I'm currently not able to create a postgresql database user within a function.
Background:
I have a Java Swing application and my goal is to develop a menu to create, alter and delete database users. To make it a bit more secure I created a role "usermanagement" and only members of this role are allowed to use the function to create users. The role also contains the right "createuser"
The query runs without any problems, but it does not create a new user... So i don't know what's wrong with it.
This is how i try to use my function:
SELECT create_databaseuser(v_username := 'thisname' ,v_password := 'pwpwpw');
Can anyone help?
Here is my code:
-- Function: public.create_databaseuser(text, text)
-- DROP FUNCTION public.create_databaseuser(text, text);
CREATE OR REPLACE FUNCTION public.create_databaseuser(
v_username text,
v_password text)
RETURNS numeric AS
$BODY$
DECLARE
r_id numeric;
BEGIN
--CREATE ROLE v_username LOGIN
--PASSWORD 'v_password' NOSUPERUSER INHERIT NOCREATEDB NOCREATEROLE NOREPLICATION;
EXECUTE 'CREATE USER ' || v_username || ' WITH PASSWORD ' || v_password;
-- Alternative:CREATE ROLE v_username LOGIN PASSWORD v_password NOSUPERUSER INHERIT NOCREATEDB NOCREATEROLE NOREPLICATION;
return 1;
-- Simple Exception
EXCEPTION
WHEN others THEN
RETURN 0;
END;
$BODY$
LANGUAGE plpgsql VOLATILE SECURITY DEFINER
COST 100;
ALTER FUNCTION public.create_databaseuser(text, text)
OWNER TO postgres;
Note the STRICT (returns NULL on NULL input), uses FORMAT() to help against SQL injection issues, and quotes the inputs properly. The input argument "v_username" was revised to be of type NAME, to match the type in pg_catalog.pg_roles.
DROP FUNCTION IF EXISTS public.create_databaseuser(NAME, TEXT);
CREATE OR REPLACE FUNCTION public.create_databaseuser(
v_username NAME,
v_password TEXT)
RETURNS smallint AS
$BODY$
DECLARE
BEGIN
EXECUTE FORMAT('CREATE ROLE "%I" LOGIN PASSWORD ''%L''', v_username, v_password);
RETURN 1;
-- Simple Exception
EXCEPTION
WHEN others THEN
RETURN 0;
END;
$BODY$
LANGUAGE plpgsql STRICT VOLATILE SECURITY DEFINER
COST 100;
ALTER FUNCTION public.create_databaseuser(NAME, TEXT) OWNER TO postgres;
select rolname from pg_catalog.pg_roles order by 1;
SELECT create_databaseuser(v_username := 'thisname' ,v_password := 'pwpwpw');
select rolname from pg_catalog.pg_roles order by 1;
Related
this is a Postgres related question.
I can't figure out why I get ERROR undefined_table relation "temp_table" does not exist
I tried all sorts of things, but maybe I don't really understand how I correctly use a temporary table in a function that was created in another function.
CREATE FUNCTION api.test() RETURNS BOOLEAN LANGUAGE 'plpgsql' SECURITY DEFINER AS $$
BEGIN
CREATE TEMP TABLE temp_table( id INT NOT NULL) ON COMMIT DROP;
INSERT INTO temp_table (id) VALUES (1), (2);
RETURN TRUE;
END;
$$;
CREATE FUNCTION api.test_id(p_id INT) RETURNS BOOLEAN LANGUAGE 'plpgsql' SECURITY DEFINER AS $$
DECLARE
v_id INTEGER;
BEGIN
SELECT id INTO v_id FROM temp_table WHERE id = p_id LIMIT 1;
return v_id IS NOT NULL;
END;
$$;
PS: I create the temporary table in a function to protect it from being accessed outside of the functions by a different role.
I tested your code. It works if in the same transaction.
You are working from different transactions. See here:
https://www.postgresql.org/docs/current/sql-createtable.html#SQL-CREATETABLE-COMPATIBILITY
At "Temporary Tables"
I have a trigger function that gets a person's username from their first and last name, and then drops the user with that username from a group with privileges, essentially locking that person out of the database.
returns "trigger" AS'
DECLARE
uname varchar(255);
begin
uname = (SELECT CONCAT(LOWER(first_name), LOWER(last_name)) FROM members WHERE library_card_id = (SELECT members_library_card_id FROM borrowed_books WHERE fine_id IS NOT NULL));
alter group members drop user uname;
end;
' LANGUAGE 'plpgsql';
CREATE TRIGGER block_member_if_fine
AFTER UPDATE on borrowed_books
FOR EACH ROW
EXECUTE PROCEDURE f_block_member_if_fine();
However, when I use the trigger function, I get an error role "uname" does not exist
Is there a way to use uname as a variable? Or maybe there's a different way of dropping a user with a trigger function?
