Participants
Susan Hurst
Susan Hurst
David G. Johnston
David G. Johnston
Adrian Klaver
Adrian Klaver
Attachments
Show all attachments
Thread Outline
#1Susan HurstSusan Hurst
May 16, 2019
#2...#3
David G. JohnstonSusan Hurst
to Susan Hurst (#1)
May 16, 2019
#2David G. JohnstonDavid G. Johnstonto Susan Hurst (#1)
May 16, 2019
#3Susan HurstSusan Hurstto David G. Johnston (#2)
May 16, 2019
#4Adrian KlaverAdrian Klaverto Susan Hurst (#1)
May 16, 2019

Permissions for information_schema

Started by Susan Hurstalmost 7 years ago4 messagesgeneral
Jump to latest
#1Susan Hurst
Susan Hurst
susan.hurst@brookhurstdata.com

What are the correct permissions to give to a role so that all objects
in the information_schema (and pg_catalog) are visible to a user?
Permissions seem to make a difference but I don't know which adjustments
to make without causing unintended consequences. We revoked select on
all tables and functions from public, if that makes a difference. We
don't use the public schema but it appears that postgres does.

Should I be looking at something other than permissions to make
information_schema more visible? We are particularly interested in
using the comments on everything to create views of our database
structures that we can use for our team's training documentation. Of
course, the comments/descriptions can't be selected in isolation so we
need full visibility.

Below are samples of select statements with outputs that disagree based
upon the database and presumably, the permissions.

Thanks for your help!

Sue

Production db logged in as admin:

CREATE ROLE admin LOGIN
NOSUPERUSER INHERIT NOCREATEDB NOCREATEROLE NOREPLICATION;
GRANT read TO admin;
GRANT write TO admin;

select * from information_schema.table_constraints; -- 206 rows
select * from information_schema.constraint_column_usage; -- 0 rows

sandbox db logged in as postgres:

CREATE ROLE postgres LOGIN
ENCRYPTED PASSWORD 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
SUPERUSER INHERIT CREATEDB CREATEROLE REPLICATION;
select * from information_schema.table_constraints; -- 621 rows
select * from information_schema.constraint_column_usage; -- 127 rows

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Susan E Hurst
Principal Consultant
Brookhurst Data LLC
Email: susan.hurst@brookhurstdata.com
Mobile: 314-486-3261

#2David G. Johnston
David G. Johnston
david.g.johnston@gmail.com
In reply to: Susan Hurst (#1)
Re: Permissions for information_schema

On Thu, May 16, 2019 at 9:50 AM Susan Hurst <susan.hurst@brookhurstdata.com>
wrote:

What are the correct permissions to give to a role so that all objects
in the information_schema (and pg_catalog) are visible to a user?

Have you determined that using the underlying pg_catalog schema is not
viable.

David J.

#3Susan Hurst
Susan Hurst
susan.hurst@brookhurstdata.com
In reply to: David G. Johnston (#2)
Re: Permissions for information_schema

The objects are granted SELECT to PUBLIC.

---
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Susan E Hurst
Principal Consultant
Brookhurst Data LLC
Email: susan.hurst@brookhurstdata.com
Mobile: 314-486-3261

On 2019-05-16 11:53, David G. Johnston wrote:

Show quoted text

On Thu, May 16, 2019 at 9:50 AM Susan Hurst <susan.hurst@brookhurstdata.com> wrote:

What are the correct permissions to give to a role so that all objects
in the information_schema (and pg_catalog) are visible to a user?

Have you determined that using the underlying pg_catalog schema is not viable.

David J.

#4Adrian Klaver
Adrian Klaver
adrian.klaver@aklaver.com
In reply to: Susan Hurst (#1)
Re: Permissions for information_schema

On 5/16/19 9:50 AM, Susan Hurst wrote:

What are the correct permissions to give to a role so that all objects
in the information_schema (and pg_catalog) are visible to a user?

As example:
https://www.postgresql.org/docs/11/infoschema-tables.html

"... Only those tables and views are shown that the current user has
access to (by way of being the owner or having some privilege)."

If you do:

\d+ information_schema.tables

at the end of the view definition you will see:

... AND (pg_has_role(c.relowner, 'USAGE'::text) OR
has_table_privilege(c.oid, 'SELECT, INSERT, UPDATE, DELETE, TRUNCATE,
REFERENCES, TRIGGER'::text) OR has_any_column_privilege(c.oid, 'SELECT,
INSERT, UPDATE, REFERENCES'::text));

So the permissions check is baked into the view definition. That means
the role doing the query has to meet the above criteria. Either you have
to create a role that creates all objects and then let that role use the
information_schema(or grant it to other roles) or you need to use a
superuser role.

Permissions seem to make a difference but I don't know which adjustments
to make without causing unintended consequences. We revoked select on
all tables and functions from public, if that makes a difference.  We
don't use the public schema but it appears that postgres does.

Should I be looking at something other than permissions to make
information_schema more visible?  We are particularly interested in
using the comments on everything to create views of our database
structures that we can use for our team's training documentation.  Of
course, the comments/descriptions can't be selected in isolation so we
need full visibility.

Below are samples of select statements with outputs that disagree based
upon the database and presumably, the permissions.

Thanks for your help!

Sue

Production db logged in as admin:

CREATE ROLE admin LOGIN
  NOSUPERUSER INHERIT NOCREATEDB NOCREATEROLE NOREPLICATION;
GRANT read TO admin;
GRANT write TO admin;

select * from information_schema.table_constraints;         -- 206 rows
select * from information_schema.constraint_column_usage;   -- 0 rows

sandbox db logged in as postgres:

CREATE ROLE postgres LOGIN
  ENCRYPTED PASSWORD 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
  SUPERUSER INHERIT CREATEDB CREATEROLE REPLICATION;
select * from information_schema.table_constraints;        -- 621 rows
select * from information_schema.constraint_column_usage;  -- 127 rows

--
Adrian Klaver
adrian.klaver@aklaver.com

← Back to Topics