I have multiple databases, each one with multiple schemas. Something like this:
db1
schema1
schema2
db2
schema1
schema2
db3
schema1
schema2
I need to grant access to someuser *only to* db1.schema2.
In the pg_hba.conf I can restrict which user connects to wich database. And in the schema1 I can revoke usage and create privileges.
At this moment someuser can connect only to db1 and only can create tables in schema2 not in schema1.
However, the user can view the structure of the tables in schema1.
Is it posible to avoid someuser to view the structure of the tables in schema1?
First, schemas aren't used in the hba.conf flie. What you're looking for are simply grants and revokes. You're wanting to revoke "usage" of the schema from the role or perhaps the public role. According to the documentation, there are still other ways (ie, the system tables) to query this information, but it'll hide it from the front end. In short, there's no way to absolutely deny all ways of seeing the table description, and apparently the designers don't see a need to implement such a feature.
See discussion here
Revoking usage of the schema:
revoke usage on schema myschema from myrole
Related
I have an application which uses a postgres database. I have a superadmin user. Now I need two more users: One "application-user" with CRUD-privileges and one with ALTER and CREATE-privileges (to apply migrations). These are all users I need, because the application has its own User-Access management and it is not at all planned to change that.
I want something like: GRANT SELECT, INSERT, UPDATE, DELETE ON DATABASE MyDatabase TO myuser
I've read here that postgres provides pre defined roles. This is good - but these roles apply globally (as pointed out in one comment). MyDatabase is on public schema which becomes problematic because some system tables are on public too - and I don't want myuser to be able to read from or write to these.
I'd be fine with GRANT pg_read_all_data, pg_write_all_data ON DATABASE MyDatabase TO myuser but this doesn't work.
As I'll not change these privileges often I'd even be fine with GRANT pg_read_all_data ON MyDatabase.MyTable TO myuser as well. But this doesn't work either.
Any ideas on this?
There are no ALTER and CREATE privileges in PostgreSQL. The database user that should be able to run ALTER and CREATE statements will have to be the owner of the database objects. If you already have objects owned by a different user, you will have to change the ownership.
For the other user, you will have to grant privileges on each and every object. Privileges on the database won't help – there is no inheritance of privileges between objects. Don't forget to grant USAGE on the schemas.
I recommend that you create more schemas than public. If you have a separate schema for your application's objects, you can use statements like
GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA myapp TO someuser;
I've created a database in Postgres, like so:
CREATE DATABASE mydb
I've created a user (role), like so:
CREATE USER myuser
I would now like to GRANT certain permissions (e.g. SELECT) to this user for all tables in this database. How can I achieve this?
The closest thing I can find is the GRANT ... ON ALL TABLES IN SCHEMA someschema, but I don't think this addresses the issue, since a single "database" can have multiple "schema", and I'd like these permissions to apply to all existing tables in all existing schema, as well as all future tables in all future schema.
Similarly, what would then be the equivalent to REVOKE all permissions for all tables in a database?
I am the admin of a PostgreSQL 11 DB on Azure.
Some of the users only have access to specific views.
The users were created by:
CREATE USER M1234 WITH PASSWORD '1234!';
GRANT USAGE ON SCHEMA public TO M1234;
GRANT SELECT ON table v_xxx TO M1234;
GRANT SELECT ON table v_yyy TO M1234;
For some reason the grant for select on one or all the existing views is removed every so often and the users of course cannot access.
I would really appreciate it if anyone has any insight as to why and how this could happen and if there is a more long term solution.
You grant SELECT on existing tables, but for future tables, you need additional permissions
-- Grant access to future tables ALTER DEFAULT PRIVILEGES IN SCHEMA a_given_schema GRANT SELECT ON TABLES TO read access;
Is there a way to restrict the user to view all the schemas in a database?
Scenario:
I have a database with multiple schemas. I need to give access to a user for a particular schema and it's tabled.
Even though I try revoking all the access to that particular user and PUBLIC group, still he can view all the schemas and its tables. (Only the data he can't view.
I tried below commands:
REVOKE ALL ON SCHEMA devops_test FROM testuser;
REVOKE ALL ON SCHEMA devops_test FROM PUBLIC;
REVOKE ALL on all tables IN SCHEMA devops_test FROM testuser;
Once connected to database, users can read a list of all databases, schema's, tables, and even table columns in the cluster from the system tables, even if they are prevented from reading the data within those tables through the use of REVOKE ALL FROM. Try this:
REVOKE USAGE ON SCHEMA information_schema FROM PUBLIC;
REVOKE USAGE ON SCHEMA pg_catalog FROM PUBLIC;
REVOKE SELECT ON TABLE pg_catalog.pg_database FROM PUBLIC;
If I’ve made a bad assumption please comment and I’ll refocus my answer.
I have a bit of a funny situation in Amazon Redshift where I have a user X who has grant select on all tables in schema public, but once a new table is created, this grant doesn't seem to apply to the new table. Is this normal behaviour? If yes, how does one deal with it such that the schema level grants are maintained. Thank you.
Executing the following command as super user (master):
alter default privileges
for user staging_user
in schema staging
grant select on tables
to reporting_user;
will allow reporting_user to select data from all future tables created by staging_user in schema staging.
In Redshift tables and views do not automatically inherit the permissions of their parent schema. Your newly created tables are only accessible to the user who created them, and the superuser.
In a recent patch to Redshift a new feature to grant default privileges was implemented that addresses this issue.
Alter Default Privileges
The following code snippet will grant select privileges only for all future tables in the sales schema to the sales_admin group. If you want this to apply to existing tables in a schema you will need to combine it with a second grant statement.
alter default privileges in schema sales grant select on tables to group sales_admin;
This is a normal behavior. Only the object owner/superuser have permission to use the object by default.
http://docs.aws.amazon.com/redshift/latest/dg/r_Privileges.html
You can add grant command to your create table statement and grant needed privileges for the user.
When we first spotted new tables not appearing in our reporting tool, I discovered a quick workaround is to re-execute the following SQL statement for the groups/users impacted:
ALTER DEFAULT PRIVILEGES IN SCHEMA <SCHEMANAME> GRANT SELECT ON TABLES TO GROUP <USER/GROUPNAME>;