Try this :
CREATE OR REPLACE PROCEDURE f_block_member_if_fine()
RETURNS "trigger" LANGUAGE 'plpgsql' AS
$$
DECLARE
uname varchar(255);
BEGIN
SELECT CONCAT(LOWER(m.first_name), LOWER(m.last_name))
INTO uname
FROM members AS m
WHERE m.library_card_id = NEW.members_library_card_id
AND NEW.fine_id IS NOT NULL;
IF FOUND
THEN
EXECUTE 'ALTER GROUP members DROP USER '|| quote_nullable(uname) ;
END IF ;
RETURN NEW ;
END ;
$$
CREATE TRIGGER block_member_if_fine
AFTER UPDATE on borrowed_books
FOR EACH ROW
EXECUTE PROCEDURE f_block_member_if_fine();
How to call DROP USER from Pl/PgSql (see example) ?
CREATE PROCEDURE myfunc()
LANGUAGE PLPGSQL AS
$$
DECLARE
super_users TEXT[];
ldap_users TEXT[];
u TEXT;
BEGIN
super_users := ARRAY(SELECT usename::TEXT FROM pg_catalog.pg_user WHERE usesuper);
ldap_users := ARRAY(SELECT uid::TEXT FROM ldap_users);
FOREACH u IN ARRAY ldap_users LOOP
IF (u <> 'postgres' AND u <> ALL(super_users)) THEN
DROP USER IF EXISTS u;
END IF;
END LOOP;
END;
$$;
It leads to error that "role u does not exist"...
IMHO PL/PGSQL does not treat u as a variable, but as a name. And DROP USER... is not SQL but some extension. How to do it? Maybe some system function? Or special syntax to substitute u?
EDIT:
My solution (just found):
DECLARE
stm TEXT;
...
BEGIN
...
stm := 'DROP USER IF EXISTS "' || u '"';
EXECUTE stm;
...
It seems to work. Maybe there is other solutions? More canonical?
You need dynamic SQL for this:
execute format('DROP USER IF EXISTS %I', u);
Try this:
DROP OWNED BY user;
DROP ROLE user;
DROP USER user;
It works for me.
P.d: After checking SOF, you can try:
REVOKE ALL PRIVILEGES ON ALL TABLES IN SCHEMA public FROM user;
REVOKE ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA public FROM user;
REVOKE ALL PRIVILEGES ON ALL FUNCTIONS IN SCHEMA public FROM user;
DROP USER user;
Cheers mate.
I have the following script to dynamically create views into a PostgreSQL database.
CREATE OR REPLACE FUNCTION cs_refresh_mviews() RETURNS integer AS $$
DECLARE
mviews RECORD;
query text;
park_name text;
ppstatements int;
BEGIN
RAISE NOTICE 'Creating views...';
FOR mviews IN SELECT name FROM "Canadian_Parks" LOOP
park_name := mviews.name;
RAISE NOTICE 'Creating or replace view %s...', mviews.name;
query := 'CREATE OR REPLACE VIEW %_view AS
SELECT * from "Canadian_Parks" where name=''%'';
ALTER TABLE %_view OWNER TO postgres', park_name, park_name, park_name;
-- RAISE NOTICE query;
EXECUTE query;
END LOOP;
RAISE NOTICE 'Done refreshing materialized views.';
RETURN 1;
END;
$$ LANGUAGE plpgsql;
I have confirmed integrity of the string, such as
CREATE OR REPLACE VIEW Saguenay_St__Lawrence_view AS
SELECT * from "Canadian_Parks" where name='Saguenay_St__Lawrence';
ALTER TABLE Saguenay_St__Lawrence_view OWNER TO postgres
assigned to the query variable by manually submitting this to the database and getting a successful response.
However, if I attempt to execute the function using
SELECT cs_refresh_mviews();
the followig error is displayed:
ERROR: query "SELECT 'CREATE OR REPLACE VIEW %_view AS SELECT * from "Canadian_Parks" where name=''%''; ALTER TABLE %_view OWNER TO postgres', park_name, park_name, park_name" returned 4 columns
CONTEXT: PL/pgSQL function "cs_refresh_mviews" line 32 at assignment
********** Error **********
ERROR: query "SELECT 'CREATE OR REPLACE VIEW %_view AS SELECT * from "Canadian_Parks" where name=''%''; ALTER TABLE %_view OWNER TO postgres', park_name, park_name, park_name" returned 4 columns
SQL state: 42601
Context: PL/pgSQL function "cs_refresh_mviews" line 32 at assignment
Why has this been converted to a SELECT statement, instead of a pure CREATE?
