Change privileges on schema created by rdsadmin user - postgresql

I added the postgis_topology extension, which added the topology schema to my database. However, my root user does not have sufficient privileges to use the functions in that schema in the AWS RDS instance. The topology schema was created with the following (as seen in pgAdmin):
CREATE SCHEMA topology
AUTHORIZATION rdsadmin;
When I try to run the statement SELECT topology.CreateTopology('element_topo', 4326); I get an error "permission denied for schema topology". When I try to drop the schema and start over, the error is "must be the owner of schema topology".
I also tried just granting permissions to my root user with
GRANT ALL ON ALL FUNCTIONS IN SCHEMA topology TO my_root_user;
but that just gives "permission denied for schema topology".
How can I grant privileges on this schema to my root user?

I have not found the reason that the CREATE EXTENSION postgis_topology; statement creates the topology schema and all its functions and tables with the rdsadmin user. However, that prevents other users from executing functions.
The following DO statement resolves the issue by updating the owner of the schema, tables and functions to the role given to the database's root user.
DO
$BODY$
DECLARE
    _sql text;
BEGIN
    EXECUTE 'SET search_path = topology,public;';
    -- Schema first, then the tables; a sequence owned by a serial column
    -- (topology_id_seq) changes owner together with its table, so the two
    -- explicit statements for it are then no-ops.
    EXECUTE 'ALTER SCHEMA topology OWNER TO rds_superuser;';
    EXECUTE 'ALTER TABLE topology.topology OWNER TO rds_superuser;';
    EXECUTE 'ALTER TABLE topology.topology_id_seq OWNER TO rds_superuser;';
    EXECUTE 'ALTER SEQUENCE topology.topology_id_seq OWNER TO rds_superuser;';
    EXECUTE 'ALTER TABLE topology.layer OWNER TO rds_superuser;';
    -- Build one ALTER FUNCTION statement per function (and per overload,
    -- identified by its argument list) in the schema.
    SELECT INTO _sql
        string_agg('ALTER FUNCTION '
            || nsp.nspname || '.'
            || p.proname || '('
            || pg_get_function_identity_arguments(p.oid)
            || ') OWNER TO rds_superuser;', E'\n'
        )
    FROM pg_catalog.pg_proc p
    JOIN pg_catalog.pg_namespace nsp ON p.pronamespace = nsp.oid
    WHERE nsp.nspname = 'topology';
    -- string_agg returns NULL when the schema holds no functions, and
    -- EXECUTE of a NULL string raises an error, so guard it.
    IF _sql IS NOT NULL THEN
        EXECUTE _sql;
    END IF;
END
$BODY$;
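The DO block above hard-codes the object names of the topology schema and concatenates unquoted identifiers into dynamic SQL. As an added example (not part of the original question or answer), here is a generalised version that reassigns every table, sequence, view and function in a schema to a target role, discovers the objects from the catalog, quotes identifiers with format() so that an unusual object name cannot break or alter the generated statement, and dispatches aggregates to ALTER AGGREGATE rather than ALTER FUNCTION. The schema name topology and the role rds_superuser come from the answer; the relkind codes and catalog columns are standard PostgreSQL. A check query follows the block so you can confirm nothing was left behind.

```sql
-- Added example, not the original answer's code.  Reassign ownership of all
-- objects in a schema to a target role, then list whatever is still not owned
-- by that role.
DO
$BODY$
DECLARE
    _schema text := 'topology';        -- schema created by CREATE EXTENSION postgis_topology
    _owner  text := 'rds_superuser';   -- role the database's master user belongs to on RDS
    _rec    record;
    _stmt   text;
BEGIN
    EXECUTE format('ALTER SCHEMA %I OWNER TO %I', _schema, _owner);

    -- Relations: r = table, p = partitioned table, S = sequence, v = view,
    -- m = materialized view.  ALTER TABLE ... OWNER TO is accepted for all of
    -- them.  Tables go first so that sequences owned by a serial column are
    -- changed together with their table; a sequence whose owner already
    -- matches is then filtered out and never altered on its own (which
    -- PostgreSQL would reject for an owned sequence).
    FOR _rec IN
        SELECT c.relname
        FROM pg_catalog.pg_class c
        JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace
        WHERE n.nspname = _schema
          AND c.relkind IN ('r', 'p', 'S', 'v', 'm')
          AND pg_catalog.pg_get_userbyid(c.relowner) <> _owner
        ORDER BY (c.relkind = 'S')   -- false sorts first: tables before sequences
    LOOP
        _stmt := format('ALTER TABLE %I.%I OWNER TO %I', _schema, _rec.relname, _owner);
        RAISE NOTICE '%', _stmt;     -- audit trail of what was changed
        EXECUTE _stmt;
    END LOOP;

    -- Functions: one statement per overload, identified by its argument list.
    -- Aggregates (present in pg_aggregate) need ALTER AGGREGATE instead.
    FOR _rec IN
        SELECT p.proname,
               pg_catalog.pg_get_function_identity_arguments(p.oid) AS args,
               CASE WHEN a.aggfnoid IS NOT NULL THEN 'AGGREGATE' ELSE 'FUNCTION' END AS kind
        FROM pg_catalog.pg_proc p
        JOIN pg_catalog.pg_namespace n ON n.oid = p.pronamespace
        LEFT JOIN pg_catalog.pg_aggregate a ON a.aggfnoid = p.oid
        WHERE n.nspname = _schema
          AND pg_catalog.pg_get_userbyid(p.proowner) <> _owner
    LOOP
        _stmt := format('ALTER %s %I.%I(%s) OWNER TO %I',
                        _rec.kind, _schema, _rec.proname, _rec.args, _owner);
        RAISE NOTICE '%', _stmt;
        EXECUTE _stmt;
    END LOOP;
END
$BODY$;

-- Check: anything in the schema still owned by someone else?  Expect no rows.
SELECT 'relation' AS kind, c.relname AS name, pg_catalog.pg_get_userbyid(c.relowner) AS owner
FROM pg_catalog.pg_class c
JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace
WHERE n.nspname = 'topology'
  AND c.relkind IN ('r', 'p', 'S', 'v', 'm')
  AND pg_catalog.pg_get_userbyid(c.relowner) <> 'rds_superuser'
UNION ALL
SELECT 'function', p.proname, pg_catalog.pg_get_userbyid(p.proowner)
FROM pg_catalog.pg_proc p
JOIN pg_catalog.pg_namespace n ON n.oid = p.pronamespace
WHERE n.nspname = 'topology'
  AND pg_catalog.pg_get_userbyid(p.proowner) <> 'rds_superuser';
```

Run the block as the role that is allowed to change the schema's ownership (on RDS, the master user). The RAISE NOTICE lines give you the exact statements that were executed, which is what you want in a change record when you are altering ownership of extension-created objects.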

Related

Azure Flexible Postgres: `permission denied for table pg_authid` during `pg_dumpall -r`

I have an Azure Database for PostgreSQL flexible server.
I'm trying to upgrade using the official docs.
The first step is to dump the roles
pg_dumpall -r --host=mySourceServer --port=5432 --username=myUser --database=mySourceDB > roles.sql
This fails with
pg_dumpall: error: query failed: ERROR: permission denied for table pg_authid
pg_dumpall: error: query was: SELECT oid, rolname, rolsuper, rolinherit, rolcreaterole, rolcreatedb, rolcanlogin, rolconnlimit, rolpassword, rolvaliduntil, rolreplication, rolbypassrls, pg_catalog.shobj_description(oid, 'pg_authid') as rolcomment, rolname = current_user AS is_current_user FROM pg_authid WHERE rolname !~ '^pg_' ORDER BY 2
I'm running it under an admin username.
What am I doing wrong?

Redshift returns The server (version 8.0) does not support altering default privileges

I am trying to drop a user from redshift:
DROP USER xx;
I get:
[2021-03-01 14:00:39] [2BP01][500310] [Amazon](500310) Invalid operation: user "xx" cannot be dropped because some objects depend on it
[2021-03-01 14:00:39] Details:
[2021-03-01 14:00:39] owner of default privileges on new relations belonging to user xx;
I already removed it from the group:
ALTER GROUP a DROP USER xx;
I run:
select *
from pg_user
LEFT JOIN pg_group ON pg_user.usesysid = ANY(pg_group.grolist)
order by 1;
And it returns: xx,109,false,false,false,********,,,,,
Also run:
revoke create,usage on schema public from xx;
revoke all privileges on schema public from xx;
Then run this:
SELECT
distinct s.schemaname,
u.usename,
--'REVOKE ALL ON ALL TABLES IN SCHEMA '+s.schemaname+' FROM ronnylopez;',
has_schema_privilege(u.usename,s.schemaname,'create') AS user_has_select_permission,
has_schema_privilege(u.usename,s.schemaname,'usage') AS user_has_usage_permission
FROM
pg_user u
CROSS JOIN
(SELECT DISTINCT schemaname FROM pg_tables) s
WHERE
user_has_select_permission=True
and u.usename = 'xx';
And it returns only one row:
public,xx,true,true
If I run the default ACL:
select * from pg_default_acl where defacluser= 109;
109,0,r,"{group admins=arwdRxt/xx,xx=arwdRxt/xx}"
To drop these I intend to use \ddp in psql, but I get:
The server (version 8.0) does not support altering default privileges.
So I'm stuck here and not able to drop the user....
You can use the view v_generate_user_grant_revoke_ddl provided on GitHub to generate all of the REVOKE statements needed to allow the DROP USER to complete.
The ddl column provides the generated SQL
SELECT ddl
FROM v_generate_user_grant_revoke_ddl
WHERE grantee = 'useriwanttodrop';
Run the generated SQL and then drop the user. May require superuser permission.
--Generated
SET SESSION AUTHORIZATION master;
REVOKE ALL ON DATABASE mydb FROM useriwanttodrop;
RESET SESSION AUTHORIZATION;
--Drop
DROP USER useriwanttodrop;

SET client_min_messages to specific ROLE postgres

Hi, I'm trying to set client_min_messages = error for a role using the postgres user, but when I log in as the role and check current_setting('client_min_messages') I get the DEFAULT VALUE (notice). I've already tried restarting the config and also done some tests.
To summarize I did:
Login with postgres role.
check default values of client_min_messages(notice) and log_min_messages(warning).
ALTER ROLE anne SET client_min_messages = error;
ALTER ROLE anne SET log_min_messages = panic;
SELECT pg_reload_conf();
Logout postgres.
Login anne.
check SELECT current_setting('client_min_messages'), returning NOTICE(default value).
check SELECT current_setting('log_min_messages'), returning panic(non default value).
Test the code below
begin;
do $$
begin
raise info ' client_min_messages: %',current_setting('client_min_messages'); -- i get "notice"
raise debug ' time : %', NOW();
raise notice ' time : %', NOW();
raise warning ' time : %', NOW();
end $$;
commit; -- closes the transaction opened by begin; above
I mean, do I have to set client_min_messages every time I log in with a user? So the ALTER ROLE/USER SET client_min_messages is useless?
I've tried changing log_min_messages for a specific role, and when I log in with the role the configuration remains OK (not the default value).
The method should work. It worked for me.
Do you have any environment variables (like PGOPTIONS) set or explicit call out of the set client_min_messages command in the session?
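The answer's question about PGOPTIONS or a stray SET can be settled from the catalog rather than by guessing: pg_settings.source reports where the active value of a parameter came from, and pg_db_role_setting stores what ALTER ROLE ... SET wrote. Added example (not from the original question or answer); the role name anne is the one from the question, the views and their columns are standard PostgreSQL.

```sql
-- Added example, not code from the original post.  Run these as anne in a
-- fresh session (ALTER ROLE ... SET only applies to sessions started after
-- it ran; pg_reload_conf() has no effect on it).

-- 1. Where does the value in effect right now come from?
--    source = 'user'    : ALTER ROLE ... SET (what the question expects)
--    source = 'client'  : sent by the client at connect time (PGOPTIONS, options=...)
--    source = 'session' : a SET ran in this session, e.g. from a tool's startup script
--    source = 'default' : nothing overrode the built-in default
SELECT name, setting, source
FROM pg_settings
WHERE name IN ('client_min_messages', 'log_min_messages');

-- 2. What ALTER ROLE / ALTER DATABASE ... SET actually stored.
--    setdatabase = 0 / datname NULL means the setting applies in every database.
SELECT r.rolname, d.datname, s.setconfig
FROM pg_db_role_setting s
LEFT JOIN pg_roles    r ON r.oid = s.setrole
LEFT JOIN pg_database d ON d.oid = s.setdatabase
ORDER BY 1, 2;

-- 3. If step 1 shows 'session' or 'client', undo it for the rest of this
--    session and re-check; the role-level value becomes visible again.
RESET client_min_messages;
SHOW client_min_messages;
```

If step 2 shows client_min_messages=error for anne but step 1 reports source = 'client' or 'session', the role setting is being applied and then overridden later in the connection; look at the client's connection options or at anything it runs on connect.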

Permission denied on a table of a view while I can directly query the table

I have a weird problem. I have a table like public.foo where I have enabled RLS. Now I have another view like create view app.foo_v as select * from public.foo. When I now do a select * from public.foo everything is fine and working as expected. But when I do select * from app.foo_v I get an error like this:
SQL Error [42501]: ERROR: permission denied for relation foo
What privilege am I missing here?
EDIT 1:
This behavior remains even if I disable RLS temporarily
EDIT 2:
-- as postgres
create schema report;
create user app_user with password 'a';
create user view_user with password 'a';
create user app_admin with password 'a';
grant all on schema report to view_user;
grant app_user to app_admin;
grant view_user to app_admin;
-- as app_user
create table fooo(name varchar);
-- as view_user
create view report.foo_v as select * from public.fooo;
-- as app_admin
select * from public.fooo;
select * from report.foo_v;
PS I am running: PostgreSQL 10.6 on x86_64-pc-linux-gnu, compiled by gcc (GCC) 4.8.3 20140911 (Red Hat 4.8.3-9), 64-bit
It seems that your view_user is missing the SELECT privilege on the underlying table.
GRANT SELECT ON TABLE public.fooo TO view_user;
As you describe in the comment, it could be solved as well if user A is granted role C.
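Why the grant is on view_user and not on app_admin: a PostgreSQL view runs its query with the privileges of the view's owner, not of the caller, so the owner of report.foo_v must be able to read public.fooo, and the caller only needs SELECT on the view plus USAGE on its schema. Row-level security policies on the base table are likewise evaluated for the view owner. Added example (not from the original question or answer) that continues the reproduction script from EDIT 2 and adds the checks; the role and object names are the question's, has_table_privilege and pg_views are standard PostgreSQL, and the ALTER DEFAULT PRIVILEGES step is an extra assumption about wanting future tables covered.

```sql
-- Added example, not code from the original post.  Continues the setup in
-- EDIT 2 (schema report, roles app_user / view_user / app_admin, table
-- public.fooo, view report.foo_v).

-- As postgres (or as app_user, the table owner): the minimal fix.  The view
-- owner, view_user, needs SELECT on the base table because the view's query
-- is executed with view_user's privileges.
GRANT SELECT ON TABLE public.fooo TO view_user;

-- Optional: tables app_user creates in public later are readable by
-- view_user too, so new views over them do not hit the same error.
ALTER DEFAULT PRIVILEGES FOR ROLE app_user IN SCHEMA public
    GRANT SELECT ON TABLES TO view_user;

-- Checks.  The first two must both be true for app_admin's SELECT to work.
SELECT has_table_privilege('view_user', 'public.fooo',  'SELECT') AS view_owner_can_read_base,
       has_table_privilege('app_admin', 'report.foo_v', 'SELECT') AS caller_can_read_view,
       has_schema_privilege('app_admin', 'report', 'USAGE')       AS caller_can_use_schema;

-- Whose privileges does the view use?  viewowner is the role that needs the
-- base-table grant.
SELECT schemaname, viewname, viewowner
FROM pg_views
WHERE schemaname = 'report';

-- As app_admin: now succeeds.  app_admin inherits USAGE on schema report
-- through its membership in view_user, so no separate schema grant is needed.
SELECT * FROM report.foo_v;
```

The alternative mentioned in the answer (granting the table owner's role to the view owner) also works, but it hands view_user every privilege app_user has; a SELECT grant on the one table is the least-privilege form.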

Issue with creating a table that successfully created in a different tablespace

I attempted the following, but I am receiving an ORA-01950 error
ALTER USER USER1 QUOTA 200M ON NUSERS;
User altered.
GRANT SELECT ON HR.EMPLOYEES TO USER1;
Grant succeeded.
CONN USER1/USER;
Connected.
CREATE TABLE T3 AS SELECT * FROM HR.EMPLOYEES NUSERS;
CREATE TABLE T3 AS SELECT * FROM HR.EMPLOYEES NUSERS
*
ERROR at line 1:
ORA-01950: no privileges on tablespace 'USERS'
You said this: ALTER USER USER1 QUOTA 200M ON NUSERS;
Oracle responded: ORA-01950: no privileges on tablespace 'USERS'
See the big bold N difference?
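The quota was granted on NUSERS, but the CREATE TABLE went to the user's default tablespace USERS because the trailing NUSERS in the statement was parsed as a table alias for HR.EMPLOYEES, not as a tablespace clause. Added example (not from the original question or answer) showing the check and the two ways to resolve it, with the user and tablespace names from the question; USER_TS_QUOTAS and the TABLESPACE clause of CREATE TABLE ... AS are standard Oracle.

```sql
-- Added example, not code from the original post.

-- As USER1: which tablespaces do I actually hold quota on?
-- Expect a row for NUSERS and none for USERS, which is why the CTAS into the
-- default tablespace failed with ORA-01950.
SELECT tablespace_name, bytes, max_bytes
FROM   user_ts_quotas;

-- Option 1 (as USER1): create the table where the quota is.  The TABLESPACE
-- clause belongs before AS; a name after the FROM table is just an alias.
CREATE TABLE t3
TABLESPACE nusers
AS SELECT * FROM hr.employees;

-- Option 2 (as a DBA): either grant quota on USERS as well, or make NUSERS
-- the default so a plain CTAS lands there without a TABLESPACE clause.
ALTER USER user1 QUOTA 200M ON users;
ALTER USER user1 DEFAULT TABLESPACE nusers;
```

Option 1 keeps the user confined to the tablespace it was deliberately given quota on; Option 2's first statement widens what USER1 may consume, so prefer the DEFAULT TABLESPACE change if the intent was to keep USER1 out of USERS.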