Participants
ROS Didier
ROS Didier
Tom Lane
Tom Lane
Attachments

No attachments in this thread

Thread Outline
#1ROS DidierROS Didier
Dec 20, 2019
#2Tom LaneTom Laneto ROS Didier (#1)
Dec 20, 2019
#3ROS DidierROS Didierto Tom Lane (#2)
Dec 27, 2019

problem with read-only user

Started by ROS Didierabout 6 years ago3 messages
#1ROS Didier
ROS Didier
didier.ros@edf.fr

Hi
I created a read-only role as follows:
psql -p 5434 kidsdpn03
CREATE ROLE kidsdpn03_ro PASSWORD 'xxx';
ALTER ROLE kidsdpn03_ro WITH LOGIN;
GRANT CONNECT ON DATABASE kidsdpn03 TO kidsdpn03_ro;
GRANT USAGE ON SCHEMA kidsdpn03 TO kidsdpn03_ro;
GRANT SELECT ON ALL TABLES IN SCHEMA kidsdpn03 TO kidsdpn03_ro;
GRANT SELECT ON ALL SEQUENCES IN SCHEMA kidsdpn03 TO kidsdpn03_ro;
ALTER DEFAULT PRIVILEGES IN SCHEMA kidsdpn03 GRANT SELECT ON TABLES TO kidsdpn03_ro;
ALTER ROLE kidsdpn03_ro SET search_path TO kidsdpn03;

but when i create new tables, i don't have read access to those new tables.
Anybody can help to solve this problem ?
Thank you in advance

Didier ROS
didier.ros@edf.fr

#2Tom Lane
Tom Lane
tgl@sss.pgh.pa.us
In reply to: ROS Didier (#1)
Re: problem with read-only user

ROS Didier <didier.ros@edf.fr> writes:

I created a read-only role as follows:
psql -p 5434 kidsdpn03
CREATE ROLE kidsdpn03_ro PASSWORD 'xxx';
ALTER ROLE kidsdpn03_ro WITH LOGIN;
GRANT CONNECT ON DATABASE kidsdpn03 TO kidsdpn03_ro;
GRANT USAGE ON SCHEMA kidsdpn03 TO kidsdpn03_ro;
GRANT SELECT ON ALL TABLES IN SCHEMA kidsdpn03 TO kidsdpn03_ro;
GRANT SELECT ON ALL SEQUENCES IN SCHEMA kidsdpn03 TO kidsdpn03_ro;
ALTER DEFAULT PRIVILEGES IN SCHEMA kidsdpn03 GRANT SELECT ON TABLES TO kidsdpn03_ro;
ALTER ROLE kidsdpn03_ro SET search_path TO kidsdpn03;

but when i create new tables, i don't have read access to those new tables.

You only showed us part of what you did ... but IIRC,
ALTER DEFAULT PRIVILEGES only affects privileges for objects
subsequently made by the same user that issued the command.
(Otherwise it'd be a security issue.) So maybe you didn't
make the tables as the same user?

regards, tom lane

#3ROS Didier
ROS Didier
didier.ros@edf.fr
In reply to: Tom Lane (#2)
RE: problem with read-only user

Hi Tom
Thanks for your answer.
Actually, you're right, the tables, the sequences are created by the user kidsdpn03 and another read-only role (kidsdpn03_ro) must interrogate these objects.
So every time the kidsdpn03 role creates a new table, the kidsdpn03_ro role will not have the rights to read them. Kidsdpn03_ro must be explicitly granted read rights on this objects.
Can you confirm that if it was the kidsdpn03_ro role that created the tables, there would be no problem when accessing new tables?
Thanks in advance.

Didier ROS
didier.ros@edf.fr
Tél. : +33 6 49 51 11 88

-----Message d'origine-----
De : tgl@sss.pgh.pa.us [mailto:tgl@sss.pgh.pa.us]
Envoyé : vendredi 20 décembre 2019 15:05
À : ROS Didier <didier.ros@edf.fr>
Cc : pgsql-hackers@postgresql.org; pgsql-sql@postgresql.org
Objet : Re: problem with read-only user

ROS Didier <didier.ros@edf.fr> writes:

I created a read-only role as follows:
psql -p 5434 kidsdpn03
CREATE ROLE kidsdpn03_ro PASSWORD 'xxx'; ALTER ROLE kidsdpn03_ro WITH
LOGIN; GRANT CONNECT ON DATABASE kidsdpn03 TO kidsdpn03_ro; GRANT
USAGE ON SCHEMA kidsdpn03 TO kidsdpn03_ro; GRANT SELECT ON ALL TABLES
IN SCHEMA kidsdpn03 TO kidsdpn03_ro; GRANT SELECT ON ALL SEQUENCES IN
SCHEMA kidsdpn03 TO kidsdpn03_ro; ALTER DEFAULT PRIVILEGES IN SCHEMA
kidsdpn03 GRANT SELECT ON TABLES TO kidsdpn03_ro; ALTER ROLE
kidsdpn03_ro SET search_path TO kidsdpn03;

but when i create new tables, i don't have read access to those new tables.

You only showed us part of what you did ... but IIRC, ALTER DEFAULT PRIVILEGES only affects privileges for objects subsequently made by the same user that issued the command.
(Otherwise it'd be a security issue.) So maybe you didn't make the tables as the same user?

regards, tom lane

Ce message et toutes les pièces jointes (ci-après le 'Message') sont établis à l'intention exclusive des destinataires et les informations qui y figurent sont strictement confidentielles. Toute utilisation de ce Message non conforme à sa destination, toute diffusion ou toute publication totale ou partielle, est interdite sauf autorisation expresse.

Si vous n'êtes pas le destinataire de ce Message, il vous est interdit de le copier, de le faire suivre, de le divulguer ou d'en utiliser tout ou partie. Si vous avez reçu ce Message par erreur, merci de le supprimer de votre système, ainsi que toutes ses copies, et de n'en garder aucune trace sur quelque support que ce soit. Nous vous remercions également d'en avertir immédiatement l'expéditeur par retour du message.

Il est impossible de garantir que les communications par messagerie électronique arrivent en temps utile, sont sécurisées ou dénuées de toute erreur ou virus.
____________________________________________________

This message and any attachments (the 'Message') are intended solely for the addressees. The information contained in this Message is confidential. Any use of information contained in this Message not in accord with its purpose, any dissemination or disclosure, either whole or partial, is prohibited except formal approval.

If you are not the addressee, you may not copy, forward, disclose or use any part of it. If you have received this message in error, please delete it and all copies from your system and notify the sender immediately by return message.

E-mail communication cannot be guaranteed to be timely secure, error or virus-free.

← Back to Topics