As a Superuser, I have created two roles in Postgres on the same schema:
read_only_with_create_view
read_write
Then I created two users from each role:
read_only_with_create_view_user
read_write
Now any new views created by read_only_with_create_view_user cannot be accessed by read_write_user as the owner for views is different (read_only_with_create_view_user).
So what is the way to access all new views by read_write_user?
I want everything created by one user to be accessible to another user.
Steps I followed:
CREATE ROLE read_only_role WITH
NOSUPERUSER INHERIT NOCREATEDB NOCREATEROLE NOREPLICATION VALID UNTIL 'infinity';
GRANT CONNECT ON DATABASE mydb to read_only_role;
GRANT USAGE,CREATE ON SCHEMA myschema TO read_only_role;
GRANT SELECT ON ALL TABLES IN SCHEMA myschema TO read_only_role;
GRANT SELECT ON ALL SEQUENCES IN SCHEMA myschema TO read_only_role;
CREATE USER read_only_with_create_view_user
WITH PASSWORD '*****'
in ROLE read_only_role;
-- Now created new views using this role. That means read_only_with_create_view_user is owner of those views.
-- Creating new read-write role.
CREATE ROLE rw_role WITH
NOSUPERUSER INHERIT NOCREATEDB NOCREATEROLE NOREPLICATION VALID UNTIL 'infinity' IN ROLE read_only_role;
GRANT CONNECT ON DATABASE mydb to rw_role;
GRANT USAGE ON SCHEMA myschema TO crn_rw_role_qa;
GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA myschema TO rw_role;
GRANT ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA myschema TO rw_role;
CREATE USER read_write_user
WITH PASSWORD '*****'
in role rw_role;
After login with read_write_user, when I try to access new views created by read_only_with_create_view_user, I get this error:
ERROR: permission denied for relation view_name
********** Error **********
ERROR: permission denied for relation view_name
SQL state: 42501
You can set a role as a member of another role:
GRANT read_only_with_create_view_user TO read_write_user;
More info here.
EDIT
It will never work as you expect. See your current user schema:
Role read_write_user will cannot access objects owned by read_only_with_create_view_user simply because both don't have any relationship. To make this works as you expect you can reassign objects ownership to an "upper" level role, in this case: read_only_role (because everybody is a member of this role). But be warned that it will no longer be a read-only role.
You can do one of the following:
--Connected as read_only_with_create_view_user
CREATE VIEW my_view AS SELECT 1;
--Assign ownership to top-level role
ALTER VIEW my_view OWNER TO read_only_role;
Or you may prefer this approach:
--Connected as read_only_with_create_view_user
--Change current user to read_only_role
SET role = read_only_role;
--Create a view...
CREATE VIEW my_view AS SELECT 1;
--Turn back to read_only_with_create_view_user
RESET role;
If you prefer to do all at once you can reassign ownership of objects owned by read_only_with_create_view_user to your top-level role in just one command:
REASSIGN OWNED BY read_only_with_create_view_user TO read_only_role;
Finally, if you don't want to break your read-only rule you can also, of course, give permission directly to the object.
-- As read_only_with_create_view_user, execute the following:
CREATE VIEW my_view_2 AS SELECT 1;
GRANT SELECT ON my_view_2 TO read_write_user
Related
I need to create 2 roles in postgres, a read only role that only has permission to run SELECT queries, and an admin role that has full superuser privileges.
How can I remove "CREATE TABLE" from 1 role, while allowing "CREATE TABLE" on another role?
I'm using "REVOKE CREATE ON SCHEMA public FROM PUBLIC" to revoke create permissions, but this applies to all roles, and I'd like to allow an admin role to still create tables.
PostgreSQL doesn't have a special CREATE TABLE privilege, everybody is always allowed to create tables. Creating tables is restricted by schema permissions: if you grant a role the CREATE privilege on a schema, that role can create tables (and other objects) in that schema.
So grant CREATE on a schema to the one role and don't grant CREATE on any schema to the other role.
I have a postgresql (v10) database. I've created database tn_beta_db with schema tn_schema. I've created three users and executed the following, which is meant to grant all of them read and maybe modify access on all tables, current and future that tn_beta_migrator might create.
\c tn_beta_db
-- User tn_beta_reader --
ALTER DEFAULT PRIVILEGES IN SCHEMA tn_schema FOR ROLE tn_beta_reader GRANT SELECT ON TABLES TO tn_beta_reader;
GRANT CONNECT ON DATABASE tn_beta_db TO tn_beta_reader;
GRANT USAGE ON SCHEMA tn_schema TO tn_beta_reader;
GRANT SELECT ON ALL TABLES IN SCHEMA tn_schema TO tn_beta_reader;
-- User tn_beta_migrator --
ALTER DEFAULT PRIVILEGES IN SCHEMA tn_schema FOR ROLE tn_beta_migrator GRANT ALL ON TABLES TO tn_beta_migrator;
GRANT CONNECT ON DATABASE tn_beta_db TO tn_beta_migrator;
GRANT USAGE ON SCHEMA tn_schema TO tn_beta_migrator;
GRANT ALL ON ALL TABLES IN SCHEMA tn_schema TO tn_beta_migrator;
GRANT CREATE ON SCHEMA tn_schema TO tn_beta_migrator;
-- User tn_beta_writer --
ALTER DEFAULT PRIVILEGES IN SCHEMA tn_schema FOR ROLE tn_beta_writer GRANT SELECT,INSERT,DELETE,UPDATE ON TABLES TO tn_beta_writer;
GRANT CONNECT ON DATABASE tn_beta_db TO tn_beta_writer;
GRANT USAGE ON SCHEMA tn_schema TO tn_beta_writer;
GRANT SELECT,INSERT,DELETE,UPDATE ON ALL TABLES IN SCHEMA tn_schema TO tn_beta_writer;
If I now connect as tn_beta_migrator, I can create a table and do things with it.
create table tn_schema.foo(x int);
-- and then INSERT, SELECT, UPDATE, even DROP
But now if I connect as either of tn_beta_reader or tn_beta_writer, I can not use that table.
tn_beta_db=> select * from tn_schema.foo ;
ERROR: permission denied for relation foo
tn_beta_db=>
I would expect to be able to read/write/modify/delete as tn_beta_writer and to be able to read as tn_beta_reader.