You setup is pretty twisted. Why would you save part of the name of a view in a composite type of a table instead of saving it in a plain text column?
Anyhow, it could work like this:
Setup matching question:
CREATE SCHEMA x; -- demo in test schema
SET search_path = x;
CREATE TYPE mviews AS (id int, name text); -- composite type used in table
CREATE TABLE "Canadian_Parks" (name mviews);
INSERT INTO "Canadian_Parks"(name) VALUES
('(1,"canadian")')
,('(2,"islandic")'); -- composite types, seriously?
SELECT name, (name).* from "Canadian_Parks";
CREATE OR REPLACE FUNCTION cs_refresh_mviews()
RETURNS int LANGUAGE plpgsql SET search_path = x AS -- search_path for test
$func$
DECLARE
_parkname text;
BEGIN
FOR _parkname IN SELECT (name).name FROM "Canadian_Parks" LOOP
EXECUTE format('
CREATE OR REPLACE VIEW %1$I AS
SELECT * FROM "Canadian_Parks" WHERE (name).name = %2$L;
ALTER TABLE %1$I OWNER TO postgres'
, _parkname || '_view', _parkname);
END LOOP;
RETURN 1;
END
$func$;
SELECT cs_refresh_mviews();
DROP SCHEMA x CASCADE; -- clean up
Major points
As you are executing text with execute, you need to safeguard against SQL injection. I use the format() function for identifiers and the literal
I use the syntax SELECT (name).name to cope with your weird setup and extract the name we need right away.
Similarly, the VIEW needs to read WHERE (name).name = .. to work in this setup.
I removed a lot of noise that is irrelevant to the question.
It's also probably pointless to have the function RETURN 1. Just define the function with RETURNS void. I kept it, though, to match the question.
Untangled setup
How it probably should be:
CREATE SCHEMA x;
SET search_path = x;
CREATE TABLE canadian_parks (id serial primary key, name text);
INSERT INTO canadian_parks(name) VALUES ('canadian'), ('islandic');
SELECT * from canadian_parks;
CREATE OR REPLACE FUNCTION cs_refresh_mviews()
RETURNS void LANGUAGE plpgsql SET search_path = x AS
$func$
DECLARE
parkname text;
BEGIN
FOR parkname IN SELECT name FROM canadian_parks LOOP
EXECUTE format('
CREATE OR REPLACE VIEW %1$I AS
SELECT * FROM canadian_parks WHERE name = %2$L;
ALTER TABLE %1$I OWNER TO postgres'
, parkname || '_view', parkname);
END LOOP;
END
$func$;
SELECT cs_refresh_mviews();
DROP SCHEMA x CASCADE;
You've misunderstood usage of commas in assignment expression.
It turns query to array (RECORD) instead of scalar.
Use concatenation:
park_name := quote_ident(mviews.name||'_view');
query := 'CREATE OR REPLACE VIEW '||park_name||' AS SELECT * from "Canadian_Parks" where name='||quote_literal(mviews.name)||'; ALTER TABLE '||park_name||' OWNER TO postgres';
I want to create a schema with with a name passed by variable.
Example:
CREATE OR REPLACE FUNCTION test1("name" character varying)
RETURNS void AS
'CREATE SCHEMA "name";'
LANGUAGE 'sql' VOLATILE
COST 100;
You could use plpgsql and than EXECUTE:
CREATE OR REPLACE FUNCTION test1("name" character varying)
RETURNS void AS
$$
BEGIN
EXECUTE 'CREATE SCHEMA '|| quote_ident($1); -- security
RETURN;
END;
$$
LANGUAGE plpgsql
VOLATILE
COST 20;
user search_path to change the default schema so you may easily add tables to it!
and use format with %I to escape the schema name as identifier.
like this:
CREATE OR REPLACE FUNCTION test1("name" character varying)
RETURNS void AS
$$
BEGIN
EXECUTE FORMAT('CREATE SCHEMA %I;', $1);
EXECUTE FORMAT('SET search_path TO %I;', $1);
CREATE TABLE table1(
column1 integer
);
RETURN;
END;
$$
LANGUAGE plpgsql
VOLATILE
COST 20;
Using PROCEDURE (PostgreSQL 11+)
CREATE OR REPLACE PROCEDURE create_schema( _schema text)
LANGUAGE plpgsql as
$$
BEGIN
EXECUTE format( 'CREATE SCHEMA IF NOT EXISTS %I ',_schema);
END
$$;
Call this procedure via:
call create_schema('test');