If I execute single SQL statements in worksheet (eg CREATE ROLE my_user LOGIN PASSWORD 'my_pwd' VALID UNTIL 'infinity';) then is works correctly. Wrapping it in anonymous block like this:
DO
$$
BEGIN
CREATE ROLE my_user LOGIN PASSWORD 'my_pwd' VALID UNTIL 'infinity';
END
$$;
and I get following error message:
Error starting at line : 3 in command -
BEGIN
CREATE ROLE my_user LOGIN PASSWORD 'my_pwd' VALID UNTIL 'infinity';
END
$$;
Error report -
ERROR: syntax error at or near "CREATE"
Position: 10
However, the same script works fine when I execute it in psql shell. Am I missing something obvious?
Using:
PostgreSQL version 9.4
Postgres JDBC driver postgresql-9.3-1102.jdbc41
SQL Developer version 4.0 (jdk 1.7.0_71)
The source of the error is JDBC's inability to deal with dollar-quoting correctly (yet). Related answer:
Exceptions when creating a trigger in PostgreSQL 9.1
You might be able to circumvent the problem in this case with:
DO
'
BEGIN
CREATE ROLE my_user LOGIN PASSWORD ''my_pwd'' VALID UNTIL ''infinity'';
END
';
If that doesn't do the trick, try to set a different query terminator, like advised in the linked answer.
You seem to be aware that you do not need a DO statement for the example code at all. Just:
CREATE ROLE my_user LOGIN PASSWORD 'my_pwd' VALID UNTIL 'infinity';
Related
I have a simple GRANT statement that I need to run to allow a single user execute permissions on a routine:
GRANT EXECUTE ON ROUTINE sales.refresh_data(varchar, varchar) to rperson
...but it's throwing an error:
ERROR: syntax error at or near "sales"
From the documentation I can find, this is the correct syntax, and the function signature is correct.
I'm having this problem in postgres and I cannot find my way out.
For our key-users to create user accounts in our postgres database (Ubuntu 18.04.6 LTS (GNU/Linux 5.4.0-1074-azure x86_64)), I created a stored procedure that creates a user with a password.
This is the code for the stored procedure:
CREATE OR REPLACE PROCEDURE geodata_create_user(
username CHARACTER VARYING,
password CHARACTER VARYING
)
LANGUAGE PLPGSQL SECURITY DEFINER
AS
$$
DECLARE
user_to_create CHARACTER VARYING;
BEGIN
-- Check name and create user
IF (username like 'user%') THEN
user_to_create := username;
ELSE
user_to_create := 'user_' || username;
END IF;
PERFORM create_role_if_not_exists (user_to_create);
-- Set password and assign geodata_user role to user
EXECUTE format('ALTER ROLE %I WITH LOGIN PASSWORD ''%I''', user_to_create, password);
EXECUTE format('GRANT another_role TO %I', user_to_create);
end;
$$;
GRANT ALL ON PROCEDURE geodata_create_user TO some_group_role;
If I test it (we have a dev cluster and an acc/prod cluster), it works fine.
The problem is that if one of the key-users creates a new user using this procedure, the user is created yet cannot login using the supplied password.
Following suggestion in pgAdmin and terminal: FATAL: password authentication failed for user to login using peer logon, I tried logging in on psql using the psql -U newuser command it tells me FATAL: Peer authentication failed for user
Then, following suggestion in psql: FATAL: Peer authentication failed for user "dev" logging on the psql using psql -U newuser -d mydbname -h 12.345.678.910 and it replies (after feeding the password created for the user):
Password for user newuser:
psql: error: connection to server at "12.345.678.910", port 8765 failed: could not initiate GSSAPI security context: Unspecified GSS failure. Minor code may provide more information: Server postgres/12.345.678.910#CFSERVICES.COM not found in Kerberos database
connection to server at "12.345.678.910", port 8765 failed: FATAL: password authentication failed for user "newuser"
connection to server at "12.345.678.910", port 8765 failed: FATAL: no pg_hba.conf entry for host "12.345.678.910", user "newuser", database "mydbname", SSL off
I do have a little database experience, however, this kind of stuff is way out of my league. Any one any idea on what goes wrong here? Is there an obvious error in my script? Or might it be a security issue (we use certificates to access the database server when approaching the database server through psql directly, yet usually we set up connections to the database using DBeaver where there is no need to use SSL or SSH Tunnel or certificates or so).
Hope someone can help me out on this.
Regards, Helmoet.
Your format() function is wrong, because a password is not a SQL identifier (which is what %I is for). This will result in it being escaped incorrectly at least in some cases. For example, if the password has a space or a dash in it (or other characters I don't know off the top of my head), this will cause the whole password to be surrounded by literal double quotes. Then the password would work, but you need to specify the double quotes, which is surely not what you would be expecting.
