PostgreSQL Grant
- When an object is created, it is assigned an owner. The owner is normally the role that executed the creation statement.
- For most kinds of objects, the initial state is that only the owner (or a superuser) can do anything with the object. To allow other roles to use it, privileges must be granted.
- There are several different kinds of privilege: SELECT, INSERT, UPDATE, DELETE,REFERENCES, TRIGGER, CREATE, CONNECT, TEMPORARY, EXECUTE, and USAGE.
- Lab to create USERS, SCHEMAS, ROLES, Alter SEARCH_PATH,
- GRANT and REVOKE privileges
Privileges:
PRIVILEGES | Description |
SELECT | Allows SELECT from any column, or the specific columns listed, of the specified table, this privilege allows the object to be read. |
INSERT | Allows INSERT of a new row into the specified table. |
UPDATE | Allows UPDATE of any column, or the specific columns listed, of the specified table. |
DELETE | Allows DELETE of a row from the specified table. |
TRUNCATE | Allows TRUNCATE on the specified table. |
REFERENCES | To create a foreign key constraint, it is necessary to have this privilege on both the referencing and referenced columns. The privilege may be granted for all columns of a table, or just specific columns. |
TRIGGER | Allows the creation of a trigger on the specified table. |
CREATE |
|
CONNECT | Allows the user to connect to the specified database. |
TEMPORARY TEMP |
Allows temporary tables to be created while using the specified database. |
EXECUTE | Allows the use of the specified function and the use of any operators that are implemented on top of the function. This is the only type of privilege that is applicable to functions. (This syntax works for aggregate functions, as well.) |
USAGE |
|
ALL PRIVILEGES | Grant all of the available privileges at once. The PRIVILEGES key word is optional in PostgreSQL, though it is required by strict SQL. |
Examples
— Connect the u2 user in postgres database
postgres=# \conninfo
You are connected to database "postgres" as user "u2" via socket in "/tmp" at port "5432".
— List down the user
postgres=# \du
List of roles
Role name | Attributes | Member of
-----------+------------------------------------------------+-----------
john | Superuser | {}
postgres | Superuser, Create role, Create DB, Replication | {}
u1 | | {}
u10 | | {}
u11 | | {}
u2 | Superuser | {}
— list the table
postgres=# \dt
List of relations
Schema | Name | Type | Owner
--------+-------------+-------+----------
benz2 | buy | table | u2
benz2 | comment_log | table | u2
benz2 | contable | table | u2
benz2 | demo | table | u2
benz2 | dept | table | postgres
— Connect as u1 user
[postgres@r1 ~]$ psql -U u1
Password for user u1:
— Check the privileges of dept tables as u1 user
postgres=> \dp benz2.dept
Access privileges
Schema | Name | Type | Access privileges | Column access privileges
--------+------+-------+-------------------+--------------------------
benz2 | dept | table | |
(1 row)
Note: Here u1 user don’t have any privilege to access dept table
— connect the superuser as u2 grant the read & insert permission to u1 user to access the dept table
postgres=# grant select on benz2.dept to u1;
GRANT
postgres=# grant insert on benz2.dept to u1;
GRANT
–connect the u1 user and check the privilege using \dp command
postgres=> \dp benz2.dept
Access privileges
Schema | Name | Type | Access privileges | Column access privileges
--------+------+-------+---------------------------+--------------------------
benz2 | dept | table | postgres=arwdDxt/postgres+|
| | | u1=ar/postgres |
(1 row)
Here “ar” means insert & read(select)
The entries shown by \dp are interpreted thus:
rolename=xxxx -- privileges granted to a role
=xxxx -- privileges granted to PUBLIC
r -- SELECT ("read")
w -- UPDATE ("write")
a -- INSERT ("append")
d -- DELETE
D -- TRUNCATE
x -- REFERENCES
t -- TRIGGER
X -- EXECUTE
U -- USAGE
C -- CREATE
c -- CONNECT
T -- TEMPORARY
arwdDxt -- ALL PRIVILEGES (for tables, varies for other objects)
* -- grant option for preceding privilege
/yyyy -- role that granted this privilege
— issue the select statement against the dept table as u1 user
postgres=> select * from benz2.dept;
ERROR: permission denied for schema benz2
LINE 1: select * from benz2.dept;
because you need to specify grant usuage option on benz2 schema ^
— again connect the u2 superuser and grant all privilege to u1 user to accessing dept table
postgres=# grant USAGE ON schema benz2 TO u1;
GRANT
— Now issue the select statement as u1 user against dept table
postgres=> select * from benz2.dept;
dept_id | department | address
---------+------------+---------
1 | ece | chennai
(1 row)
Some basic command of grant :
— Create a “nologin” role to act as the owner
create role dbowner nologin;
— Change the owner of your database to this
alter database mydb owner dbowner;
— Grant all your logins to this new role
grant dbowner to user1, user2;
granting privileges is from enterprisedb
grant all privileges on database <db_name> to <group_name>
granting privileges is from enterprisedb
grant all privileges on database <db_name> to <user_name>
grant all privileges on <table_name> to <user_name>
Revoking privileges is from enterprisedb
revoke all privileges on database <db_name> from <user_name>
Grant insert privilege to all users on table tab1:
GRANT INSERT ON tab1 TO PUBLIC;
Grant all available privileges to user manuel on view kinds:
GRANT ALL PRIVILEGES ON emp TO nijam;
Grant membership in role admins to user nijam:
GRANT admins TO nijam;
To assign privileges, the GRANT command is used. So, if “nijam” is an existing role, and “emp” is an existing table, the privilege to update the table can be granted with
GRANT UPDATE ON emp TO nijam;
The special name PUBLIC can be used to grant a privilege to every role on the system. Writing ALL in place of a specific privilege specifies that all privileges that apply to the object will be granted.
GRANT all ON emp TO public;
Use psql’s \dp command to obtain information about existing privileges for tables and columns
\dp emp
Access privileges
Schema | Name | Type | Access privileges | Column access privileges
--------+---------+-------+-----------------------+--------------------------
public | emp | table | u1=arwdDxt/u1 | col1:
: =r/u1 : u1_rw=rw/u1
: admin=arw/u1
(1 row)
We gave connect privilege to user for database connect
GRANT CONNECT ON DATABASE database_name TO user_name;
We gave connect privilege to ALL user for database connect
GRANT CONNECT ON DATABASE database_name TO Public;
GRANT CONNECT ON DATABASE database_name TO user_name;
REVOKE ALL ON ALL TABLES IN SCHEMA schema_name FROM PUBLIC;
GRANT CONNECT ON DATABASE database_name TO user_name;
we gave permission to access all objects in database on particular user
grant all privileges on database dbname to dbuser; GRANT CONNECT ON DATABASE database_name TO user_name;
Create role with Login privilege
CREATE ROLE demo_role WITH LOGIN;
GRANT CONNECT ON DATABASE database_name TO user_name;
Revoke Login Permission
ALTER ROLE demo_role WITH NOLOGIN;
Granting connect, update,insert privileges
GRANT CONNECT ON DATABASE database_name TO user_name;
GRANT UPDATE ON demo TO demo_role;
GRANT INSERT ON demo TO PUBLIC;
To view the grant table
\z
Access privileges
Schema | Name | Type | Access privileges | Column access privileges
--------+-------------+----------+----------------------------+------------------------
public | demo | table | postgres=arwdDxt/postgres +|
| | | demo_role=w/postgres +|
| | | test_user=arwdDxt/postgres+|
| | | =a/postgres |
public | demo_id_seq | sequence | |
(2 rows)