patternsqlMinor
GRANT SELECT ON SEQUENCE succeeds, but to no effect?
Viewed 0 times
effectsucceedsbutgrantsequenceselect
Problem
I am trying to grant select access to sequences from one user/role to another. There are no errors when I run the command but once run, the second role is unable to view the sequences. I have run the exact same command on several other services/database instances which succeeded, this is only misbehaving one.
I have run both:
As per the recommendation here:
And as I mention above, this has been successful on other database schema on different machines. I have also tried individually:
and
This also has no effect. When logged in from
Similar results (or lack thereof) when running
I can see from the previous role that the sequence should be "grantable" (whatever that means, I can't find any documentation on it)
So I don't really know where to look at this point. The old role appears to have the ability to grant select to other roles, and doesn't error when attempting to run the comm
I have run both:
GRANT SELECT ON ALL SEQUENCES IN SCHEMA schema_name TO new_role;As per the recommendation here:
- https://stackoverflow.com/questions/7386321/grant-select-privilege-to-all-sequences-using-one-statement
And as I mention above, this has been successful on other database schema on different machines. I have also tried individually:
GRANT SELECT ON SEQUENCE some_id_sequence TO new_role;and
GRANT SELECT ON SEQUENCE public.some_id_sequence TO new_role;This also has no effect. When logged in from
new_role I see:select * from information_schema.role_usage_grants ;
...
(0 rows)Similar results (or lack thereof) when running
\ds.I can see from the previous role that the sequence should be "grantable" (whatever that means, I can't find any documentation on it)
live@live ~ => select * from information_schema.role_usage_grants limit 1;
┌──────────┬──────────┬────────────────┬───────────────┬──────────────┬─────────────┬────────────────┬──────────────┐
│ grantor │ grantee │ object_catalog │ object_schema │ object_name │ object_type │ privilege_type │ is_grantable │
├──────────┼──────────┼────────────────┼───────────────┼──────────────┼─────────────┼────────────────┼──────────────┤
│ old_role │ old_role │ old_role │ public │ some_id_seq │ SEQUENCE │ USAGE │ YES │
└──────────┴──────────┴────────────────┴───────────────┴──────────────┴─────────────┴────────────────┴──────────────┘
(1 row)So I don't really know where to look at this point. The old role appears to have the ability to grant select to other roles, and doesn't error when attempting to run the comm
Solution
GRANT'ing SELECT (or USAGE) on the sequence is not sufficient if it's contained in a schema for which the user has no permission. I believe that's the case because your schema named
as opposed to the lack of access privileges shown in the question.
This is also consistent with the fact that the same commands work in you other instances: presumably the schema public of these other databases is the original, not a dropped/recreated-differently version or with its permissions removed.
As possible solutions, consider doing, as the owner of the schema:
or the more limited
or the even more limited
public is not public. If it was, it would have permissions that would look like that:test=> \dn+
List of schemas
Name | Owner | Access privileges | Description
--------+----------+----------------------+------------------------
public | postgres | postgres=UC/postgres+| standard public schema
| | =UC/postgres |as opposed to the lack of access privileges shown in the question.
This is also consistent with the fact that the same commands work in you other instances: presumably the schema public of these other databases is the original, not a dropped/recreated-differently version or with its permissions removed.
As possible solutions, consider doing, as the owner of the schema:
GRANT ALL ON SCHEMA public TO public;or the more limited
GRANT ALL ON SCHEMA public TO new_role;or the even more limited
GRANT USAGE ON SCHEMA public TO new_role;Code Snippets
test=> \dn+
List of schemas
Name | Owner | Access privileges | Description
--------+----------+----------------------+------------------------
public | postgres | postgres=UC/postgres+| standard public schema
| | =UC/postgres |GRANT ALL ON SCHEMA public TO public;GRANT ALL ON SCHEMA public TO new_role;GRANT USAGE ON SCHEMA public TO new_role;Context
StackExchange Database Administrators Q#227659, answer score: 4
Revisions (0)
No revisions yet.