I entered postgres console with sudo and did this:
create user uu with password 'uu';
create database u_db owner uu;
grant all privileges on u_db to uu;
Error: Relation u_db doesnt exist.
You have to use the keyword DATABASE for granting here. So I'm posting you the output from psql in:
postgres=# create user uu with password 'uu';
CREATE ROLE
postgres=# create database u_db owner uu;
CREATE DATABASE
postgres=# grant all privileges on u_db to uu;
FEHLER: Relation »u_db« existiert nicht
postgres=# grant all privileges on database u_db to uu;
GRANT
However. IMHO through the owner setting of database you don't need to grant extra rights for the user uu.
Related
In a PostgreSQL server, I want to create a database (db1) and give all privileges on that database to a user (user1). I run these commands:
CREATE USER user1 WITH PASSWORD 'password';
CREATE DATABASE db1;
\c db1
CREATE SCHEMA user1;
DROP SCHEMA public;
Now the database (db1) has only the schema user1. The next step is to grant all privileges to the user (user1).
If I run the following commands, and try to create a table as user1, it works:
GRANT ALL PRIVILEGES ON SCHEMA user1 TO user1;
\c db1 user1
CREATE TABLE t1(a int);
If I only grant privileges on the database (and not the schema), it does not work:
GRANT ALL PRIVILEGES ON DATABASE db1 TO user1;
\c db1 user1
CREATE TABLE t1(a int);
The create table will fail with these errors:
db1=> CREATE TABLE t1(a int);
ERROR: no schema has been selected to create in
LINE 1: CREATE TABLE t1(a int);
^
db1=> CREATE TABLE user1.t1(a int);
ERROR: permission denied for schema user1
LINE 1: CREATE TABLE user1.t1(a int);
^
So, my questions are: Is the GRANT ALL PRIVILEGES ON DATABASE really needed here? What are the privileges granted by that command?
What are the privileges granted by that command?
According to the privileges documentation, a GRANT ALL on the DATABASE level encompasses:
CREATE: allows new schemas and publications to be created within the database, and allows trusted extensions to be installed within the database.
CONNECT: Allows the grantee to connect to the database. This privilege is checked at connection startup (in addition to checking any restrictions imposed by pg_hba.conf).
TEMPORARY: Allows temporary tables to be created while using the database.
By default, anyone (PUBLIC) has CONNECT and TEMPORARY privileges already, so GRANT ALL PRIVILEGES ON DATABASE db1 TO user1; will only affect the CREATE privilege. Judge yourself whether that's really needed.
Instead of creating the schema and granting all privileges on it to user1, you may want to grant the CREATE privilege on the database, and let the user1 create their schema themselves (so that they become its owner and will thereby get all the privileges on it). It will allow them to also create any other schema then.
Thanks #Bergi it is clear now. Using the GRANT ALL PRIVILEGES ON DATABASE the following works:
postgres=# CREATE USER user1 WITH PASSWORD 'password';
CREATE ROLE
postgres=# CREATE DATABASE db1;
CREATE DATABASE
postgres=# GRANT ALL PRIVILEGES ON DATABASE db1 TO user1;
GRANT
postgres=# \c db1 user1
You are now connected to database "db1" as user "user1".
db1=> CREATE SCHEMA user1;
CREATE SCHEMA
db1=> DROP SCHEMA public;
ERROR: must be owner of schema public
db1=> CREATE TABLE t1(a int);
CREATE TABLE
db1-> \dt
List of relations
Schema | Name | Type | Owner
--------+------+-------+-------
user1 | t1 | table | user1
(1 row)
db1-> \dn
List of schemas
Name | Owner
--------+----------
public | postgres
user1 | user1
(2 rows)
Observe that the user (user1) cannot delete the schema public because the owner is postgres, even the user has all privileges on the database (db1).
I want to make a database backup of a postgresql database.
I did this on my existing database:
sudo -u postgres psql oder psql -U postgres
CREATE USER backup;
ALTER USER backup WITH PASSWORD 'new_password';
GRANT CONNECT ON DATABASE confluence TO backup;
GRANT CONNECT ON DATABASE taiga TO backup;
GRANT USAGE ON SCHEMA public TO backup;
GRANT SELECT ON ALL TABLES IN SCHEMA public TO backup;
ALTER DEFAULT PRIVILEGES IN SCHEMA public
GRANT SELECT ON TABLES TO backup;
If I run pg_dump -Fc confluence > dumpfile I get
pg_dump: [archiver (db)] query failed: ERROR: permission denied for relation EVENTS
pg_dump: [archiver (db)] query was: LOCK TABLE public."EVENTS" IN ACCESS SHARE MODE
In Permission denied for relation I read that this would help:
GRANT ALL PRIVILEGES ON TABLE confluence TO backup;
I wonder if it is the rigth way to give all privileges to a backup user who shall not have the permissions to write the database. I want it to be a read only user.
