I have a PostgreSQL 11 database with the public schema. I have a role user1 that has all privileges on schema public.
I would like to do the following:
create a schema "some_schema";
grant read only privileges to user1 on "some_schema";
create role user2 that has all privileges on schema "some_schema".
I tried the following:
CREATE USER user2 WITH PASSWORD '***';
CREATE schema "some_schema";
GRANT CONNECT ON DATABASE user1 TO some_schema;
GRANT USAGE ON SCHEMA some_schema TO user1;
GRANT ALL ON SCHEMA some_schema to user2;
ALTER DEFAULT PRIVILEGES IN SCHEMA some_schema GRANT SELECT ON TABLES TO user1;
This does not work because when I log in like this and then create a "test" table and select, it tells user1 that "relation 'some_schema.test' doesn't exist":
create table some_schema.test(id int);
\q
psql -U user1;
select * from some_schema.test;
result => relation some_schema.test doesn't exist.
I also changed the pg_hba.conf to give access to the new schema to both users and restarted the server.
I've tried to read the documentation and many things without success. Maybe it's the way I connect to the database?
Thank you.
Thank you @JGH, that was it: user2 had to give user1 access to schema some_schema.
What I did:
psql
CREATE USER user2 WITH PASSWORD '***';
\c my_database
CREATE SCHEMA some_schema AUTHORIZATION user2;
\c my_database user2
create table some_schema.t(id int);
insert into some_schema.t values (100);
GRANT USAGE ON SCHEMA some_schema TO user1;
GRANT SELECT ON ALL TABLES IN SCHEMA some_schema TO user1;
ALTER DEFAULT PRIVILEGES IN SCHEMA some_schema GRANT SELECT ON TABLES TO user1;
Then:
\c my_database user1
select * from some_schema.t;
=> shows result 100 :)
I need to grant permission to a specific user to create stored procedures in PostgreSQL without writing permissions to other tables. The stored procedure should read and write only in one table.
I've already set up the read permission on that table, but I'm struggling with the write permissions.
GRANT CONNECT ON DATABASE production_database TO user;
GRANT USAGE ON SCHEMA public TO user;
GRANT SELECT ON table TO user;
If you want to write a procedure in PL/PGSQL you need to use PostgreSQL 11 or 12.
In PostgreSQL there is no explicit privilege to create a procedure or a function.
However you can try:
to create a specific schema just for the procedure
to grant USAGE to this schema only to the specific user
to create the procedure with SECURITY DEFINER as the table owner
Example:
create user myuser password 'myuser';
--
create table public.t(x int);
--
create schema myschema;
--
create or replace procedure myschema.myproc(param int)
language plpgsql
as
$$
declare
v int;
begin
insert into public.t values(param);
end;
$$
security definer
set search_path='';
--
grant usage on schema myschema to myuser;
Here the table owner is superuser postgres and the table schema is public:
With this script:
\c postgres myuser
select * from t;
call myschema.myproc(1);
\c postgres postgres
select * from t;
I get:
You are now connected to database "postgres" as user "myuser".
select * from t;
psql:cp.sql:25: ERROR: permission denied for table t
call myschema.myproc(1);
CALL
You are now connected to database "postgres" as user "postgres".
select * from t;
x
---
1
(1 row)
I created the table and granted SELECT on it to the role. Then I granted the role to the user. The user can perform a select statement on my table, but he cannot see information about this privilege via SELECT * FROM USER_TAB_PRIVS;
Step by step, as user HR:
CREATE TABLE A1 (ID NUMBER);
Table A1 created.
CREATE TABLE A2 (ID NUMBER);
Table A2 created.
CREATE ROLE ROLE1;
Role ROLE1 created.
GRANT SELECT ON A1 TO ROLE1;
Grant succeeded.
GRANT SELECT ON A2 TO ROLE1;
Grant succeeded.
GRANT ROLE1 TO MAX;
Grant succeeded.
Then steps by user MAX:
SET ROLE ROLE1;
Role ROLE1 succeeded.
SELECT * FROM HR.A1; -- successful
SELECT * FROM USER_TAB_PRIVS; -- successful, but no rows
Where is the problem? Who can clarify?
User MAX has no table privileges, only privileges on role ROLE1.
Use the USER_ROLE_PRIVS to show these privileges.
user_tab_privs is limited to the privileges of the connected/current user.
Table user_tab_privs is a table from the Oracle dictionary, so I assume this is an Oracle database.
After the grant select you will get an entry from user_tab_privs if you are connected as the user HR. If you use a dba user you have to query dba_tab_privs.
I am trying to work on a scenario where one user creates tables in a 'schema', and all such tables should be visible to a specific user/role, even if the tables are created in the future (after the GRANT SELECT command).
My current flow is as:
USERS: dbadmin, user1, user2
SCHEMA: myschema
dbadmin=> GRANT ALL ON SCHEMA myschema to user1;
dbadmin=> GRANT SELECT ON ALL TABLES IN SCHEMA myschema TO user2;
dbadmin=> ALTER SCHEMA myschema DEFAULT INCLUDE PRIVILEGES;
-- user1 now creates table
user1=> CREATE TABLE myschema.table1 (id INT);
-- can user2 see that table
user2=> SELECT * FROM myschema.table1;
-- Permission Denied for table1
Any ideas on how to do this?
Thanks.
Figured out the issue from here. Posting here for others.
The only catch in the above queries was using "GRANT SELECT ON ALL TABLES IN SCHEMA".
Instead it should be "GRANT SELECT ON SCHEMA"
How can I create a correct role tree for a PostgreSQL database for users who can do this:
read only (select) data (A)
A + modify (insert, delete, update) data (B)
B + create tables (C)
C + create tables and also all special privileges (D)
I checked the documentation about roles and default privileges, but nothing helps me understand how Postgres works with roles. My actual script for creating sample roles:
create database daba;
create role "ra" nologin noinherit; -- default read only role
grant connect on database "daba" to "ra";
grant usage on schema public to "ra" with grant option;
grant select on all tables in schema public to "ra" with grant option;
-- ignore sequences and functions for now
create role "rb" nologin inherit;
grant "ra" to "rb"; -- grant connect, grant select
grant insert, update, delete on all tables in schema public to "rb" with grant option;
create role "rc" nologin inherit;
grant "rb" to "rc";
grant all privileges on schema public to "rc" with grant option;
grant all privileges on all tables in schema public to "rc" with grant option;
create role "rd" nologin inherit;
grant "rc" to "rd";
grant "postgres" to "rd";
-- default privileges for new created tables
-- only "rc" and "rd" can create table, "ra" can read it
alter default privileges for role "rc", "rd" in schema public grant select on tables to "ra" with grant option;
-- "rb" and higher can insert, update or delete also
alter default privileges for role "rc", "rd" in schema public grant insert, update, delete on tables to "rb" with grant option;
-- roles done, create users
create role "ua" login encrypted password 'ua' in role "ra";
create role "ub" login encrypted password 'ub' in role "rb";
create role "uc" login encrypted password 'uc' in role "rc";
create role "ud" login encrypted password 'ud' in role "rd";
OK, roles and users are created, now test with errors on lines:
-- connect as "ud"
create table ud_a (a numeric); -- OK
insert into ud_a values (1); -- OK
select * from ud_a; -- OK -- 1 row
-- connect as "uc"
select * from ud_a; -- SQL Error [42501]: ERROR: permission denied for relation ud_a
-- As user "uc" I cannot insert value, or drop table
insert into ud_a values (2); -- **SQL Error [42501]: ERROR: permission denied for relation ud_a**
drop table ud_a; -- **SQL Error [42501]: ERROR: must be owner of relation ud_a**
-- But I can create new table! As "uc":
create table uc_a (a numeric); -- OK
insert into uc_a values (2); -- OK
-- After this, when I connect as the more powerful user "ud"
-- I cannot even read from this table even though my user "ud" is created under role "rd" with "grant 'rc' to 'rd'":
select * from uc_a; -- SQL Error [42501]: ERROR: permission denied for relation uc_a
-- Connect as "ua" for read only return also errors for selects:
select * from ud_a; -- SQL Error [42501]: ERROR: permission denied for relation ud_a
select * from uc_a; -- SQL Error [42501]: ERROR: permission denied for relation uc_a
Cleaning:
-- as "postgres":
drop owned by "ud"; drop owned by "uc"; drop owned by "ub"; drop owned by "ua";
drop role "ud"; drop role "uc"; drop role "ub"; drop role "ua";
drop owned by "rd"; drop owned by "rc"; drop owned by "rb"; drop owned by "ra";
drop role "rd"; drop role "rc"; drop role "rb"; drop role "ra";
drop database daba;
I need to create a role structure where user A can select all tables created by user C or D, and all users inherit from the previous level (so everything user A can select, users B, C and D can select too), and also role D can drop tables created by a user under role C, and so on...
Can you help me with this?
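An added worked example for the role tree asked about above; it is not from any post on this page and assumes PostgreSQL 11, a fresh database, and that the setup statements are run as a superuser. The original script fails because ALTER DEFAULT PRIVILEGES FOR ROLE "rc" only covers tables whose creator is "rc", while the tables are actually created (and owned) by the login users "uc" and "ud"; the script below fixes that, and uses a shared owner role instead of granting "postgres" to "rd".

```sql
-- Added example, not from the original post. Run the setup as a superuser.
-- Key point: ALTER DEFAULT PRIVILEGES FOR ROLE x applies only to objects
-- created by x. Tables created by login user uc are owned by uc, so defaults
-- declared FOR ROLE rc never fire for them.

CREATE ROLE ra NOLOGIN;                -- A: read only
CREATE ROLE rb NOLOGIN IN ROLE ra;     -- B: A + insert/update/delete
CREATE ROLE rc NOLOGIN IN ROLE rb;     -- C: B + create tables; shared owner role
CREATE ROLE rd NOLOGIN IN ROLE rc;     -- D: C + ownership of everything via rc
                                       --    (no GRANT postgres TO rd needed)

GRANT USAGE ON SCHEMA public TO ra;    -- inherited by rb, rc, rd
GRANT CREATE ON SCHEMA public TO rc;   -- inherited by rd only

-- Login users; default INHERIT means membership privileges apply directly.
CREATE ROLE ua LOGIN PASSWORD 'ua' IN ROLE ra;
CREATE ROLE ub LOGIN PASSWORD 'ub' IN ROLE rb;
CREATE ROLE uc LOGIN PASSWORD 'uc' IN ROLE rc;
CREATE ROLE ud LOGIN PASSWORD 'ud' IN ROLE rd;

-- Fix 1: key the defaults on the roles that will actually own new tables.
-- rc covers tables created under SET ROLE rc; uc/ud cover tables the users
-- create without switching role.
ALTER DEFAULT PRIVILEGES FOR ROLE rc, uc, ud IN SCHEMA public
    GRANT SELECT ON TABLES TO ra;
ALTER DEFAULT PRIVILEGES FOR ROLE rc, uc, ud IN SCHEMA public
    GRANT INSERT, UPDATE, DELETE ON TABLES TO rb;

-- Fix 2: creators switch to the shared owner role before DDL, so the table
-- is owned by rc. Every member of rc (uc, ud) then has owner rights on it,
-- which is what DROP TABLE checks.
-- (connected as uc:)
SET ROLE rc;
CREATE TABLE uc_a (a numeric);   -- owner: rc; defaults FOR ROLE rc apply
RESET ROLE;
INSERT INTO uc_a VALUES (2);     -- OK: uc inherits rb's default INSERT

-- (connected as ua:) SELECT works, including on tables created later.
SELECT * FROM uc_a;

-- (connected as ud:) DROP succeeds because ud is a member of the owner rc.
DROP TABLE uc_a;
```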
I am using oracle database 11g Release 2
I am able to create user and give it create session privileges, but I am unable to give it select privilege.
create user user1 identified by pass;
User created.
grant create session to user1;
Grant succeeded.
grant select on emp to user1;
Grant succeeded.
After this I connect as user1
Now when I run this statement it says
select * from emp;
Oracle replies:
ERROR at line 1:
ORA-00942: table or view does not exist
Then I checked user1's privileges using
select * from session_privs;
PRIVILEGE
---------------------------------
CREATE SESSION
Which means only create session privilege is available to user1. How can I give select privileges to user1?
Giving a user the SELECT privilege (or any other privilege for that matter) does not create a synonym. As user1, who is not the table's owner, you should still reference the table by its fully qualified name, with the owner.
Assuming the owner is called owner1, user1's query should be:
SELECT * FROM owner1.emp
As for the data dictionary query, this is also to be expected. These privileges are recorded in the [DBA|ALL|USER]_TAB_PRIVS views:
SELECT * FROM all_tab_privs WHERE grantee = 'USER1'