Aurora Postgres 11.8
Is there any way possible that a non-superadmin user can run pg_stat_statements_reset()?
Details:
I have to schedule pg_stat_statements_reset() on an hourly basis. Since there is no internal scheduler available in Aurora Postgres 11.8, I want to go for a lambda/cronjob, but only the superadmin can run it, so it is a security risk in my environment to expose the superadmin password in a lambda/cronjob. So is there any way out in my case? Can there be an SP that starts execution as a non-superuser and then switches user within it, etc.?
Thanks
The documentation for pg_stat_statements_reset says:
pg_stat_statements_reset discards statistics gathered so far by pg_stat_statements corresponding to the specified userid, dbid and queryid. If any of the parameters are not specified, the default value 0(invalid) is used for each of them and the statistics that match with other parameters will be reset. If no parameter is specified or all the specified parameters are 0(invalid), it will discard all statistics. By default, this function can only be executed by superusers. Access may be granted to others using GRANT.
Let me repeat that: Access may be granted to others using GRANT.
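The GRANT route from the answer, written out for Aurora/PostgreSQL as an added example (this is not code from the original thread). The role name stats_resetter, the schema maintenance and the password placeholder are assumptions; the SECURITY DEFINER wrapper at the end is an alternative for environments where the scheduler identity should not be able to call the extension function directly.

```sql
-- 1. Run as a superuser (rds_superuser on Aurora): a dedicated role whose
--    only job is resetting the statistics. The scheduler holds this role's
--    credential, never the superadmin's.
CREATE ROLE stats_resetter LOGIN PASSWORD '<generated-secret>';

-- 2. Grant EXECUTE on the function. The extension's install script revokes
--    EXECUTE from PUBLIC, so only explicitly granted roles can call it.
--    PostgreSQL 11 ships pg_stat_statements 1.6 with the no-argument form:
GRANT EXECUTE ON FUNCTION pg_stat_statements_reset() TO stats_resetter;
--    PostgreSQL 12+ (pg_stat_statements 1.7+) has the three-argument form
--    quoted in the answer; grant that signature instead:
-- GRANT EXECUTE ON FUNCTION pg_stat_statements_reset(oid, oid, bigint) TO stats_resetter;

-- 3. Verify from the limited role in the same session (no reconnect needed).
SET ROLE stats_resetter;
SELECT pg_stat_statements_reset();
RESET ROLE;

-- Alternative: a SECURITY DEFINER wrapper owned by the privileged role.
-- The caller gets exactly one capability, and search_path is pinned so the
-- wrapper cannot be redirected to a look-alike function.
CREATE SCHEMA IF NOT EXISTS maintenance;
CREATE OR REPLACE FUNCTION maintenance.reset_query_stats()
RETURNS void
LANGUAGE sql
SECURITY DEFINER
SET search_path = pg_catalog, pg_temp
AS $$ SELECT pg_catalog.pg_stat_statements_reset(); $$;

REVOKE ALL ON FUNCTION maintenance.reset_query_stats() FROM PUBLIC;
GRANT EXECUTE ON FUNCTION maintenance.reset_query_stats() TO stats_resetter;
GRANT USAGE ON SCHEMA maintenance TO stats_resetter;
```

The scheduled job then connects as stats_resetter and issues either SELECT pg_stat_statements_reset() or SELECT maintenance.reset_query_stats(); if its credential leaks, the blast radius is one statistics table rather than the whole cluster.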
Thanks for taking the time to try to answer/understand this question.
I am using AWS Aurora Postgres (Engine version: 13.4) database.
I referred to this document for creating readwrite and readonly roles for 2 new rdsiam users -> "dev_ro" and "dev_rw". I have granted readwrite role to "dev_rw" and readonly to "dev_ro". The additional changes are:
myschema is "public" - which is my default schema
I added the same permissions as for "myschema" to another schema called "graphile_worker" (from graphile/worker, which is a job queue).
With this in mind, here is what I have done:
I run my application which adds some repeating jobs (jobs schedule itself), implying that the jobs table can never be empty
Connect to RDS using the IAM user (doesn't matter dev_ro or dev_rw)
I run SELECT * FROM graphile_worker.jobs in my IDE (dbeaver - shouldn't matter, I think)
The table shows up empty
Disconnect and reconnect to RDS using the superuser credentials (which are created when the server is created)
Run same query as above
See data in the table
I don't know why this is happening.
I double-checked, both "dev_ro/w" (through the roles) and superuser, have:
CONNECT to database (without doubt)
SELECT on all tables of graphile_worker schema
USAGE on the graphile_worker schema
Moreover, I can query graphile_worker.migrations and the migration records show up as expected (on both devro/w and superuser)!
Please let me know if there is any more information that I can provide to help debug this issue.
Removing Row-Level Security (RLS) solved this issue.
Thanks @Hambone for asking the right question.
RLS is removed by executing
ALTER ROLE <username> WITH BYPASSRLS
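As an added example (not code from the original thread), the checks that confirm row-level security is what hides the rows, followed by a policy-based fix that keeps the roles least-privileged; BYPASSRLS is kept as the last resort. The table and role names come from the question; the policy name is an assumption.

```sql
-- 1. Is RLS enabled on the table, and which policies exist on it?
SELECT relname, relrowsecurity, relforcerowsecurity
FROM   pg_class
WHERE  oid = 'graphile_worker.jobs'::regclass;

SELECT policyname, permissive, roles, cmd, qual, with_check
FROM   pg_policies
WHERE  schemaname = 'graphile_worker' AND tablename = 'jobs';
-- relrowsecurity = true with no policy that applies to the connecting role
-- means default-deny: every SELECT returns zero rows and no error, which is
-- exactly the "empty table" symptom. Superusers and, unless FORCE ROW LEVEL
-- SECURITY is set, table owners bypass RLS, so the same query shows data
-- when run with the superuser credentials.

-- 2. Least-privilege fix: a policy scoped to the roles that need the rows.
CREATE POLICY app_roles_can_read ON graphile_worker.jobs
    FOR SELECT
    TO readonly, readwrite
    USING (true);

-- 3. Verify without reconnecting: impersonate the role in this session.
SET ROLE dev_ro;
SELECT count(*) FROM graphile_worker.jobs;   -- now returns the real count
RESET ROLE;

-- 4. Only if the role genuinely must see every row of every RLS-protected
--    table in the cluster (the fix used in the answer above):
-- ALTER ROLE dev_ro WITH BYPASSRLS;
```

Step 2 keeps the security boundary where graphile/worker put it: other tables with policies stay protected, and a future policy on jobs that restricts rows per tenant or per role still applies to dev_ro, which it would not after BYPASSRLS.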
We are trying to install a release for our application. The program uses 2 SQL accounts: SA and SAA2.
SAA2 should be a standard user which can run some SELECT statements. SA is a super admin (Captain Obvious).
However we are stuck in 2 different ways:
1) If we grant sysadmin rights to SAA2, our scripts cannot run because they refer to the schema defined on the login page of the account. As we understood it, since the account is associated with sysadmin, the default schema changes to dbo.
But, the account can login successfully
If we want to resolve it this way, we have to implement these workarounds:
Force the account to use its own default schema
Change our scripts to a full name without using the schema (not possible)
Invalid object name ...
2) If we want to use SAA2 as a standard account (because the scripts mainly focus on SELECT), MSSQL refuses the account's connection. Indeed, if we try to simply log in using SQL credentials, as a sysadmin it works, as a standard user it won't (like this https://social.msdn.microsoft.com/Forums/sqlserver/en-US/23952fef-7ad7-4374-b7e9-89476a62adc9/users-unable-to-access-their-database-unless-they-are-given-sysadmin-permission?forum=sqlsecurity)
Error number 18456, Severity 14, State 1
We just want to find a way to execute our query, as a sysadmin or not.
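An added example (not from the original post) of the least-privilege setup the post is reaching for: a standard login mapped to a database user with a non-dbo default schema and SELECT on that schema only, plus the checks that explain both symptoms. The database name AppDb, the schema name app and the password placeholder are assumptions.

```sql
USE AppDb;
GO

-- 1. A server login plus a database user mapped to it. A login that has no
--    user in the target database (and no enabled guest user) is refused
--    with error 18456; the client always sees State 1, the real state is
--    written to the SQL Server error log.
CREATE LOGIN SAA2 WITH PASSWORD = '<strong-generated-password>';
CREATE USER SAA2 FOR LOGIN SAA2 WITH DEFAULT_SCHEMA = app;
GO

-- 2. Read-only access to the schema the scripts use, and nothing else.
GRANT SELECT ON SCHEMA::app TO SAA2;
GO

-- 3. Confirm the mapping and the default schema. Members of sysadmin always
--    resolve unqualified names against dbo, whatever default schema their
--    database user carries, which is the behaviour seen in variant 1).
SELECT name, type_desc, default_schema_name
FROM   sys.database_principals
WHERE  name = 'SAA2';

-- 4. Exercise the account's view of the database from an admin session
--    without logging in as it; unqualified names now resolve to app.<name>.
EXECUTE AS USER = 'SAA2';
SELECT USER_NAME() AS current_user_name, SCHEMA_NAME() AS default_schema;
-- SELECT TOP (1) * FROM SomeTable;   -- resolves to app.SomeTable
REVERT;
GO
```

If the scripts reference objects in more than one schema, grant SELECT on each schema rather than adding the account to sysadmin; the missing-user mapping in step 1 is the usual cause of the "works as sysadmin, fails as standard user" pattern, because sysadmin members are never checked against database users.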
I'm new to Postgres' RLS feature. I believe I'm following the documentation appropriately, but am getting unexpected behavior. Consider the following case:
I have a table named report_files
this table has a simple policy, policy <name> for all using (true)
the user has grant all permissions on the table (grant all on all tables in schema testing to testuser;, along with grant execute on all functions ... and grant usage for the schema as well)
the user can now read all fields in the table, but cannot insert records, against expectation
Here's a really short snippet from psql demonstrating the aforementioned: https://gist.github.com/cdaringe/85dd9a7b1278afe4770869dc494216f3
I have set a permissive policy, which clearly evaluates OK as evidenced by the successful select command.
What can I troubleshoot to get the insert to work?
Thanks!
ERROR: permission denied for sequence report_files_id_seq
It looks to me like you need to grant your user permission to use the id sequence: report_files_id_seq
You should be able to do this with the following
GRANT USAGE, SELECT ON SEQUENCE report_files_id_seq TO testuser;
Or to bulk add all tables:
GRANT USAGE, SELECT ON ALL SEQUENCES IN SCHEMA <insert schema name here> TO testuser;
ALL is equivalent to USAGE, SELECT, UPDATE
As I cannot comment yet, I will add some input as an answer if anyone arrives on this thread like me today.
Yes, you have to grant permissions on sequence(s) separately, in addition to the privileges already granted on the table(s). In fact it is what you have to do.
Even if your table is dependent on the sequence object, they are both different objects from the RDBMS point of view, so they require distinct privileges.
As for your indices example, an index is a sub-object of a table, and no additional privilege is required to be able to make use of indices, so no further action than the index creation is needed.
Moreover, be careful to prefix the sequence name in case it is stored in a schema which is not the default one (public) and which is not in your search_path.
If that is not the case, you may encounter a permission denied error even though you have all the necessary privileges on the sequence you aim to work with.
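An added example (not the questioner's gist or either answer's code) that reproduces the failure from scratch and applies the fix from both answers: the sequence grant, written schema-qualified so it does not depend on search_path, plus default privileges for sequences created later. Names follow the question (schema testing, table report_files, role testuser); run it as a superuser or the schema owner.

```sql
CREATE SCHEMA IF NOT EXISTS testing;
CREATE ROLE testuser LOGIN PASSWORD '<generated-secret>';

CREATE TABLE testing.report_files (
    id   serial PRIMARY KEY,   -- implicitly creates testing.report_files_id_seq
    name text NOT NULL
);
ALTER TABLE testing.report_files ENABLE ROW LEVEL SECURITY;
CREATE POLICY allow_all ON testing.report_files FOR ALL USING (true);

GRANT USAGE ON SCHEMA testing TO testuser;
GRANT ALL ON ALL TABLES IN SCHEMA testing TO testuser;

-- Same session, testuser's privileges: RLS is not the problem.
SET ROLE testuser;
SELECT * FROM testing.report_files;                      -- works, policy passes
INSERT INTO testing.report_files (name) VALUES ('a');
-- ERROR:  permission denied for sequence report_files_id_seq
RESET ROLE;

-- The table grant never covered the sequence behind the serial column.
GRANT USAGE, SELECT ON SEQUENCE testing.report_files_id_seq TO testuser;
-- or, for every sequence already in the schema:
-- GRANT USAGE, SELECT ON ALL SEQUENCES IN SCHEMA testing TO testuser;

SET ROLE testuser;
INSERT INTO testing.report_files (name) VALUES ('a');    -- now succeeds
RESET ROLE;

-- Audit: which sequences in the schema can the role actually use?
SELECT sequence_schema, sequence_name,
       has_sequence_privilege('testuser',
                              sequence_schema || '.' || sequence_name,
                              'USAGE') AS usage_ok
FROM   information_schema.sequences
WHERE  sequence_schema = 'testing';

-- Sequences created in this schema from now on get the same grant
-- automatically, so the next serial column does not repeat the failure.
ALTER DEFAULT PRIVILEGES IN SCHEMA testing
    GRANT USAGE, SELECT ON SEQUENCES TO testuser;
```

USAGE is enough for nextval(); SELECT additionally allows currval(), which ORMs that read the generated id back sometimes need. Leave UPDATE (setval) out unless the role really has to reseed sequences.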
We have created a UDF which fetches information from some restricted database(s) and also reads extended properties of the restricted database(s). We wish to keep the restricted database(s) as is, i.e. no direct access to those databases.
However, we would like everyone (I mean every authenticated SQL user) to be able to run this scalar UDF like this:
SELECT somedatabase.dbo.udf_getInfo()
So in other words, only the scalar function udf_getInfo should be accessible to everyone, and this scalar-valued function will read some DB information that the executing user has no direct access to.
use YourDbName
GO
-- A scalar-valued function is invoked via EXECUTE permission (no parentheses after the name in GRANT):
GRANT EXECUTE ON dbo.udf_getInfo TO public
GO
-- A table-valued function would need SELECT permission instead:
-- GRANT SELECT ON dbo.udf_getInfo TO public
-- GO
-- You must hold the permission yourself WITH GRANT OPTION (or own the object / be db_owner) to be able to grant it.
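The GRANT above makes the function callable, but the function itself still runs with the caller's permissions, so it cannot read the restricted database on the caller's behalf. As an added example (not from the original thread), this is SQL Server's module-signing approach: the function is signed with a certificate, and only a user created from that certificate receives permissions in the restricted database, so callers get exactly what the function returns and nothing more. The database name restricted_db, the table dbo.config_table, the login some_regular_login, the certificate password and the file path are assumptions.

```sql
USE somedatabase;
GO
-- 1. Everyone may call the function.
GRANT EXECUTE ON dbo.udf_getInfo TO public;
GO

-- 2. Sign the function. The private key never leaves somedatabase.
CREATE CERTIFICATE udf_getInfo_cert
    ENCRYPTION BY PASSWORD = '<certificate-password>'
    WITH SUBJECT = 'Signs dbo.udf_getInfo for cross-database reads';
ADD SIGNATURE TO dbo.udf_getInfo
    BY CERTIFICATE udf_getInfo_cert WITH PASSWORD = '<certificate-password>';
-- Export the public key only.
BACKUP CERTIFICATE udf_getInfo_cert TO FILE = '<path>\udf_getInfo_cert.cer';
GO

-- 3. In the restricted database, a user that exists only as the certificate.
--    It has no login, so its permissions are reachable solely through code
--    that carries a valid signature from the same certificate.
USE restricted_db;
GO
CREATE CERTIFICATE udf_getInfo_cert FROM FILE = '<path>\udf_getInfo_cert.cer';
CREATE USER udf_getInfo_cert_user FROM CERTIFICATE udf_getInfo_cert;
GRANT AUTHENTICATE TO udf_getInfo_cert_user;     -- lets the signature be honoured across the database boundary
GRANT SELECT ON dbo.config_table TO udf_getInfo_cert_user;
GRANT VIEW DEFINITION TO udf_getInfo_cert_user;  -- extended-property metadata is filtered by VIEW DEFINITION
GO

-- 4. Verify as an ordinary login: the function works, direct access does not.
USE somedatabase;
GO
EXECUTE AS LOGIN = 'some_regular_login';
SELECT dbo.udf_getInfo();                          -- succeeds via the signature
SELECT * FROM restricted_db.dbo.config_table;      -- fails: no user there
REVERT;
GO

-- Cross-database ownership chaining is the shortcut to avoid: it lets any
-- object owned by the same owner reach across with no per-object grant.
-- Confirm it is off for both databases.
SELECT name, is_db_chaining_on
FROM   sys.databases
WHERE  name IN ('somedatabase', 'restricted_db');
```

Re-signing is required after every ALTER FUNCTION, because the signature covers the module text; a deployment script that alters the UDF without running ADD SIGNATURE again will break the cross-database read, which is a useful fail-closed property.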
The predicates added by a Row Level Security policy do not show in the 10046 trace file. One suggestion is to use the 10053 (optimizer) trace to see the VPD predicates, but it is difficult to set the 10053 trace on a given session from another session.
Is there any other way to see what predicates were added by an RLS policy?
Scenario : The RLS policy is applied on a query in session #1. We need to analyse what happens in session #1 from session #2.
The database is Oracle 10g.
You need a user who has access to V$VPD_POLICY. By default that would be just the SYSDBA users, so you'll probably need a DBA to grant you access on the view. The view ties predicates to SQL statements. You'll need to get the SQL_ID from V$SQLAREA, because that gives you the ADDRESS, which is the only mechanism to link the SQL statement to the right row in V$SESSION.
Actually the order of access is: V$SESSION gives you the ADDRESS of the last statement executed by session 1. You use that to find its SQL_ID in V$SQLAREA, which in turn allows you to link to V$VPD_POLICY.
So you need access to several of the V$ views. But if you're tuning you should have access to them anyway, except V$VPD_POLICY.
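The V$SESSION, V$SQLAREA, V$VPD_POLICY chain from the answer written out as one query, added here as an example (not code from the original thread). The grants show the DBA step; the fixed views are granted through their SYS.V_$ names, not the V$ public synonyms. The role name tuning_user and the SID of session #1 (123) are assumptions.

```sql
-- One-time step by a DBA, run as SYSDBA:
GRANT SELECT ON sys.v_$session    TO tuning_user;
GRANT SELECT ON sys.v_$sqlarea    TO tuning_user;
GRANT SELECT ON sys.v_$vpd_policy TO tuning_user;

-- From session #2: the predicates VPD appended to the last statement that
-- session #1 executed. V$SESSION.PREV_SQL_ADDR / PREV_HASH_VALUE identify
-- that statement's parent cursor in V$SQLAREA (ADDRESS / HASH_VALUE), and
-- V$VPD_POLICY.PARADDR holds the same parent-cursor address.
SELECT s.sid,
       s.username,
       a.sql_id,
       a.sql_text,
       p.object_owner,
       p.object_name,
       p.policy_group,
       p.policy,
       p.predicate
FROM   v$session    s
JOIN   v$sqlarea    a ON  a.address    = s.prev_sql_addr
                      AND a.hash_value = s.prev_hash_value
JOIN   v$vpd_policy p ON  p.paraddr    = a.address
WHERE  s.sid = 123;

-- While the statement is still running, use the current-statement columns
-- (s.sql_address / s.sql_hash_value) in the join instead of the PREV_ ones.
```

One row comes back per policy that fired on each protected object in the statement, so a query touching two VPD-protected tables lists two predicates; an empty result with a non-empty SQL_TEXT means no policy applied to that cursor, which is itself worth knowing when the complaint is "too many rows".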