I was trying to implement autonomous transactions in Postgres by using the pg_background extension. Although it is installed, I can't call the function pg_background_launch.
Command CREATE EXTENSION pg_background returns error ERROR: extension "pg_background" already exists, so I know it already exists.
But when I run query SELECT pg_background_launch('SELECT 1'); it returns error ERROR: permission denied for function pg_background_launch
Any idea what I missed? Do I need to grant some privileges? In the documentation here https://github.com/vibhorkum/pg_background, nothing more is done after creating the extension.
You need the user who created the extension to grant out access to the functions to other users:
GRANT ALL ON FUNCTION public.pg_background_launch(sql text, queue_size integer) to some_user;
GRANT ALL ON FUNCTION public.pg_background_result(pid integer) to some_user;
GRANT ALL ON FUNCTION public.pg_background_detach(pid integer) to some_user;
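An added example, not part of the original answer: the same grants issued as EXECUTE (the only privilege a function has) to a group role, followed by an audit of every function the extension owns. The role name bgworker_callers is hypothetical, some_user is the placeholder from the answer, and the functions are assumed to live in schema public as shown above.

```sql
-- Hypothetical group role: membership, not per-user grants, controls access.
CREATE ROLE bgworker_callers NOLOGIN;

-- Functions are identified by argument types; argument names are optional.
GRANT EXECUTE ON FUNCTION public.pg_background_launch(text, integer) TO bgworker_callers;
GRANT EXECUTE ON FUNCTION public.pg_background_result(integer)       TO bgworker_callers;
GRANT EXECUTE ON FUNCTION public.pg_background_detach(integer)       TO bgworker_callers;

-- some_user is the grantee name used in the answer.
GRANT bgworker_callers TO some_user;

-- Audit: list every function that belongs to the extension (wherever it was
-- installed) and whether some_user can now execute it, directly or through
-- role membership.
SELECT p.oid::regprocedure                                         AS function_signature,
       has_function_privilege('some_user'::name, p.oid, 'EXECUTE') AS some_user_can_execute,
       p.proacl                                                    AS acl
FROM pg_catalog.pg_extension AS e
JOIN pg_catalog.pg_depend AS d
  ON  d.refclassid = 'pg_catalog.pg_extension'::regclass
  AND d.refobjid   = e.oid
  AND d.classid    = 'pg_catalog.pg_proc'::regclass
  AND d.deptype    = 'e'            -- 'e' marks extension membership
JOIN pg_catalog.pg_proc AS p ON p.oid = d.objid
WHERE e.extname = 'pg_background'
ORDER BY 1;
```

Any row with some_user_can_execute = false is a function the extension ships that was not covered by the grants.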
Related
I have a problem with extension creating. I run following code:
CREATE EXTENSION IF NOT EXISTS dblink WITH SCHEMA pg_catalog;
And then I receive next error:
ERROR: permission denied to create "pg_catalog.dblink_pkey_results"
DETAIL: System catalog modifications are currently disallowed.
So, I have no idea what I need to do in this case...
I have a simple GRANT statement that I need to run to allow a single user execute permissions on a routine:
GRANT EXECUTE ON ROUTINE sales.refresh_data(varchar, varchar) to rperson
...but it's throwing an error:
ERROR: syntax error at or near "sales"
From the documentation I can find, this is the correct syntax, and the function signature is correct.
In PostgreSQL I have a database with a custom function which loads the binary content of a file into a database table by using the system function pg_read_binary_file.
If I run this custom function under a user with superuser rights, it executes successfully. But when the user does not have superuser rights, I receive an error:
permission denied for function pg_read_binary_file
I thought that all I needed was to simply GRANT permission to EXECUTE the function to such a user, so I did the following:
GRANT EXECUTE ON FUNCTION pg_read_binary_file(text,bigint,bigint,boolean) TO someuser;
GRANT EXECUTE ON FUNCTION pg_read_binary_file(text,bigint,bigint) TO someuser;
GRANT EXECUTE ON FUNCTION pg_read_binary_file(text) TO someuser;
If I check the permissions by
SELECT proacl FROM pg_proc WHERE proname='pg_read_binary_file';
I get:
{postgres=X/postgres,someuser=X/postgres}
{postgres=X/postgres,someuser=X/postgres}
{postgres=X/postgres,someuser=X/postgres}
As I understand, now someuser has permission to execute the function pg_read_binary_file. But when I try to run my custom function, I still receive the same error:
permission denied for function pg_read_binary_file
So the question is how to give permission to a non-superuser to execute the function pg_read_binary_file? Maybe there are some additional permissions that must be granted, but it is not obvious.
In the documentation on Postgres system functions for pg_read_binary_file it is written that:
Restricted to superusers by default, but other users can be granted EXECUTE to run the function.
I searched for some additional information about how I can give such permissions, but without luck.
There are three possibilities:
1. You are using an old PostgreSQL version.
   Before commit e79350fef2917522571add750e3e21af293b50fe, this was not governed by permissions on the functions, but by hard-coded checks in the function itself.
   This doesn't seem to be your case, however, because the error messages would then read:
   ERROR: must be superuser to read files
2. You are not someuser when you try to execute the function. Test with
   SELECT current_user;
3. You are connected to a different database (e.g., you changed the permissions in the postgres database, but someuser connects to a different database).
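An added example, not part of the original answer: one query that checks all three possibilities at once, run from the session that actually raises the error. It uses only built-in catalog functions; the column aliases are illustrative.

```sql
-- Run this in the exact session that raises "permission denied for function".
-- Function ACLs live in pg_proc, which is a per-database catalog, so the
-- answer can differ between databases on the same server.
SELECT current_setting('server_version')                      AS server_version,  -- possibility 1
       session_user                                           AS logged_in_as,
       current_user                                           AS effective_role,  -- possibility 2
       current_database()                                     AS connected_db,    -- possibility 3
       p.oid::regprocedure                                    AS overload,
       has_function_privilege(current_user, p.oid, 'EXECUTE') AS can_execute,
       p.proacl                                               AS acl
FROM pg_catalog.pg_proc AS p
JOIN pg_catalog.pg_namespace AS n ON n.oid = p.pronamespace
WHERE n.nspname = 'pg_catalog'
  AND p.proname = 'pg_read_binary_file'
ORDER BY p.oid;
```

If can_execute is false here while the proacl checked earlier showed someuser=X, the grant was made in a different database or the session is running as a different role than expected.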
I've got a Postgres database and user I've created on Google Cloud SQL.
I'm trying to install the postgis extension for that user:
myuser=> CREATE EXTENSION postgis;
ERROR: permission denied to create extension "postgis"
HINT: Must be superuser to create this extension.
As you can see, it won't allow me to create the extension for this user, so I attempted to make this user a superuser from the postgres role:
postgres=> ALTER USER myuser WITH SUPERUSER;
ERROR: must be superuser to alter superusers
and I get the following error. This is because Google Cloud SQL does not allow the SUPERUSER role for any postgres accounts according to: https://cloud.google.com/sql/docs/postgres/users.
So I'm in this weird state of purgatory that I need to add this extension, but can't.
Any tips on how to proceed?
It looks like creating a new user through the API (or the console) will give it the proper permissions, at least according to the prompt when trying to add additional users through the console:
Using: Postgres 9, CentOS 7,
Postgres Data directory not in default location but used RSync to make sure permissions were correct. And yes appropriate .config files were changed.
When I try to query a view containing an encrypted item as a NON superuser (Testuser), I get this error:
ERROR: must be superuser to read files
CONTEXT: PL/pgSQL function decrypt_data(bytea) line 13 at assignment
If I run that same query using POSTGRES superuser, the query completes fine.
This seems to be a file system read permission error when trying to read the key files. Everything I see about using encryption seems not to mention how to run without being superuser.
I have already run the following grants for Testuser:
GRANT ALL PRIVILEGES ON DATABASE xxx_db to Testuser;
GRANT SELECT ON ALL TABLES IN SCHEMA xxxxx TO Testuser;
GRANT ALL ON ALL TABLES IN SCHEMA xxxxx TO Testuser;
The test user can create tables, views, basically anything within that db.. just not read encryption keys.
The permissions on the keys are 775 right now, I even tried 777 without luck.
Any Ideas?
pgcrypto is a PostgreSQL extension described here:
https://www.postgresql.org/docs/current/static/pgcrypto.html
but it doesn't provide a decrypt_data(bytea) function.
This function seems to be custom code that happens to open a server-side file, with pg_read_file() or a similar method.
These methods are restricted to superusers to prevent normal users from reading the server's filesystem, no matter what the Unix permissions of the particular file they want to read are.
You can verify this in the source of decrypt_data(bytea), which can be obtained with:
select pg_get_functiondef('decrypt_data(bytea)'::regprocedure);
or \df+ decrypt_data(bytea) from within psql.
I found the issue. I needed to grant the user function permissions.
GRANT EXECUTE ON ALL FUNCTIONS IN SCHEMA xxxxx TO yyyyyyyyy;