Postgres roles and users - permission denied for table
From the documentation of ALTER DEFAULT PRIVILEGES
:
You can change default privileges only for objects that will be created by yourself or by roles that you are a member of. The privileges can be set globally (i.e., for all objects created in the current database), or just for objects created in specified schemas. Default privileges that are specified per-schema are added to whatever the global default privileges are for the particular object type.
Therefore the effect of running ALTER DEFAULT PRIVILEGES
as master
doesn't affect the default privileges of tables created by app_user1
.
To fix that you must execute the
ALTER DEFAULT PRIVILEGES IN SCHEMA myschema GRANT SELECT ON TABLES TO readonly;
as app_user1
too.
Related videos on Youtube
Domajno
Updated on June 04, 2022Comments
-
Domajno almost 2 years
I configured Postgres 11.2 database running on RDS following the instructions in https://aws.amazon.com/blogs/database/managing-postgresql-users-and-roles/
- I logged in as the master user created during RDS creation
- Executed
CREATE SCHEMA myschema;
- Executed script from the link above
-- Revoke privileges from 'public' role REVOKE CREATE ON SCHEMA public FROM PUBLIC; REVOKE ALL ON DATABASE mydatabase FROM PUBLIC; -- Read-only role CREATE ROLE readonly; GRANT CONNECT ON DATABASE mydatabase TO readonly; GRANT USAGE ON SCHEMA myschema TO readonly; GRANT SELECT ON ALL TABLES IN SCHEMA myschema TO readonly; ALTER DEFAULT PRIVILEGES IN SCHEMA myschema GRANT SELECT ON TABLES TO readonly; -- Read/write role CREATE ROLE readwrite; GRANT CONNECT ON DATABASE mydatabase TO readwrite; GRANT USAGE, CREATE ON SCHEMA myschema TO readwrite; GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA myschema TO readwrite; ALTER DEFAULT PRIVILEGES IN SCHEMA myschema GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO readwrite; GRANT USAGE ON ALL SEQUENCES IN SCHEMA myschema TO readwrite; ALTER DEFAULT PRIVILEGES IN SCHEMA myschema GRANT USAGE ON SEQUENCES TO readwrite; -- Users creation CREATE USER reporting_user1 WITH PASSWORD 'some_secret_passwd'; CREATE USER reporting_user2 WITH PASSWORD 'some_secret_passwd'; CREATE USER app_user1 WITH PASSWORD 'some_secret_passwd'; CREATE USER app_user2 WITH PASSWORD 'some_secret_passwd'; -- Grant privileges to users GRANT readonly TO reporting_user1; GRANT readonly TO reporting_user2; GRANT readwrite TO app_user1; GRANT readwrite TO app_user2;
After that I connected in as
app_user1
and created a new table and added one row to it. Then, I connected using reporting_user1 and tried toSELECT * FROM
that new table but saw following message on the console:ERROR: permission denied for table first_table SQL state: 42501
What am I missing in my configuration? I expect the reporting_user1 to have read access to all tables created by the app_user1 in myschema.
-
Domajno over 4 yearsAd the cited AWS article explains following statement should take care of that
ALTER DEFAULT PRIVILEGES IN SCHEMA myschema GRANT SELECT ON TABLES TO readonly;
-
Juned Ahsan over 4 yearsDoes it work on the existing table? If yes then something is wrong for the new entities, thats what my answer is addressing
-
Domajno over 4 yearsI did not have any existing objects (entities) so I do not know. Granting explicit permission to the new table results in an error. This is executed as the master user of the DB.
GRANT SELECT ON myschema.first_table TO reporting_user1;
ERROR: permission denied for table first_table
. -
Juned Ahsan over 4 yearstry to grant to the role instead i.e. readonly. Rerunning this should help GRANT SELECT ON ALL TABLES IN SCHEMA myschema TO readonly;
-
Domajno over 4 yearsSame
ERROR: permission denied for table first_table
-
Juned Ahsan over 4 yearsare u using the same user to GRANT permissions as you used when you intiially setup ?
-
Domajno over 4 yearsYes, initial master user created when RDS instance is created.
-
Domajno over 4 yearsIf I did not do it
app_user2
should still be able to read tables because it hasreadwrite
role, right? -
Leon over 4 yearsNo, because - unless
app_user1
executedSET ROLE readwrite
before creating the table - the owner of the table isapp_user1
and the fact thatapp_user1
andapp_user2
can assume the same rolereadwrite
doesn't enableapp_user2
to peek intoapp_user1
's personal tables.