Postgres user creation and restrict DDL & database access
How do you create a Postgres user? The user should not have any DDL execution permission on the postgres database,
and should not be able to connect to other databases, so connectivity to the other databases needs to be restricted.
How do you achieve this?
Note: The database name is nijam; the user and schema names should also be nijam.
Connect to the database where you want to create the schema:
\c nijam
Creating a separate schema for the nijam user:
create schema nijam;
Creating the Postgres user:
CREATE ROLE nijam WITH LOGIN PASSWORD 'Nijam@$%&123';
Grant connect on the database and usage on the schema:
GRANT CONNECT ON DATABASE nijam TO nijam;
GRANT USAGE ON schema nijam TO nijam;
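Now you cannot create any objects in non-default databases, but you can create objects in the default schema (public) of the default databases (postgres, template1). The role has only USAGE on schema nijam, not CREATE, which is why CREATE TABLE fails there.
Non-default database:
=====================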
nijam=> \dn
List of schemas
Name | Owner
--------+---------
nijam | pginsta
public | pginsta
(2 rows)
Default schema of non default database:
nijam=> show search_path;
search_path
-----------------
"$user", public
(1 row)
nijam=> create table t1(id int);
ERROR: permission denied for schema nijam
LINE 1: create table t1(id int);
^
Non default schema of non default database:
pginsta=> \c nijam
You are now connected to database "nijam" as user "nijam".
nijam=> set search_path=nijam;
SET
nijam=> create table t(id int);
ERROR: permission denied for schema nijam
LINE 1: create table t(id int);
Default Database :
============
$ psql -U nijam -d postgres
psql (10.5)
Type "help" for help.
postgres=> create schema schema1;
ERROR: permission denied for database postgres
postgres=>
Default schema of Default database:
postgres=> show search_Path;
search_path
-----------------
"$user", public
(1 row)
postgres=> create table t1(id int);
CREATE TABLE
postgres=> drop table t1;
DROP TABLE
As superuser, create a schema (schema1) in the default database:
nijam@2ndquadrant.in:/nijam> psql -d postgres
psql (10.5)
Type "help" for help.
postgres=# create schema schema1;
CREATE SCHEMA
postgres=#
postgres=> \dn
List of schemas
Name | Owner
---------+---------
public | pginsta
schema1 | pginsta
(2 rows)
Non default schema of default database:
nijam@2ndquadrant.in:/nijam> psql -U nijam -d postgres
psql (10.5)
Type "help" for help.
postgres=> set search_path=schema1;
SET
postgres=> show search_path;
search_path
-------------
schema1
(1 row)
postgres=> create table t1(id int);
ERROR: no schema has been selected to create in
LINE 1: create table t1(id int);
FOR POSTGRES DB RESTRICTION :
==========================
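pg_hba.conf gives much more control here. If there is no entry granting access to a specific database, the user will not be able to connect to it. So we might grant access to the postgres_db database but not to the postgres database by adding this line to pg_hba.conf. Entries are matched top to bottom and the first match is used, so no earlier line may already admit this user to other databases, and the change takes effect only after the server configuration is reloaded: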
host postgres_db nijam 192.168.1.5/32 md5
nijam@2ndquadrant.in~$ psql -h 192.168.1.5 -p 5444 -U nijam -d postgres_db
Password for user nijam:
psql (9.3.10, server 9.4.5.12)
WARNING: psql major version 9.3, server major version 9.4.
Some psql features might not work.
Type "help" for help.
postgres_db=>
But we are not able to connect to any other database:
nijam@2ndquadrant.in~$ psql -h 192.168.1.5 -p 5444 -U nijam -d postgres
psql: FATAL: no pg_hba.conf entry for host "192.168.22.1", user "nijam", database "postgres", SSL off
nijam@2ndquadrant.in~$ psql -h 192.168.22.22 -p 5444 -U nijam -d template1
psql: FATAL: no pg_hba.conf entry for host "192.168.22.1", user "nijam", database "template1", SSL off
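The statements below are an added example, not part of the original post: run in psql as a superuser, they remove the default PUBLIC grants that let nijam create tables in the public schema of postgres and connect to databases it was never granted, then check the result with has_database_privilege and has_schema_privilege. The role and database names are the page's; the public-schema behaviour described in the comments applies to PostgreSQL versions before 15, such as the 10.5 server shown above.

```sql
-- Added example (not from the original post). Run in psql as a superuser.
-- Names nijam, postgres and template1 are taken from the page.

-- 1. Before PostgreSQL 15 the public schema grants CREATE to the PUBLIC
--    pseudo-role, so every login role can create tables in it.
--    Repeat this REVOKE in every database the role can reach.
\c postgres
REVOKE CREATE ON SCHEMA public FROM PUBLIC;

-- 2. Every database grants CONNECT and TEMPORARY to PUBLIC by default.
--    After revoking them, only explicit grants such as
--    GRANT CONNECT ON DATABASE nijam TO nijam allow a session.
--    Superusers bypass these checks and are not locked out.
REVOKE CONNECT, TEMPORARY ON DATABASE postgres  FROM PUBLIC;
REVOKE CONNECT, TEMPORARY ON DATABASE template1 FROM PUBLIC;

-- 3. New databases are copied from template1, including the ACL on its
--    public schema, so fix the template as well.
\c template1
REVOKE CREATE ON SCHEMA public FROM PUBLIC;

-- 4. Verify the effective database-level privileges of the role.
--    can_connect should be true only for databases granted explicitly.
SELECT d.datname,
       has_database_privilege('nijam', d.datname, 'CONNECT')   AS can_connect,
       has_database_privilege('nijam', d.datname, 'CREATE')    AS can_create_schema,
       has_database_privilege('nijam', d.datname, 'TEMPORARY') AS can_temp
FROM pg_database d
WHERE d.datallowconn
ORDER BY d.datname;

-- 5. Per-schema check; schema privileges are local to a database, so run
--    this inside each one. Any row with can_create = t is a schema in
--    which the role can still run DDL.
\c nijam
SELECT n.nspname,
       has_schema_privilege('nijam', n.nspname, 'USAGE')  AS can_use,
       has_schema_privilege('nijam', n.nspname, 'CREATE') AS can_create
FROM pg_namespace n
WHERE n.nspname NOT LIKE 'pg\_%'
  AND n.nspname <> 'information_schema'
ORDER BY n.nspname;
```

These grants are enforced by the server regardless of pg_hba.conf, so the role stays restricted even if a broader pg_hba.conf entry is added later.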
Granting create and table access privileges on the bvms schema to the bvms user:
psql -d bvms -U pginsta
\c bvms
GRANT CREATE ON SCHEMA bvms TO bvms;
Creating the t1 table as the bvms user with search_path set to the bvms schema:
psql -U bvms
set search_path=bvms;
show search_path;
drop table t1;
create table t1(id int);
psql -U bvms
set search_path=public;
show search_path;
drop table t1;
create table t1(id int);
bvms=> create table t1(id int);
CREATE TABLE
bvms=> drop table t1;
DROP TABLE