So it should instead look like this, using %L not %I:
EXECUTE format('ALTER ROLE %I WITH LOGIN PASSWORD %L', user_to_create, password);
Your original code would work for passwords that didn't have any of the special symbols in them, so maybe that is why it tested fine.
I'm migrating all the role from my PostgreSQL hosted in GCE VM to Cloud SQL by generating dump file
sudo -Hu postgres pg_dumpall -U postgres --globals-only --file=globals.sql
When I import the same(globals.sql) in Cloud SQL I came across below error:
exit status 3 SET SET SET CREATE ROLE ERROR: must be superuser to alter superusers
Note:
I used postgres user to import this dump file to the cloud sql database.
I'm curious is there any other way to tackle this since postgres user does not have superuser privileges?
I tried executed one query from globals.sql file using cloud shell, below is the output:
postgres=> CREATE ROLE vipinm;
CREATE ROLE
postgres=> ALTER ROLE vipinm WITH NOSUPERUSER INHERIT NOCREATEROLE NOCREATEDB LOGIN NOREPLICATION NOBYPASSRLS;
ERROR: must be superuser to alter superusers
Thanks in advance!
The psql documentation says:
psql returns 0 to the shell if it finished normally, 1 if a fatal error of its own occurs (e.g., out of memory, file not found), 2 if the connection to the server went bad and the session was not interactive, and 3 if an error occurred in a script and the variable ON_ERROR_STOP was set.
So don't set ON_ERROR_STOP.
The error means that you cannot execute the following line from your dump:
ALTER ROLE postgres WITH SUPERUSER INHERIT CREATEROLE CREATEDB LOGIN REPLICATION BYPASSRLS;
That is fine, and you can ignore the error.
This is kind of a bug. As a non-superuser, you can't even reiterate that another role is still not a superuser, as even mentioning anything about superusers even when it would have no effect throws an error. You can get around this by creating the role in its final state, rather than doing the CREATE then ALTER dance that pg_dump likes to do.
CREATE ROLE vipinm WITH NOSUPERUSER INHERIT NOCREATEROLE NOCREATEDB LOGIN NOREPLICATION NOBYPASSRLS;
Alternatively, you could remove from the ALTER statement all the attributes that don't cause any change but merely reiterate the current state of things, leaving:
ALTER ROLE vipinm WITH LOGIN;
I have this database triviaDB that i am connecting to from a flask-sqlalchemy 'postgresql://devuser:devpass#localhost:5432/triviaDB'however it's giving me a programing error psycopg2: auth not allowed.
so i use the following commands in psql to try and give devuser authorization on this database but here is the problem
when i run GRANT ALL PRIVILEGES ON DATABASE triviaDB to devuser; iget this error:
ERROR: database "triviadb" does not exist
when i quote the db name GRANT ALL PRIVILEGES ON DATABASE 'triviaDB' TO devuser; i get this :
ERROR: syntax error at or near "'triviaDB'"
If the DB name was created with upper cases, you need to use double quotes:
GRANT ALL PRIVILEGES ON DATABASE "triviaDB" to devuser;
I have postgres 9.3 being installed with my windows desktop app on computers all over the place. I don't want Joe Script-kiddy looking at the pgpass.conf, getting the postgres password a running amuck in my Database.
I was able to to make a backup role using this article but I ran out of luck with reindexdb and Vacuum Analyze.
So far my solution is to write an application that will take an encrypted vbscript file and use ado to connect and run.
I've read over the PG help on grant and role and I just can't see how to do this. I'd appreciate any ideas.
Neil McGuigan suggestion worked for reindex and analyze. I need to reindex each table in a loop though. If I try just to reindex database myDb I get EINDEX DATABASE cannot be executed from a function or multi-command string. I get the same error with vacuum [table]
I'm still playing around with dblink as a possible solution.
.. Well I can't use dblink because it wants the password so I'd have to code the password into the function and since my backup role has select it can view the contents of the function.
So I've got a low privileged role, backup, that can backup, analyze and reindex but cannot vacuum. seems strange to me.
You can always wrap the command in a function. Run the function with its definer's privileges. Give execute privileges to someone else. Example:
set role roleThatOwnsTable1;
/*
SECURITY DEFINER tells Postgres to run the function with the privileges of the role that
defined the function, as opposed to the privileges of the role that invoked the function.
*/
create or replace function reindexTable1() returns void SECURITY DEFINER language plpgsql as $$
begin
reindex table table1;
end $$;
grant execute on function reindexTable1() to someGuy;
set role someGuy;
select reindexTable1();
This does, of course, open that functionality to someone that should normally not have it, so be careful.