Is this a nonsense requirement?
What do you suggest me to do instead?
In addition to grant CONNECT permission on the database and SELECT permission on all tables (in the public schema), you also need to grant select on all sequences (in the public schema).
GRANT SELECT ON ALL SEQUENCES IN SCHEMA public TO <user>
to to summarize:
--Create user
CREATE USER backup;
ALTER USER backup WITH PASSWORD 'new_password';
--Grant read only privileges
GRANT CONNECT ON DATABASE <database> TO backup;
GRANT SELECT ON ALL TABLES IN SCHEMA public TO backup;
GRANT SELECT ON ALL SEQUENCES IN SCHEMA public TO backup; -- new!
--Automatically grant read only privileges on new tables
ALTER DEFAULT PRIVILEGES IN SCHEMA public
GRANT SELECT ON TABLES TO backup;
I am aware that similar questions have been asked before, but the answers do not appear to solve my problem, so I think a more complete answer would be valuable.
I would like to create a read-only user for a postgresql database. I have already granted access to the server for my user using the pg_hba.conf file.
As the postgres admin user, I have run the following commands:
CREATE ROLE read_only_user NOSUPERUSER INHERIT NOCREATEDB NOCREATEROLE NOREPLICATION;
GRANT CONNECT ON DATABASE the_database TO read_only_user;
GRANT USAGE ON SCHEMA public to read_only_user;
GRANT SELECT ON ALL TABLES IN SCHEMA public TO read_only_user;
GRANT SELECT ON ALL SEQUENCES IN SCHEMA public TO read_only_user;
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO read_only_user;
ALTER ROLE read_only_user WITH PASSWORD '*********************';
ALTER ROLE read_only_user VALID UNTIL 'infinity';
ALTER ROLE read_only_user WITH LOGIN;
ALTER USER read_only_user SET search_path = public;
As a result, I am able to log in to the the_database DB locally, and remotely using a DB client, with username and password authentication and I can list the tables in the database. However, any attempt to select or view the contents of the database results in
ERROR: permission denied for relation the_table
What other permissions are needed, since as far as I can tell, all the necessary permissions are granted.
I have created a Postgres user user1, and granted all permission to my_db, when I try to select a table from the database, I'm getting a permission denied error.
Create user1
>>zya$ psql -d postgres
psql (9.6.3)
Type "help" for help.
postgres=# CREATE USER user1 WITH PASSWORD 'password1';
CREATE ROLE
postgres=# GRANT ALL PRIVILEGES ON DATABASE my_db to user1;
GRANT
postgres=# \q
Login as user1
>>zya$ psql -d my_db --username=user1
psql (9.6.3)
Type "help" for help.
my_db=> SELECT DISTINCT name FROM user_tbl order by id;
ERROR: permission denied for relation user_tbl
ALTER DATABASE name OWNER TO new_owner;
you have to change database my_db owner to your username user1
I know this might be late but what you might want to do is to assign
This is from my trials and I was able to fix similar issue. It seems you have to set similar privileges to tables function and sequences like shown below
GRANT ALL PRIVILEGES ON DATABASE yourdb TO yourusr;
GRANT ALL ON ALL TABLES IN SCHEMA your_schema TO yourusr;
GRANT ALL ON ALL SEQUENCES IN SCHEMA your_schema TO yourusr;
GRANT ALL ON ALL FUNCTIONS IN SCHEMA your_schema TO yourusr;
I am using Postgres and I am inserting a value:
stat.execute("insert into company(name,age,address,salary)values('"+s+"','24','dommanagdde','25000')");
It shows this error:
permission denied for relation (table name)company
Can anyone help?
The user you are using does not have insert permissions on the company table. You can solve this by granting them:
GRANT INSERT ON company TO someuser;
PostgreSQL GRANT
Radically via psql:
\c DB_NAME; - switch to your DB
GRANT ALL ON ALL TABLES IN SCHEMA "public" TO someuser;