Is it possible, to configure a Postgres database such, that a specific table may only be updated by a trigger. I have history table, updated by trigger, so I want to prevent this table from un unauthorised access. I want history table to be updated only from trigger.
Sure. Both the history table and the table with the trigger belong to a user that has no login rights. Then you grant privileges on the latter table to the application user.
To prevent unauthorized access to a table you can change the owner of the table to the user who should be accessing with the following query:
alter table yourschema.yourtable owner to youruser;
Now you can disable the trigger for all other users using the query:
alter table yourschema.yourtable disable trigger triggername all;
here all means that the trigger is disabled for all the users. Now only the owner will be able to use the trigger to update the table.
A trigger always fires on the event on it is defined. Thus, if an update trigger is defined for updates, no one can bypass the trigger during an update if the trigger is enabled.
If you have different user groups with different privileges accessing your database, then you should map this about users in the database. For instance you can disallow that a user can disable triggers on a table.
Related
How to create user that can create only tables in database?
grant create on database sport to test1; is wrong because we can create triggers too
There is no way to do that except with an event trigger that throws an error whenever the wrong user creates certain objects.
Note that creating tables or triggers is not connected to permissions on the database, but to permissions on the schema. It seems strange and arbitrary to me to prevent a user that can create tables from adding triggers to these tables.
currently I have mariadb user with host like this
'userdb'#'10.148.0.0/255.255.240.0'
and grant like this
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, REFERENCES, INDEX, ALTER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, EVENT, TRIGGER ON *.* TO 'userdb'#'10.148.0.0/255.255.240.0' IDENTIFIED BY PASSWORD '*21E60721C392B0B98F8E387DDA480376C04B42B5'
but when from application we got error message like this
TRIGGER command denied to user 'userdb'#'10.148.0.0/255.255.240.0' for table 'tclmuser'
and then i check the definer from trigger is same like user.
so this is issue come from host at user ?
Is it possible to set role with access to one database, with all privileges except to drop tables?
Not really. If a user can issue CREATE TABLE, it can issue a DROP for that table as well. From the docs:
The right to drop an object, or to alter its definition in any way, is not treated as a grantable privilege; it is inherent in the owner, and cannot be granted or revoked.
And as noted by the CREATE TABLE docs:
The table will be owned by the user issuing the command.
There is no mechanism to allow a user to create tables that they do not own and therefore cannot drop.
I am using Microsoft Azure Database for PostgreSQL with PostgreSQL 10 installed. As I'm trying to work on future tables together with other users I want to enable the other users to alter my tables as well.
I've created a role pgpublish and all users are members of the role. For a new table, which I created, I altered the table owner to the role pgpublish. Now everyone with the role pgpublish is able to alter the table:
ALTER TABLE "MYcoolSchema"."CoolNewTable" OWNER TO pgpublish;
To make this more automatic/generic, I created a trigger function and tried to create an event trigger as explained here.
Unfortunately I can't create the event trigger (The trigger function works fine), as it is stated:
ERROR: permission denied to create event trigger
"trg_create_set_owner" HINT: Must be superuser to create an event trigger.
SQL state: 42501
Is there a workaround for creating event triggers on Microsoft Azure Database for PostgreSQL? How can this look like?
I could run a cron job on another system to scan for new tables and alter the owner of these new tables to pgpublish but this is not cool at all.
I have a database shared by many users, all the users are in a group "example" and the vast majority of objects in the database are owned by "example". Very occasionally a user will create a new table - that table gets assigned to the user who created it and so the other users are unable to alter the new table.
Is there a way to have the ownership of a table automatically set to the group "example" and not the user who created the table or a way to set up a trigger that happens after a CREATE TABALE or a way to set up group/permissions such that all users will be considered owners of objects regardless of who actually created them?
You could change the default privileges this way:
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO PUBLIC;
or to give write access:
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT,INSERT,UPDATE,DELETE ON TABLES TO PUBLIC;
https://www.postgresql.org/docs/9.0/static/sql-alterdefaultprivileges.html
You probably want to use an EVENT TRIGGER
This is doable in all versions of Pg from 9.3 forward but depending on your version might require different approaches since the structures for event triggers have improved significantly.
In earlier versions you could look through the table catalogs for items owned by the current user. In newer versions you can use pg_event_trigger_ddl_commands to get the information you need. you want to run the command at ddl end.