patternsqlCritical
Granting access to all tables for a user
Viewed 0 times
tablesallusergrantingforaccess
Problem
I'm new to Postgres and trying to migrate our MySQL databases over. In MySQL I can grant
How is this best accomplished?
SELECT, UPDATE, INSERT, and DELETE privileges on a low privileged user and enable those grants to apply to all tables in a specified database. I must be missing something in Postgres because it looks like I have to grant those privileges for each table one at a time. With many databases and hundreds of tables per database that seems like a daunting task just to get off the ground. In addition, once a database is in operation, adding tables happens frequently enough that I wouldn't want to have to grant permissions each time unless absolutely necessary.How is this best accomplished?
Solution
First, you have to be able to connect to the database in order to run queries. This can be achieved by
The
The key word PUBLIC indicates that the privileges are to be granted to
all roles, including those that might be created later. PUBLIC can be
thought of as an implicitly defined group that always includes all
roles. Any particular role will have the sum of privileges granted
directly to it, privileges granted to any role it is presently a
member of, and privileges granted to PUBLIC.
If you really want to restrict your user to DML statements, then you have a little more to do:
These assume that you will have only one schema (which is named 'public' by default).
As Jack Douglas pointed out, the above only gives the privileges for the already existing tables. To achieve the same for future tables, you have to define default privileges:
Here,
And, finally, you have to do the same for the sequences (thanks to PlaidFan for pointing it out) - here it is the
REVOKE CONNECT ON DATABASE your_database FROM PUBLIC;
GRANT CONNECT
ON DATABASE database_name
TO user_name;The
REVOKE is necessary becauseThe key word PUBLIC indicates that the privileges are to be granted to
all roles, including those that might be created later. PUBLIC can be
thought of as an implicitly defined group that always includes all
roles. Any particular role will have the sum of privileges granted
directly to it, privileges granted to any role it is presently a
member of, and privileges granted to PUBLIC.
If you really want to restrict your user to DML statements, then you have a little more to do:
REVOKE ALL
ON ALL TABLES IN SCHEMA public
FROM PUBLIC;
GRANT SELECT, INSERT, UPDATE, DELETE
ON ALL TABLES IN SCHEMA public
TO user_name;These assume that you will have only one schema (which is named 'public' by default).
As Jack Douglas pointed out, the above only gives the privileges for the already existing tables. To achieve the same for future tables, you have to define default privileges:
ALTER DEFAULT PRIVILEGES
FOR ROLE some_role -- Alternatively "FOR USER"
IN SCHEMA public
GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO user_name;Here,
some_role is a role that creates the tables, while user_name is the one who gets the privileges. Defining this, you have to be logged in as some_role or a member of it.And, finally, you have to do the same for the sequences (thanks to PlaidFan for pointing it out) - here it is the
USAGE privilege that you need.Code Snippets
REVOKE CONNECT ON DATABASE your_database FROM PUBLIC;
GRANT CONNECT
ON DATABASE database_name
TO user_name;REVOKE ALL
ON ALL TABLES IN SCHEMA public
FROM PUBLIC;
GRANT SELECT, INSERT, UPDATE, DELETE
ON ALL TABLES IN SCHEMA public
TO user_name;ALTER DEFAULT PRIVILEGES
FOR ROLE some_role -- Alternatively "FOR USER"
IN SCHEMA public
GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO user_name;Context
StackExchange Database Administrators Q#33943, answer score: 228
Revisions (0)
No revisions yet.