Participants
Chandra Barnett
Chandra Barnett
Tom Lane
Tom Lane
Alvaro Herrera
Alvaro Herrera
Dave Page
Dave Page
Attachments
Show all attachments
Thread Outline
#1Chandra BarnettChandra Barnett
Jul 01, 2008
#2Alvaro HerreraAlvaro Herrerato Chandra Barnett (#1)
Jul 01, 2008
#3Tom LaneTom Laneto Alvaro Herrera (#2)
Jul 01, 2008
#4Chandra BarnettChandra Barnettto Tom Lane (#3)
Jul 01, 2008
#5Tom LaneTom Laneto Chandra Barnett (#4)
Jul 01, 2008
#6Chandra BarnettChandra Barnettto Tom Lane (#5)
Jul 02, 2008
#7Dave PageDave Pageto Chandra Barnett (#6)
Jul 03, 2008

Problem with roles and permissions

Started by Chandra Barnettalmost 18 years ago7 messagesgeneral
Jump to latest
#1Chandra Barnett
Chandra Barnett
chandra.barnett@cognition.com

Hi --

I've recently started using PostgreSQL after working with MySQL for quite a while. I've been trying to set up roles so I can manage permissions per-user, but it's not working the way I expected and I'm wondering if anyone can steer me straight.

What I've done so far is to set up a "group role" and explicitly granted it every possible type of permission on the database in question, and also on the individual relations in that database. Then I created a "login role" and made it part of the group role I created. I expected that to let me connect to the dbms using that login role and database, and that I'd then be able to select/insert/update/delete in the relations in that database. I can connect just fine to that database with that login role, as I expected, but I then can't execute any commands. A sample error message from a failed INSERT is "ERROR: permission denied for relation sessions". A look in pgAdmin, however, tells me that I've explicitly granted the group role all permissions on both the relation and the database it's in.

It seems there must be some other step that I didn't know to do. In MySQL, for example, after changing permissions, one needs to "flush privileges" to get everything to take effect. Is there something analogous to this in PostgreSQL? If so, can someone tell me how to do it via pgAdmin III?

For context, I'm using PostgreSQL 8.3 and pgAdmin III on Windows XP.

Thanks for your help!
--

Chandra Barnett <chandra.barnett@cognition.com> 310-641-7200 x207

Software Engineer, Cognition, Inc. HYPERLINK "http://www.cognition.com/&quot;&lt;http://www.cognition.com&gt;

No virus found in this outgoing message.
Checked by AVG.
Version: 7.5.526 / Virus Database: 270.4.3/1528 - Release Date: 7/1/2008 7:26 AM

#2Alvaro Herrera
Alvaro Herrera
alvherre@2ndquadrant.com
In reply to: Chandra Barnett (#1)
Re: Problem with roles and permissions

Chandra Barnett wrote:

What I've done so far is to set up a "group role" and explicitly
granted it every possible type of permission on the database in
question, and also on the individual relations in that database. Then
I created a "login role" and made it part of the group role I created.
I expected that to let me connect to the dbms using that login role
and database, and that I'd then be able to select/insert/update/delete
in the relations in that database. I can connect just fine to that
database with that login role, as I expected, but I then can't execute
any commands.

Probably your group role needs to have the INHERIT property set.
Alternatively, you could "SET ROLE group" after connecting.

It seems there must be some other step that I didn't know to do. In
MySQL, for example, after changing permissions, one needs to "flush
privileges" to get everything to take effect. Is there something
analogous to this in PostgreSQL?

Fortunately not.

--
Alvaro Herrera http://www.CommandPrompt.com/
PostgreSQL Replication, Consulting, Custom Development, 24x7 support

#3Tom Lane
Tom Lane
tgl@sss.pgh.pa.us
In reply to: Alvaro Herrera (#2)
Re: Problem with roles and permissions

Alvaro Herrera <alvherre@commandprompt.com> writes:

Probably your group role needs to have the INHERIT property set.

I think it's the other way around --- the login role needs the INHERIT
property. Anyway, one or the other should do it.

regards, tom lane

#4Chandra Barnett
Chandra Barnett
chandra.barnett@cognition.com
In reply to: Tom Lane (#3)
Re: Problem with roles and permissions

That did it! Thanks, all.

(Out of curiosity, what's the reason for not making this the default? It seems to me that if you're making a role a child of another role, it's /because/ you want to inherit permissions. OTOH maybe defaulting to more security is smart enough to be worth the confusion...)

-cb.

I think it's the other way around --- the login role needs the INHERIT property. Anyway, one or the other should do it.

regards, tom lane

No virus found in this incoming message.
Checked by AVG.
Version: 7.5.526 / Virus Database: 270.4.3/1528 - Release Date: 7/1/2008 7:26 AM

No virus found in this outgoing message.
Checked by AVG.
Version: 7.5.526 / Virus Database: 270.4.3/1528 - Release Date: 7/1/2008 7:26 AM

#5Tom Lane
Tom Lane
tgl@sss.pgh.pa.us
In reply to: Chandra Barnett (#4)
Re: Problem with roles and permissions

"Chandra Barnett" <chandra.barnett@cognition.com> writes:

That did it! Thanks, all.

(Out of curiosity, what's the reason for not making this the default?

Uh ... it *is* the default.

regards, tom lane

#6Chandra Barnett
Chandra Barnett
chandra.barnett@cognition.com
In reply to: Tom Lane (#5)
Re: Problem with roles and permissions

Bah. Must be pgAdmin, then. In its role creation dialogue, INHERIT is definitely off by default. Guess that's not you guys, though. Sorry to have impugned your judgement... =)

-cb.

"Chandra Barnett" <chandra.barnett@cognition.com> writes:

That did it! Thanks, all.

(Out of curiosity, what's the reason for not making this the default?

Uh ... it *is* the default.

regards, tom lane

No virus found in this outgoing message.
Checked by AVG.
Version: 7.5.526 / Virus Database: 270.4.4/1530 - Release Date: 7/2/2008 8:05 AM

#7Dave Page
Dave Page
dpage@pgadmin.org
In reply to: Chandra Barnett (#6)
Re: Problem with roles and permissions

On Wed, Jul 2, 2008 at 6:09 PM, Chandra Barnett
<chandra.barnett@cognition.com> wrote:

Bah. Must be pgAdmin, then. In its role creation dialogue, INHERIT is definitely off by default. Guess that's not you guys, though. Sorry to have impugned your judgement... =)

Fixed in SVN. Sorry for the confusion.

--
Dave Page
EnterpriseDB UK: http://www.enterprisedb.com

← Back to Topics