Postgresql default privileges for new schema in multi-tenant Rails application - postgresql

In my Rails 4 multi-tenant application, I create new schemas in Postgresql with the gem Apartment.
It works very well but I have a problem with the privileges for new schemas.
In Postgresql, I created a "backup" user to backup my database.
I defined the default privileges with :
ALTER DEFAULT PRIVILEGES FOR USER foo GRANT SELECT ON TABLES TO backup;
ALTER DEFAULT PRIVILEGES FOR USER <nom_user_ks-xxx_dbuser> GRANT SELECT ON SEQUENCES TO backup;
This works for new tables and sequences (as it's explained in Postgresql documentation) in existing schemas but it doesn't work for new schemas.
After googling hours, I can't find a solution.
What is the best way to apply default privileges for new schemas ?
Thanks

Related

How to provide read only access to all existing databases in postgresql

what's the recommended way to provide readonly access to all databases in postgresql version 12.
I am using this found at How do you create a read-only user in PostgreSQL?
CREATE ROLE readaccess;
CREATE USER my_user_test WITH PASSWORD 'my_user_test';
GRANT readaccess TO my_user_test;
\c database_name;
-- need to connect to the database first on which we need to execute the below commands
GRANT CONNECT ON DATABASE database_name TO readaccess;
GRANT USAGE ON SCHEMA public TO readaccess;
GRANT SELECT ON ALL TABLES IN SCHEMA public TO readaccess;
-- Assign permissions to read all newly tables created in the future
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO readaccess;
But using this approach I need to individually connect to each database and provide the role read only access.
Is there a better approach to provide a read only access all existing databases at once?
Thanks.

Postgresql: cannot set default privileges on tables [duplicate]

I'm building a spring boot application. Flyway database migrations are executed at the application startup.
I decided to use two different roles: role__app (read/write rights on tables, sequences in app schema) and role__migration (advanced rights in app/migration schemas).
Flyway migrations are executed under role__migration so it becomes the owner of the created objects. I thought that the following statements would help:
ALTER DEFAULT PRIVILEGES IN SCHEMA app GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO role__app;
ALTER DEFAULT PRIVILEGES IN SCHEMA app GRANT USAGE ON SEQUENCES TO role__app;
But when the new tables are added to the app schema the user__app (belongs to the role__app) doesn't have access to the tables.
Is it possible to maintain such a flow (with app, migrattion users/roles) by Postgres or by any other means?
As a side note I should mention that I run the following statements on the target database:
REVOKE CREATE ON SCHEMA public FROM PUBLIC;
REVOKE ALL ON DATABASE myDb FROM PUBLIC;
Update 1
I added the FOR ROLE clause, yet I'm still getting the permission denied message for a created table (app.property) in app schema for user user__app. The owner of the table is user__mig.
Update 2
After logging in as postgres user in dbeaver we can see that user__mig has all necessary permissions ticked whereas the user__app has no permissions on the app.property table at all:
Here is a gist to reproduce the problem: https://gist.github.com/happygrizzly/849a6a791f028ba5b191f73180ae35d1
You should write
ALTER DEFAULT PRIVILEGES FOR USER role__migration ...
If you omit the FOR USER clause, the privileges are only granted on objects created by the user who ran ALTER DEFAULT PRIVILEGES.
With the above statement, the privileges are granted when role__migration creates an object. That does not extend to members of the role role__migration.

Postgres: granting access to a role/user for future tables created by a different role/user

I'm building a spring boot application. Flyway database migrations are executed at the application startup.
I decided to use two different roles: role__app (read/write rights on tables, sequences in app schema) and role__migration (advanced rights in app/migration schemas).
Flyway migrations are executed under role__migration so it becomes the owner of the created objects. I thought that the following statements would help:
ALTER DEFAULT PRIVILEGES IN SCHEMA app GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO role__app;
ALTER DEFAULT PRIVILEGES IN SCHEMA app GRANT USAGE ON SEQUENCES TO role__app;
But when the new tables are added to the app schema the user__app (belongs to the role__app) doesn't have access to the tables.
Is it possible to maintain such a flow (with app, migrattion users/roles) by Postgres or by any other means?
As a side note I should mention that I run the following statements on the target database:
REVOKE CREATE ON SCHEMA public FROM PUBLIC;
REVOKE ALL ON DATABASE myDb FROM PUBLIC;
Update 1
I added the FOR ROLE clause, yet I'm still getting the permission denied message for a created table (app.property) in app schema for user user__app. The owner of the table is user__mig.
Update 2
After logging in as postgres user in dbeaver we can see that user__mig has all necessary permissions ticked whereas the user__app has no permissions on the app.property table at all:
Here is a gist to reproduce the problem: https://gist.github.com/happygrizzly/849a6a791f028ba5b191f73180ae35d1
You should write
ALTER DEFAULT PRIVILEGES FOR USER role__migration ...
If you omit the FOR USER clause, the privileges are only granted on objects created by the user who ran ALTER DEFAULT PRIVILEGES.
With the above statement, the privileges are granted when role__migration creates an object. That does not extend to members of the role role__migration.

Default privileges for new users on public schema?

I just created a database with an additional application schema.
And for our Java Spring Boot applications I created a new role with the following SQL scripts for setting up the privileges:
CREATE USER app_role WITH ENCRYPTED PASSWORD '#########';
GRANT ALL ON SCHEMA application TO app_role;
Now my expectation was that I could only create and delete tables within the schema application when logging in with this role.
However, I am also able to create and modify tables in the schema public.
Are there any default privileges for the public schema?
Why can I create tables in schemas I did not grant any privileges to?
The public schema has a special role in PostgreSQL, as the documentation describes.
If you don't want that (and it can be a security problem), you can either REVOKE the CREATE privilege or even drop the schema alogether.

Revoke access to postgres database for a role

I have created a separate role "newrole" and new schema "newschema" for a certain user that should only execute some stored functions. I have managed to revoke access to schema "public" for the current database.
Logged in as "newrole" I still have access to postgres database like this:
SELECT * FROM pg_user
I want to revoke all access to the postgres database and tried following that not work:
REVOKE ALL ON DATABASE postgres FROM newrole
When logged in as newrole I can still read the postgres database.
How do I revoke any access to the postgres admin database?
I have searched a long time but not found anything regarding access to the postgres admin database.
TIA,
This issue has nothing to do with database postgres. Instead, you want to manipulate the catalog of the current database. Every database has a catalog of information on all objects in schema pg_catalog, and in standards-compliant form in schema information_schema, so you should restrict access to those for the role in question and also for the public role because every role is also member of that role:
REVOKE ALL PRIVILEGES ON SCHEMA pg_catalog FROM newrole;
REVOKE ALL PRIVILEGES ON SCHEMA pg_catalog FROM public;
REVOKE ALL PRIVILEGES ON SCHEMA information_schema FROM newrole;
REVOKE ALL PRIVILEGES ON SCHEMA information_schema FROM public;
However, the system does not always honour this accross-the-board restriction, the catalogs are there for a reason and provide important functions in the database. Particularly functions may still execute.
In general, you do not want to fiddle with the catalogs unless you really know what you are doing.
you should be able to run this:
select * FROM information_schema.table_privileges where grantee = 'newrole';
to display all the privileges for newrole. With that information you should be able to explicitly revoke everything other than access to 'newschema'