I have a view called testview in postgresql.
I created a new user called testuser.
I would like testuser to have all privileges on all tables and views in the database.
To do this I ran the following commands:
GRANT ALL PRIVILEGES ON DATABASE testdb TO testuser;
GRANT USAGE ON SCHEMA public TO testuser;
GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO testuser;
testuser now has access to all tables in the database, but if I try to run SELECT * FROM testview I get the following error: permission denied for relation testview.
What is wrong? How do testuser get access to testview?
I agree it should work. With permissions GRANT ... ON ALL TABLES should include views too.
Did you create the view after granting the privileges to testuser? If so then it doesn't have the same privileges as the other tables. That's because GRANT ... ON ALL TABLES means "on all tables that currently exist". To include tables/views you create in the future, you can say:
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO testuser;
Or if you want to give more than SELECT, you can say ALL PRIVILEGES instead.
I think this behavior of ON ALL TABLES is one of the most misunderstood bits about Postgres permissions, and it isn't really called out in the standard documentation, so I tried to emphasize it in my own Postgres permissions overview.
postgres=# GRANT ALL PRIVILEGES ON DATABASE testdb TO testuser;
postgres=# GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO testuser;
GRANT USAGE on schema:
GRANT USAGE ON SCHEMA schema_name TO username;
Grant SELECT for a specific table:
GRANT SELECT ON tbl_loans_new TO oloffm;
Grant SELECT for multiple tables:
GRANT SELECT ON ALL TABLES IN SCHEMA schema_name TO username;