HiveBrain v1.2.0
Get Started
← Back to all entries
patternsqlMinor

GRANT SELECT ON SEQUENCE succeeds, but to no effect?

Submitted by: @import:stackexchange-dba··
0
Viewed 0 times
effectsucceedsbutgrantsequenceselect

Problem

I am trying to grant select access to sequences from one user/role to another. There are no errors when I run the command but once run, the second role is unable to view the sequences. I have run the exact same command on several other services/database instances which succeeded, this is only misbehaving one.

I have run both:

GRANT SELECT ON ALL SEQUENCES IN SCHEMA schema_name TO new_role;


As per the recommendation here:

  • https://stackoverflow.com/questions/7386321/grant-select-privilege-to-all-sequences-using-one-statement



And as I mention above, this has been successful on other database schema on different machines. I have also tried individually:

GRANT SELECT ON SEQUENCE some_id_sequence TO new_role;


and

GRANT SELECT ON SEQUENCE public.some_id_sequence TO new_role;


This also has no effect. When logged in from new_role I see:

select * from information_schema.role_usage_grants ; 
...
(0 rows)


Similar results (or lack thereof) when running \ds.

I can see from the previous role that the sequence should be "grantable" (whatever that means, I can't find any documentation on it)

live@live ~ => select * from information_schema.role_usage_grants limit 1;
┌──────────┬──────────┬────────────────┬───────────────┬──────────────┬─────────────┬────────────────┬──────────────┐
│ grantor  │ grantee  │ object_catalog │ object_schema │  object_name │ object_type │ privilege_type │ is_grantable │
├──────────┼──────────┼────────────────┼───────────────┼──────────────┼─────────────┼────────────────┼──────────────┤
│ old_role │ old_role │ old_role       │ public        │ some_id_seq  │ SEQUENCE    │ USAGE          │ YES          │
└──────────┴──────────┴────────────────┴───────────────┴──────────────┴─────────────┴────────────────┴──────────────┘
(1 row)


So I don't really know where to look at this point. The old role appears to have the ability to grant select to other roles, and doesn't error when attempting to run the comm

Solution

GRANT'ing SELECT (or USAGE) on the sequence is not sufficient if it's contained in a schema for which the user has no permission. I believe that's the case because your schema named public is not public. If it was, it would have permissions that would look like that:

test=> \dn+
                          List of schemas
  Name  |  Owner   |  Access privileges   |      Description       
--------+----------+----------------------+------------------------
 public | postgres | postgres=UC/postgres+| standard public schema
        |          | =UC/postgres         |


as opposed to the lack of access privileges shown in the question.
This is also consistent with the fact that the same commands work in you other instances: presumably the schema public of these other databases is the original, not a dropped/recreated-differently version or with its permissions removed.

As possible solutions, consider doing, as the owner of the schema:

GRANT ALL ON SCHEMA public TO public;


or the more limited

GRANT ALL ON SCHEMA public TO new_role;


or the even more limited

GRANT USAGE ON SCHEMA public TO new_role;

Code Snippets

test=> \dn+
                          List of schemas
  Name  |  Owner   |  Access privileges   |      Description       
--------+----------+----------------------+------------------------
 public | postgres | postgres=UC/postgres+| standard public schema
        |          | =UC/postgres         |
GRANT ALL ON SCHEMA public TO public;
GRANT ALL ON SCHEMA public TO new_role;
GRANT USAGE ON SCHEMA public TO new_role;

Context

StackExchange Database Administrators Q#227659, answer score: 4

Revisions (0)

No revisions yet.