dangling permission on tables after drop user.
I have a database which started on Pg 7.1, moved to 7.2 via
pg_dump/restore, and ultimately to Pg 7.4 likewise.
While it was in 7.2, I added one user and granted access to various
tables. After the 7.4 migration, that user was no longer needed, so
was removed via "dropuser" command line tool.
Now, when I pg_dump that db using the version 7.4.5 tools, I cannot
restore because there are still grants in there for this phantom user:
REVOKE ALL ON TABLE partners FROM PUBLIC;
GRANT INSERT,SELECT,UPDATE,DELETE ON TABLE partners TO www;
GRANT ALL ON TABLE partners TO "102";
there is no user with ID 102 in the pg_user view. pg_restore complains
about the missing user "102". And no, the user was not "102" it was
the name of a (former) employee.
My questions are:
1) did I do something wrong in dropping that user?
2) how do I fix this in my system tables?
The gross hack is to pg_restore to an ascii file and delete those GRANT
lines, but the compressed dump is over 2Gb for this database.
Vivek Khera, Ph.D.
+1-301-869-4449 x806
Vivek Khera wrote:
there is no user with ID 102 in the pg_user view. pg_restore complains
about the missing user "102". And no, the user was not "102" it was the
name of a (former) employee.
The gross hack is to pg_restore to an ascii file and delete those GRANT
lines, but the compressed dump is over 2Gb for this database.
Am I missing something Vivek, or should the gross hack be "creating a
user with id=102" ?
--
Richard Huxton
Archonet Ltd
On Sep 29, 2004, at 4:55 PM, Richard Huxton wrote:
Vivek Khera wrote:
there is no user with ID 102 in the pg_user view. pg_restore
complains about the missing user "102". And no, the user was not
"102" it was the name of a (former) employee.The gross hack is to pg_restore to an ascii file and delete those
GRANT lines, but the compressed dump is over 2Gb for this database.Am I missing something Vivek, or should the gross hack be "creating a
user with id=102" ?
And how exactly does one accomplish this? pg_users is a view so you
can't insert into it.
Vivek Khera, Ph.D.
+1-301-869-4449 x806
On Wed, Sep 29, 2004 at 05:07:38PM -0400, Vivek Khera wrote:
On Sep 29, 2004, at 4:55 PM, Richard Huxton wrote:
Vivek Khera wrote:
there is no user with ID 102 in the pg_user view. pg_restore
complains about the missing user "102". And no, the user was not
"102" it was the name of a (former) employee.The gross hack is to pg_restore to an ascii file and delete those
GRANT lines, but the compressed dump is over 2Gb for this database.Am I missing something Vivek, or should the gross hack be "creating a
user with id=102" ?And how exactly does one accomplish this? pg_users is a view so you
can't insert into it.
CREATE USER ... WITH SYSID 102;
--
Alvaro Herrera (<alvherre[a]dcc.uchile.cl>)
Dios hizo a Ad�n, pero fue Eva quien lo hizo hombre.
Vivek Khera <khera@kcilink.com> writes:
On Sep 29, 2004, at 4:55 PM, Richard Huxton wrote:
Am I missing something Vivek, or should the gross hack be "creating a
user with id=102" ?
And how exactly does one accomplish this?
CREATE USER.
regards, tom lane
On Sep 29, 2004, at 5:35 PM, Alvaro Herrera wrote:
Am I missing something Vivek, or should the gross hack be "creating a
user with id=102" ?And how exactly does one accomplish this? pg_users is a view so you
can't insert into it.CREATE USER ... WITH SYSID 102;
Ok. I did that. So now how do I get rid of that user and all the
grants? DROP USER ends up with the dangling GRANTs still hanging
about.
Is there no way to drop a user and have the necessary grants disappear?
How does one drop a user cleanly?
Vivek Khera, Ph.D.
+1-301-869-4449 x806
Attachments:
On Thu, Sep 30, 2004 at 09:32:30AM -0400, Vivek Khera wrote:
On Sep 29, 2004, at 5:35 PM, Alvaro Herrera wrote:
Am I missing something Vivek, or should the gross hack be "creating a
user with id=102" ?And how exactly does one accomplish this? pg_users is a view so you
can't insert into it.CREATE USER ... WITH SYSID 102;
Ok. I did that. So now how do I get rid of that user and all the
grants? DROP USER ends up with the dangling GRANTs still hanging
about.Is there no way to drop a user and have the necessary grants disappear?
How does one drop a user cleanly?
I'm afraid you'll have to ALTER TABLE (or whatever) for each of these ...
I don't think there is a command that would help you do that
automatically. You can cheat by looking at system catalogs for the
acl column (e.g. pg_class.relacl) and using that in a function.
--
Alvaro Herrera (<alvherre[a]dcc.uchile.cl>)
"El sentido de las cosas no viene de las cosas, sino de
las inteligencias que las aplican a sus problemas diarios
en busca del progreso." (Ernesto Hern�ndez-Novich)
On Thu, Sep 30, 2004 at 10:03:29AM -0400, Alvaro Herrera wrote:
I'm afraid you'll have to ALTER TABLE (or whatever) for each of these ...
I don't think there is a command that would help you do that
automatically. You can cheat by looking at system catalogs for the
acl column (e.g. pg_class.relacl) and using that in a function.
Andrew Hammond is about to (has?) post some helper code he has for
managing ACLs more easily.
A
--
Andrew Sullivan | ajs@crankycanuck.ca
I remember when computers were frustrating because they *did* exactly what
you told them to. That actually seems sort of quaint now.
--J.D. Baldwin