Why does new role already have access to some databases in snowflake? - sql

create role aaaaa_min_access_role;
grant role aaaaa_min_access_role to user me;
use role aaaaa_min_access_role;
show grants to role aaaaa_min_access_role;
show databases;
it results in 3 databases being outputted, the owner of those is accountadmin
wondering how?
when i do
REVOKE USAGE ON DATABASE DB_TEST FROM ROLE aaaaa_min_access_role;
REVOKE USAGE ON SCHEMA DB_TEST.SCHEMA FROM ROLE aaaaa_min_access_role;
REVOKE SELECT ON ALL TABLES IN SCHEMA DB_TEST.SCHEMA FROM ROLE aaaaa_min_access_role;
it results in 0 objects being impacted. I'm able to execute select * from DB_TEST.SCHEMA.Table1 successfully

Unless specified otherwise, new roles inherit from the PUBLIC role.
PUBLIC
Pseudo-role that is automatically granted to every user and every role in your account.
https://docs.snowflake.com/en/user-guide/security-access-control-overview.html#system-defined-roles
So the new role probably had at least some access to these databases through the PUBLIC role. You can check that by revoking the PUBLIC role from the new role you created.

Related

Postgres doesn't delegate privilege to child role

I am trying to create a group that has the right to create databases and roles. And then inherit these privileges with the next role. But the error constantly pops up that I don't have rights
Edited: (mistake between 'gg' and 'ggc', but steel doesn't work)
create role ggc with createdb createrole;
create user gg login password 'gg';
grant ggс to gg;
Always get this error: "SQL Error [42501]"
This way is also doesn't work
CREATE ROLE qwe WITH NOLOGIN CREATEDB CREATEROLE;
CREATE ROLE ads WITH LOGIN PASSWORD 'pass';
GRANT qwe TO ads;
SET ROLE ads;
CREATE DATABASE test;
This behavior is normal and is actually documented here:
The role attributes LOGIN, SUPERUSER, CREATEDB, and CREATEROLE can be thought of as special privileges, but they are never inherited as ordinary privileges on database objects are. You must actually SET ROLE to a specific role having one of these attributes in order to make use of the attribute. Continuing the above example, we might choose to grant CREATEDB and CREATEROLE to the admin role. Then a session connecting as role joe would not have these privileges immediately, only after doing SET ROLE admin.
You grant roles to users, not the other way round

postgres: how to create role with insert and update access

I have a user db_owner who is owner to my database called 'Sales'.
Now i have to create two groups(sales_ro and sales_riu) and then i will add users to this groups.
sales_ro group should inherit(from db_owner) read access on tables and execute on functions in Sales db
sales_riu group should inherit(from db_owner) insert and update access on tables and execute on functions in Sales db.
can we create such two groups in Postgres ?
You don't need to create groups to achieve this. You can just create Roles and assign them to the users you want. For example:
CREATE ROLE sales_ro;
CREATE ROLE sales_riu;
GRANT SELECT ON ALL TABLES IN SCHEMA public TO sales_ro;
GRANT EXECUTE ON ALL FUNCTIONS IN SCHEMA public TO sales_ro;
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO sales_ro;
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT EXECUTE ON FUNCTIONS TO sales_ro;
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT,INSERT,UPDATE ON TABLES TO sales_riu;
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT EXECUTE ON FUNCTIONS TO sales_riu;
After that just grant role to expected users:
GRANT sales_ro TO your_user_1;
GRANT sales_riu TO your_user_2;
Please refer link 1 and link 2 to know more about ALTER DEFAULT PRIVILEGES and CREATE ROLE respectively.
Quoting below points from above links:
CREATE ROLE adds a new role to a PostgreSQL database cluster. A role
is an entity that can own database objects and have database
privileges; a role can be considered a “user”, a “group”, or both
depending on how it is used.
A role having the LOGIN attribute can be thought of as a user. Roles
without this attribute are useful for managing database privileges

how can I create role groups in postgresql

I can create a role in postgresql.
CREATE ROLE myname WITH LOGIN PASSWORD 'pass';
and I can set privilages on a database schema for this user.
GRANT USAGE ON SCHEMA public TO myname;
and select privilages to a user.
GRANT SELECT ON ALL TABLES IN SCHEMA public TO myname;
But I have so many users in my database. I do not want to set these privilages to all of my users. Actually I want to create role groupnames:
viewer
editor
admin
And
viewer will be select privilages on all tables,
editor will be select, insert and update privilages on all tables.
my users will be in these groups.
How can I do this?
CREATE ROLE viewer;
CREATE ROLE editor;
CREATE ROLE admin;
GRANT SELECT ON ALL TABLES IN SCHEMA public TO viewer;
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO viewer;
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT,INSERT,UPDATE ON TABLES TO editor;
GRANT some_other_privs_to_admin_group
after that just grant group to user:
GRANT editor TO your_user;
and so on
https://www.postgresql.org/docs/current/static/sql-alterdefaultprivileges.html
https://www.postgresql.org/docs/current/static/sql-createrole.html
CREATE ROLE adds a new role to a PostgreSQL database cluster. A role
is an entity that can own database objects and have database
privileges; a role can be considered a “user”, a “group”, or both
depending on how it is used.
and
A role having the LOGIN attribute can be thought of as a user. Roles
without this attribute are useful for managing database privileges
For this very reason it is advisable to use "groups", that is roles (usually with NOLOGIN) to which you add the users (by granting the role to them).
In your case:
CREATE ROLE viewer;
GRANT <whatever> TO viewer;
GRANT viewer TO myname;
Then myname will enjoy all the privileges granted to viewer, and you don't have to mess around with granting and revoking privileges to every user.

