not be able to create Access Control Page - apex

APEX: The current application schema does not have CREATE TABLE, CREATE TRIGGER, CREATE SEQUENCE privilege and will not be able to create Access Control Page.
What grant query could solve it? I have checked with the query (grant connect, resource, dba to user and to the schema too...)

So, "GRANT ALL PRIVILEGES TO user;" is not always the solution to go for.
The issue I figured out is that even when there is a role having all the grants, APEX does not recognize it and won't be able to create the needed tables.
Error message that will show up in the wizard:
The current application schema does not have CREATE TABLE, CREATE TRIGGER, CREATE SEQUENCE privilege and will not be able to create Access Control Page.
So what I did is grant each privilege again:
grant create table to <user>;
grant create trigger to <user>;
grant create sequence to <user>;
then it worked.
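A diagnostic for the distinction this answer describes, added here as an example and not part of the original post: for each privilege named in the error message, the query reports whether the schema holds it as a direct grant or only through a role such as RESOURCE or DBA. APP_SCHEMA is a placeholder for the application schema, and the query assumes a user who can read the DBA_ dictionary views.

```sql
-- Added example. APP_SCHEMA is a placeholder; replace it with the
-- application's schema name in upper case.
-- DBA_SYS_PRIVS and DBA_ROLE_PRIVS are standard Oracle dictionary views.
-- Only roles granted directly to the schema are examined; roles granted
-- to those roles are not followed.
SELECT need.privilege,
       CASE
         WHEN EXISTS (SELECT 1
                        FROM dba_sys_privs d
                       WHERE d.grantee   = 'APP_SCHEMA'
                         AND d.privilege = need.privilege)
         THEN 'YES'
         ELSE 'NO'
       END AS granted_directly,
       (SELECT LISTAGG(rp.granted_role, ', ')
                 WITHIN GROUP (ORDER BY rp.granted_role)
          FROM dba_role_privs rp
          JOIN dba_sys_privs  rs
            ON rs.grantee = rp.granted_role
         WHERE rp.grantee   = 'APP_SCHEMA'
           AND rs.privilege = need.privilege) AS via_roles
  FROM (SELECT 'CREATE TABLE'    AS privilege FROM dual
        UNION ALL
        SELECT 'CREATE TRIGGER'  FROM dual
        UNION ALL
        SELECT 'CREATE SEQUENCE' FROM dual) need
 ORDER BY need.privilege;
```

A row with NO in granted_directly and a role name in via_roles is the case the answer fixed with the three individual grants, which is narrower than granting every system privilege to the schema.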

Related

What is the usage of a NOLOGIN user in the postgresql?

I'm trying to understand the initial steps of PostgREST tutorial.
In the mentioned tutorial, it is recommended to create two different roles named web_anon and authenticator as below:
create role web_anon nologin;
grant usage on schema api to web_anon;
grant select on api.todos to web_anon;
create role authenticator noinherit login password 'mysecretpassword';
grant web_anon to authenticator;
As far as I know, the PostgREST server receives REST API requests from the clients, without any information about the user (role). And also, as far as I know, nologin roles can't log in to the database. (Can they send queries?)
So the questions are:
1. Why do we need two different roles? What is the role of web_anon and what is the role of authenticator?
2. What can a nologin role do in postgres?
3. When PostgREST receives a REST API query, which user does it use to send and execute that query to the database?
To question 1:
A NOLOGIN role can be seen as a user group. The idea is to attach all privileges to a group rather than to individual users, which has several advantages:
It is possible to drop the user, because it does not have any privileges.
It is less work to add a user to a group or remove a user from a group than to grant or revoke lots of permissions whenever you have to add a user or change its privileges.
There is no danger of having so many individual ACL entries attached to a single database object that it becomes impossible to add more permissions (the whole metadata row has to fit into a single 8kB block).
This whole exercise only makes sense if you have many users in the database, otherwise it is silly. But it is a good idea to have different users for different purposes.
To question 2:
A NOLOGIN role can either be a group that carries privileges that users can inherit.
Another use is that you can use SET ROLE to assume the identity of the role.
To question 3:
I guess whatever user you use in the PostgreSQL connect string.
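The SET ROLE mechanism mentioned in the answer, applied to the two roles from the question, as an added example that is not part of the original posts. The api.todos table definition and its row are constructed for the demonstration; the script assumes a superuser session in a scratch database, run with autocommit (for example in psql) so the one rejected statement does not abort the rest.

```sql
-- Added example. Constructed setup that mirrors the names in the question.
create schema api;
create table api.todos (id serial primary key, task text not null);
insert into api.todos (task) values ('constructed sample row');

create role web_anon nologin;
grant usage on schema api to web_anon;
grant select on api.todos to web_anon;
create role authenticator noinherit login password 'mysecretpassword';
grant web_anon to authenticator;

-- Act as the login role, as if a client had connected with its password.
set session authorization authenticator;
select session_user, current_user;

-- NOINHERIT: authenticator holds no privileges of its own on schema api,
-- so this statement is rejected even though it is a member of web_anon.
select * from api.todos;

-- Membership in web_anon is what permits switching to it. After the
-- switch, privilege checks use web_anon while session_user is unchanged.
set role web_anon;
select session_user, current_user;
select * from api.todos;

-- web_anon was granted SELECT only, so a write is rejected.
insert into api.todos (task) values ('should be rejected');

-- Return to the superuser session.
reset role;
reset session authorization;
```

The login role carries the password and nothing else, and the NOLOGIN role carries the privileges and no way to connect, so a leaked connection string exposes only what web_anon was granted.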

Firebird user has all access rights on a single database except cannot create new db and no access to other database

I have a server that will manage multiple Firebird databases. My users are allowed to have full access to all the objects in a single database, but they are not allowed to create new databases and must have no access to other databases on the same server. How do I configure this scenario?
Since Firebird 3, users need to have an explicit privilege to create databases (Database DDL Privileges). So as long as you don't grant that privilege to a user, they cannot create a database (unless they have and apply the RDB$ADMIN role).
Giving a user access to everything in a database is harder to do. You'll need to define the access for each database object individually. The preferred way to do that is to grant the necessary access to a role, and grant that role to the user. See SQL Privileges for details.
In Firebird 3 and earlier, users do not assume the rights of a role unless they explicitly specify that role on connect. Firebird 4 will introduce default roles, which will always be applied. It might be possible to use Firebird 3 privilege mapping to define a default role as well, but I'm not sure if that works.
Firebird does not provide a way to disallow a user from connecting to a database: almost all rights are stored per database, so a user has to connect before the server knows which rights they have. If you want to disallow users from connecting, you will need to create a custom ON CONNECT trigger that raises an exception for users that shouldn't be allowed to connect.
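A sketch of the setup this answer describes, added here as an example and not part of the original post: privileges are granted through a role in the one database the user may use, and an ON CONNECT trigger guards each of the other databases. APP_RW, ALICE, BOB, CUSTOMERS, ORDERS, E_CONNECT_DENIED and TRG_CONNECT_ALLOWLIST are hypothetical names, and Firebird 3 syntax run through isql is assumed.

```sql
-- Added example, part 1: run as the owner or SYSDBA in the single database
-- ALICE is allowed to use. CUSTOMERS and ORDERS stand in for its tables;
-- every object needs its own GRANT, as the answer notes.
CREATE ROLE APP_RW;
GRANT SELECT, INSERT, UPDATE, DELETE ON CUSTOMERS TO ROLE APP_RW;
GRANT SELECT, INSERT, UPDATE, DELETE ON ORDERS TO ROLE APP_RW;
GRANT APP_RW TO USER ALICE;
COMMIT;
-- Nothing grants CREATE DATABASE to ALICE, so under Firebird 3 she cannot
-- create databases. In Firebird 3 she must also name APP_RW as her role
-- when connecting for these privileges to apply.

-- Added example, part 2: run as the owner or SYSDBA in each of the OTHER
-- databases on the server. Users missing from the allow list are rejected
-- when they attach. Keep the database owner on the list.
CREATE EXCEPTION E_CONNECT_DENIED
  'Connection to this database is not permitted';

SET TERM ^ ;
CREATE TRIGGER TRG_CONNECT_ALLOWLIST ACTIVE ON CONNECT POSITION 0
AS
BEGIN
  IF (CURRENT_USER NOT IN ('SYSDBA', 'BOB')) THEN
    EXCEPTION E_CONNECT_DENIED;
END^
SET TERM ; ^
COMMIT;
```

A mistake in an ON CONNECT trigger can lock out every user; the database owner or SYSDBA can attach with isql -nodbtriggers to repair or drop it.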

Create new schema in PostgreSQL using DBeaver

At the beginning of my current job I had limited access to the DB, but recently my role was changed to superuser, admin, and owner. My colleague, who was the previous DB admin, is able to create a schema or change the permissions, as there is a permission tab in the properties and he can change permissions easily by clicking. Would you please let me know how I can create a schema and change permissions as well?
Why does his DBeaver look different from mine? He can easily right-click on the schema folder on top of all schemas in the left side column and select create new schema, while I do not have that, like the following picture I found on the internet.

PostgreSQL - hiding tables from user

I wonder if there is a possibility to hide tables from a certain user, not just revoking access to them.
Basically what needs to be done is to grant a user read-only access to the DB, but hide some tables from him.
I tried to revoke all privileges from schema public but to no avail.
So far you cannot hide Postgres System Catalogs. Meaning you cannot hide metadata.
The user can still see the structure, but cannot access the tables if not granted access.
If you want to grant specific permissions to specific users you can use VIEWS.
https://www.tutorialspoint.com/postgresql/postgresql_views.htm

Two owners of the same PostgreSQL database

Is it possible with Postgresql to create a database which has 2 users which act like owners to the database?
I can create a group role and add both users to that group, and then make the group the owner of the database, but this requires both users to manually set their role on every connection to make any tables they have created accessible to the other user. Is there any way to make the group be the default role for a user each time they log in, or any other way to achieve the same thing?
No, each database can only have one owner. As stated previously you can have more than one superuser, or you can grant permissions specifically to group roles that are then inherited.
You might want to look at http://blog.hagander.net/archives/70-Faking-the-dbo-role.html, for a way to fake something similar to what you're asking for. It's not perfect, but it might be good enough for you. It should be able to solve the object-ownership problem at least.
Ah, found it: PostgreSQL Docs: Chapter 20. Database Roles and Privileges
"member roles that have the INHERIT attribute automatically have use of privileges of roles they are members of."
CREATE ROLE joe LOGIN INHERIT;
CREATE ROLE admin NOINHERIT;
GRANT admin TO joe;
"Immediately after connecting as role joe, a database session will have use of privileges granted directly to joe plus any privileges granted to admin, because joe "inherits" admin's privileges."
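One way to get the "default role at login" behaviour the question asks about, as an added example that is not taken from the answers or from the linked blog post: a per-role setting of the role parameter makes each new session start as the group role, so objects are created with the group as owner. The names app_owner, alice, bob, appdb and shared_demo are hypothetical, and a superuser session is assumed for the setup.

```sql
-- Added example. Setup, run as a superuser.
create role app_owner nologin;
create role alice login inherit;
create role bob login inherit;
grant app_owner to alice, bob;
alter database appdb owner to app_owner;

-- Each new session of alice or bob in appdb starts with
-- current_user = app_owner, as if SET ROLE app_owner had been issued.
alter role alice in database appdb set role = 'app_owner';
alter role bob in database appdb set role = 'app_owner';

-- Check, run in a NEW session connected to appdb as alice.
-- session_user stays alice; current_user is the group role.
select session_user, current_user;

-- The table is owned by app_owner, so bob can alter or drop it as well.
create table shared_demo (id integer primary key);
select tableowner
  from pg_tables
 where schemaname = current_schema()
   and tablename  = 'shared_demo';

-- A member can still switch back to the personal role within a session.
reset role;
```

Every member of app_owner can drop or alter every object in the database, so membership should be limited to people meant to act as owner, and session_user is the field to look at when attributing actions to a person.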