If I rerun the grant script, above, this permits me to access foo, but a newly created table bar would then be inaccessible.
I'd thought that the alter default privileges commands would permit these roles, in the future, to access the tables created by tn_beta_migrator.
Any pointers on what I've misunderstood?
The role in the FOR ROLE clause in ALTER DEFAULT PRIVILEGES is not the role that will get the privileges, it is the role that creates the tables.
So your statements should start with
ALTER DEFAULT PRIVILEGES FOR ROLE tn_beta_migrator ...
I am aware that similar questions have been asked before, but the answers do not appear to solve my problem, so I think a more complete answer would be valuable.
I would like to create a read-only user for a postgresql database. I have already granted access to the server for my user using the pg_hba.conf file.
As the postgres admin user, I have run the following commands:
CREATE ROLE read_only_user NOSUPERUSER INHERIT NOCREATEDB NOCREATEROLE NOREPLICATION;
GRANT CONNECT ON DATABASE the_database TO read_only_user;
GRANT USAGE ON SCHEMA public to read_only_user;
GRANT SELECT ON ALL TABLES IN SCHEMA public TO read_only_user;
GRANT SELECT ON ALL SEQUENCES IN SCHEMA public TO read_only_user;
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO read_only_user;
ALTER ROLE read_only_user WITH PASSWORD '*********************';
ALTER ROLE read_only_user VALID UNTIL 'infinity';
ALTER ROLE read_only_user WITH LOGIN;
ALTER USER read_only_user SET search_path = public;
As a result, I am able to log in to the the_database DB locally, and remotely using a DB client, with username and password authentication and I can list the tables in the database. However, any attempt to select or view the contents of the database results in
ERROR: permission denied for relation the_table
What other permissions are needed, since as far as I can tell, all the necessary permissions are granted.
We granted third-party software access to our postgresql database. After billing dispute we have now cut ties with this company but cannot delete the user. We need to delete this user soon but can't figure out how to do it. Here's some of what we're seeing when we try to do it:
prod=> drop user evil_user;
ERROR: role "evil_user" cannot be dropped because some objects depend on it
DETAIL: owner of default privileges on new relations belonging to role evil_user
prod=> reassign owned by evil_user to root;
ERROR: permission denied to reassign objects
prod=> drop role evil_user;
ERROR: role "evil_user" cannot be dropped because some objects depend on it
DETAIL: owner of default privileges on new relations belonging to role evil_user
^
prod=> REVOKE ALL ON ALL TABLES IN SCHEMA PUBLIC FROM evil_user;
REVOKE
prod=> drop role evil_user;
ERROR: role "evil_user" cannot be dropped because some objects depend on it
DETAIL: owner of default privileges on new relations belonging to role evil_user
prod=> REVOKE ALL ON SCHEMA public FROM evil_user;
REVOKE
prod=> REVOKE ALL ON DATABASE prod FROM evil_user;
REVOKE
prod=> reassign owned by evil_user to root;
ERROR: permission denied to reassign objects
prod=> drop user evil_user;
ERROR: role "evil_user" cannot be dropped because some objects depend on it
DETAIL: owner of default privileges on new relations belonging to role evil_user
^
prod=> ALTER DEFAULT PRIVILEGES IN SCHEMA public REVOKE ALL ON TABLES FROM evil_user;
ALTER DEFAULT PRIVILEGES
prod=> drop user evil_user;
ERROR: role "evil_user" cannot be dropped because some objects depend on it
DETAIL: owner of default privileges on new relations belonging to role evil_user
prod=> reassign owned by evil_user to root;
ERROR: permission denied to reassign objects
We need to get these people out of our database. For a number of reason we cannot easily move to a new Postgres instance.
There are unintuitive permission requirements when using REASSIGN without a supserusesr account, such as on RDS and Cloud SQL, but it is possible as long as your current_user has permission to GRANT evil_user TO prod. See this other post where I answered the same question: https://stackoverflow.com/a/62557497/79079
prod=> reassign owned by evil_user to root;
ERROR: permission denied to reassign objects
You must perform this action as a postgres superuser account, usually the user postgres.
I ran into a very annoying role inheritance issue with PostgreSQL. It simply doesn't behave as it should according to the documentation.
I would like to have a master role, and grant its permissions to newly created users. These users should inherit the permissions without issuing SET ROLE manually.
CREATE ROLE testrole NOSUPERUSER INHERIT CREATEDB NOCREATEROLE;
CREATE ROLE testuser LOGIN NOSUPERUSER INHERIT NOCREATEDB NOCREATEROLE;
GRANT testrole TO testuser;
Now after I connect as testuser, I get the following:
postgres=> CREATE DATABASE foobar;
ERROR: permission denied to create database
postgres=> SET ROLE testrole;
SET
postgres=> CREATE DATABASE foobar;
CREATE DATABASE
According to the docs linked above (because of the INHERIT option), the SET ROLE shouldn't be required.
What am I missing here?
A bit further down the same page:
"The role attributes LOGIN, SUPERUSER, CREATEDB, and CREATEROLE can be thought of as special privileges, but they are never inherited as ordinary privileges on database objects are. You must actually SET ROLE to a specific role having one of these attributes in order to make use of the attribute."