I need to achieve the below goal in postgresql. There is a database "textdb" with 4 schema's that are public, ds, fin, viz.
We need to create a script that can be used to provide access to the role. So, I need to create 3 roles, one for analyst, another for data scientist, and last one for visualization people.
CREATE ROLE analyst WITH LOGIN;
CREATE ROLE ds WITH LOGIN;
CREATE ROLE vi WITH LOGIN;
The respective team members will be added to their respective roles so that we need not to get access to individual users. Analyst is required to get complete access of the database "testdb", ds role will have access to all the data in the schema "ds" and "fin" and vi role will have access to schema "viz".
Also, whenever new table/view/procedure/function is added, then automatically users should have the required access.
If you plan to grant those roles to users they don't need login I believe. This is exact difference between "USER that can connect" and "just ROLE"
for new relations grants use ALTER DEFAULT PRIVILEGES
to grant role to user just grant ds to user_mike; if you \du+ user_mike you will see roles granted in "Menber of" section
Related
We have an existing postgres database gsrdb in production with superuser gsr. We have been doing all the database maintenance with that user gsr. Also, the same user gsr is used by our app service to do transactions on the database.
We want to change this now. We want a separate superuser gsr_admin(whose credentials are managed by Vault) that can do the dba maintenance but still have our app service use existing user gsr.
The problem I am facing is that all the database objects so far are owned by gsr user and if I run updates, as user gsr_admin, on the database w.r.t. either table constraints or sequences it fails saying error: must be owner of relation...blah blah
How can I fix this?
So I was thinking if I could create a superuser admin group role called admin_group and reassign all the ownerships of all the database objects to it from user gsr and then alter both users gsr and gsr_admin to belong to this admin group role. Wouldn't that way everything that has been created so far would be owned by role admin_group ? And whether I create new objects as a user gsr or as gsr_admin either of them can still update the objects?
I might be wrong. Would really appreciate some inputs.
Simply run
ALTER ROLE gsr NOSUPERUSER;
ALTER ROLE gsr RENAME TO gsr_admin; -- needs a new password now
CREATE ROLE gsr LOGIN;
GRANT USAGE ON SCHEMA myschema TO gsr;
GRANT SELECT, INSERT, UPDATE, DELETE
ON ALL TABLES IN SCHEMA myschema TO gsr;
Similarly, grant USAGE on sequences and other required privileges. You may want to run some ALTER DEFAULT PRIVILEGES for future objects as well.
I have created two new users and a new role. Given select privilege to the role for one table in schema A and assigned this role to user b. While issuing a select query for the table in schema a with this user I am experiencing table or view not found issue.
CREATE USER READUSER1 IDENTIFIED BY readuser1;
CREATE USER READUSER2 IDENTIFIED BY readuser2;
CREATE ROLE READONLY_USER IDENTIFIED BY readonlyuser;
GRANT select ON READUSER1.TESTA TO READONLY_USER;
GRANT READONLY_USER TO READUSER2;
Now from READUSER2 session :
SELECT * FROM READUSER1.TESTA > 00942. 00000 - "table or view does not exist"
I assume that you created the table successfully in the readUser1 schema though you don't show that step.
When logged in as readUser2, what roles are enabled for the session?
select *
from session_roles
I'll wager that the role is not enabled for the session. Normally, you don't set passwords on roles because you normally want those roles to be available to the user as soon as they log in. If you set a password on a role, however, then every time the user creates a new session, they have to explicitly enable the role by specifying the password. That's quite useful in some unusual situations but it's not the norm.
Assuming that readonly_user does not appear in session_roles, you can enable the role using the set role command
set role readonly_user
identified by readonlyuser;
Once you've done that, the role should appear in session_roles and you should be able to query the table.
Normally, though, you'd have created a normal role not a password protected role by omitting the identified by clause
create role readonly_user;
I'm coming to postgreSQL with a SQL Server background and was naively applying the same concepts to postgreSQL in order to allow different users to share 'by default' some objects within a database.
This is what I did:
CREATE DATABASE testdb;
CREATE ROLE testdb_role_full INHERIT;
GRANT ALL PRIVILEGES ON DATABASE testdb TO testdb_role_full;
CREATE USER user1 INHERIT;
GRANT testdb_role_full TO user1;
CREATE USER user2 INHERIT;
GRANT testdb_role_full TO user2;
Once done, I created a table t1 using the user1.
Then, I tried, as user2, to read the t1 table and I received a "permission denied error"... :-(
By reading the documentation, it seems that I have to issue a SET ROLE testdb_role_full first so as to act as the testdb_role_full.
However, this is not really that I want. I do not want the user to be aware of this.
So my question:
Is there any way to make this work?
Thanks a lot,
José
You've granted some privileges on the database, but that doesn't mean any user with the role testdb_role_full would have all privileges on all objects inside that database. To quote from the documentation:
When an object is created, it is assigned an owner. The owner is normally the role that executed the creation statement. For most kinds of objects, the initial state is that only the owner (or a superuser) can do anything with the object. To allow other roles to use it, privileges must be granted.
So after the user1 created the table t1, he is the owner and only he has the privileges on it. He would need to run
GRANT ALL PRIVILEGES ON TABLE t1 TO testdb_role_full;
then user2 would be able to access it as well (without having to switch any roles - that's only necessary when it has the NOINHERIT attribute on the role).
If you don't want your users to have to execute GRANT each time they create a new object in the database, you can alter the default privileges that will be applied whenever an object is created by user2:
ALTER DEFAULT PRIVILEGES FOR user2
GRANT ALL PRIVILEGES ON TABLES TO testdb_role_full;
Notice these specify the initial value only, and user2 could revoke the privileges on his tables if he wanted to prevent others from seeing them.
I am facing an issue while creating a readonly users in RDS PostgreSQL 9.6. I am executing the following SQL commands:
---- ###### CREATE ROLE ################
CREATE ROLE readonlyrole_dev;
-- Grant access to existing tables
GRANT USAGE ON SCHEMA public TO readonlyrole_dev;
GRANT SELECT ON ALL TABLES IN SCHEMA public TO readonlyrole_dev;
-- set the privileges that will be applied to objects created in the future.
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO readonlyrole_dev;
CREATE USER readonly_dev WITH PASSWORD 'welcome1';
GRANT readonlyrole_dev TO readonly_dev;
When I login with the readonly_dev user, it has privilege to create the new tables by default but I don't want to do that. I want to keep readonly_dev only a read only user.
Note: To revoke the access from the user I am executing
REVOKE CREATE ON SCHEMA public FROM PUBLIC;
which revokes create objects privilege to all old users as well. I only want to revoke create privilege from newly created user.
How can I do that?
You cannot do that, and it is not necessary either.
Just deny the user the CREATE permission on all schemas. You should use user groups for that - put all users who should have the privilege to create tables in a group that has the required privilege on the schema and revoke CREATE from PUBLIC.
If you insist that you must have this, try creating an event trigger that throws an exception whenever a certain user tries to create a table.
I want to allow a users assigned to a role to delete their own content in postgres but not content made by admins. I am new to database management and thought that the below would work but doesn't.
GRANT ALL ON ALL SEQUENCES IN SCHEMA public TO analyst;
GRANT ALL ON ALL TABLES IN SCHEMA public TO analyst;
You should use row level security. Docs : https://www.postgresql.org/docs/10/ddl-rowsecurity.html
Ex :
CREATE POLICY analyst_policy
ON public.mytable
USING (user = CURRENT_USER);