patternsqlMajor
Grant access to all tables of a database
Viewed 0 times
tablesallgrantdatabaseaccess
Problem
I recently wanted to share regular access rights with one user of a server and I realized that a simple
I would like to grant rights to all tables from a given database to a specified user, but I am not sure if it is the best idea to grant him access to whole schema
CREATE USER and GRANT ALL ON DATABASE commands didn't let him run a simple SELECT on the data.I would like to grant rights to all tables from a given database to a specified user, but I am not sure if it is the best idea to grant him access to whole schema
public as I don't know if it would allow some kind of privilege escalation. Is there any other way?Solution
Postgres 14
... adds the predefined role
The manual:
Read all data (tables, views, sequences), as if having
on those objects, and
having it explicitly. This role does not have the role attribute
set
For older versions
The privilege on
To grant read access to all tables, you also need privileges on all schemas and tables:
You may also want to set default privileges for future schemas and tables. Run for every role that creates objects in your db
But you really need to understand the whole concept first.
And it's almost always better to bundle privileges in group roles and then grant/revoke the group role to/from user roles. Related:
... adds the predefined role
pg_read_all_data to make this simple:GRANT pg_read_all_data TO myuser;The manual:
pg_read_all_dataRead all data (tables, views, sequences), as if having
SELECT rightson those objects, and
USAGE rights on all schemas, even withouthaving it explicitly. This role does not have the role attribute
BYPASSRLS set. If RLS is being used, an administrator may wish toset
BYPASSRLS on roles which this role is GRANTed to.For older versions
The privilege on
DATABASE only grants general connection rights to the database and no more. A user with just that privilege can only see what the general public is allowed to see.To grant read access to all tables, you also need privileges on all schemas and tables:
GRANT USAGE ON SCHEMA public TO myuser; -- more schemas?
GRANT SELECT ON ALL TABLES IN SCHEMA public TO myuser;You may also want to set default privileges for future schemas and tables. Run for every role that creates objects in your db
ALTER DEFAULT PRIVILEGES FOR ROLE mycreating_user IN SCHEMA public
GRANT SELECT ON TABLES TO myuser;But you really need to understand the whole concept first.
And it's almost always better to bundle privileges in group roles and then grant/revoke the group role to/from user roles. Related:
- Why can a new user select from any table?
- How to grant all privileges on views to arbitrary user
- Grant privileges for a particular database in PostgreSQL
- How to manage DEFAULT PRIVILEGES for USERs on a DATABASE vs SCHEMA?
Code Snippets
GRANT pg_read_all_data TO myuser;GRANT USAGE ON SCHEMA public TO myuser; -- more schemas?
GRANT SELECT ON ALL TABLES IN SCHEMA public TO myuser;ALTER DEFAULT PRIVILEGES FOR ROLE mycreating_user IN SCHEMA public
GRANT SELECT ON TABLES TO myuser;Context
StackExchange Database Administrators Q#91953, answer score: 30
Revisions (0)
No revisions yet.