How can I grant & revoke specific rights from Postgresql users?

I have been tasked to host HTML & PHP files of a website on one virtual machine and to set up a Postgresql database on another virtual machine.
I recently installed Postgresql and have been using the official Postgresql Documentation to learn how to create databases, create user and grant & revoke rights.
After having created a database named mfc_dst, I was ordered to create 4 differents users and this is where I have a problem :
-The first user has to be named admin and must be the only other user than the pre-existing user named postgres to have unlimited rights.
-The second (named cfc) and third user (named sec) must only have the SELECT and UPDATE privileges on all tables of the mfc_dst database.
-And the fourth/last user (named prof) must only be able to view a table named devoir from the database named mfc_dst.
To accomplish this, I used 2 different scripts :
CREATEandGRANT.sql
REVOKE ALL ON ALL TABLES IN SCHEMA public TO cfc;
REVOKE ALL ON ALL TABLES IN SCHEMA public TO sec;
REVOKE ALL ON ALL TABLES IN SCHEMA public TO prof;
GRANT CONNECT ON DATABASE mfc_dst TO admin;
GRANT CONNECT ON DATABASE mfc_dst TO cfc;
GRANT CONNECT ON DATABASE mfc_dst TO sec;
GRANT CONNECT ON DATABASE mfc_dst TO prof;
GRANT SELECT,UPDATE
ON ALL TABLES IN SCHEMA public
TO cfc;
GRANT SELECT,UPDATE
ON ALL TABLES IN SCHEMA public
TO sec;
GRANT SELECT ON devoir TO prof;
and this other one :
REVOKE.sql
REVOKE ALL ON TABLE professeur FROM PUBLIC;
REVOKE ALL ON TABLE reserver FROM PUBLIC;
REVOKE ALL ON TABLE salle FROM PUBLIC;
REVOKE ALL ON TABLE semaine FROM PUBLIC;
REVOKE ALL ON TABLE surveiller FROM PUBLIC;
Thanks to these 2 scripts, I was able to prevent the user named prof from seeing other tables, but the problem I have is that the users named cfc,sec and prof are still all three able to create tables and to drop them.
Is it possible to know how to prevent them from doing this and if possible, in the future, prevent newly created users from having such rights/privileges ?
Thank you in advance
All Postgres users implicitly are also automatically members of the public role, which grants them all permissions on the public schema. You can remove permissions from the public role with
revoke all on database mfc_dst from public;
revoke all on schema public from public;
Additionally, consider defining a new schema for your data tables, so that you can issue grant statements without having to deal further with the public role. If you do this, you can also set the search path to include your custom schema and to exclude the public schema.
Also, you might want to create a group role for the cfc and sec users and assign permissions to that role, rather than to the users individually. This will make future maintenance easier.

Vertica role grant not working

I am trying to setup a new role for making the access rights granting easier. I was wondering if there is an easier way to give select on all tables (newly created tables should be accessible automatically) under a schema to selected users. I ran following queries for the same. But still my user is not able to access the specific table.
CREATE ROLE myrole;
GRANT SELECT ON myschema.mytable TO myrole;
GRANT usage ON schema myschema TO myrole;
CREATE USER mytest1 identified BY '***';
GRANT myrole TO mytest1;
After this, when I login with mytest1 user and trying to run select on myschema.mytable it is asking me to grant usage on schema to user. After I grant usage on schema to user directly it is failing with permission denied for that table.
Please help with the same. I am running on vertica 5.0
Update:
I find that u also have to make that role default or explicitely set that role as default for user session for making the role's effect take place.
ALTER USER mytest1 DEFAULT ROLE myrole;
But still, my another question of how to make all tables under a schema accessible to specific users remains.
As per the Vertica SQL Reference Manual.pdf (page 725) (doc version 5.0 - for page numbers)
GRANT (Schema)
...
USAGE
Allows the user access to the objects contained within the
schema. This allows the user to look up objects within the
schema. Note that the user must also be granted access to the
individual objects. See the GRANT TABLE (page 727) ... .
The the user must also be granted access to the individual objects means that you need to also GRANT table.
The two I use is GRANT SELECT and GRANT REFERENCES which allows the user to run queries and join (reference) tables in the query.
Example:
GRANT SELECT ON TABLE [schema].[Table1] TO myUser;
GRANT SELECT ON TABLE [schema].[Table2] TO myUser;
GRANT REFERENCES ON TABLE [schema].[Table1] TO myUser;
GRANT REFERENCES ON TABLE [schema].[Table2] TO myUser;
...
6.0 doc reference GRANT SCHEMA (page 808) and GRANT TABLE (page 813).