Menu
Please explain the output of the \z command in PostgreSQL. I understand the permission, I read the documentation, but somehow I missed the interpretation of the output of \z.
datastore_default=> \z Access privileges Schema | Name | Type | Access privileges | Column access privileges --------+-----------------+-------+-----------------------------------+-------------------------- public | _table_metadata | view | ckan_default=arwdDxt/ckan_default+| | | | datastore_default=r/ckan_default +| | | | readonlyuser=r/ckan_default +| public | foo | table | ckan_default=arwdDxt/ckan_default+| | | | datastore_default=r/ckan_default +| | | | readonlyuser=r/ckan_default +| Somehow readonlyuser seems to be able to read tables foo and _foo but in practice it cannot. Both commands return an error:
sudo -u postgres psql -d datastore_default -U readonlyuser -c 'SELECT * FROM foo' sudo -u postgres psql -d datastore_default -U readonlyuser -c 'SELECT * FROM public.foo' ERROR: permission denied for schema public LINE 1: SELECT * FROM public.foo Edit: apparently I had a poor understanding of how database and schema permissions work. First of all only the db admin (user postgres) or the owner of the database (in my case user ckan_default) can grant other users privileges on a specific database. The schema is only at a database level, so it's ok that I added readonlyuser the permission to see the public schema, it cannot select from other databases anyway.
903
In PostgreSQL, there are no groups of users. Instead you can create roles with certain permissions, and then grant those roles to other roles. Roles will inherit the permissions of roles granted to them, if those roles have the INHERIT attribute.
Users, groups, and roles are the same thing in PostgreSQL, with the only difference being that users have permission to log in by default. The CREATE USER and CREATE GROUP statements are actually aliases for the CREATE ROLE statement.
Description. CREATE ROLE adds a new role to a PostgreSQL database cluster. A role is an entity that can own database objects and have database privileges; a role can be considered a “user”, a “group”, or both depending on how it is used.
The error says permission denied for schema public (emphasis mine)
You need to give readonlyuser rights on schema public:
GRANT USAGE ON SCHEMA public TO readonlyuser; The contents of the ACL is explained on this page. The most relevant part quoted here:
rolename=xxxx -- privileges granted to a role =xxxx -- privileges granted to PUBLIC
r -- SELECT ("read") w -- UPDATE ("write") a -- INSERT ("append") d -- DELETE D -- TRUNCATE x -- REFERENCES t -- TRIGGER X -- EXECUTE U -- USAGE C -- CREATE c -- CONNECT T -- TEMPORARY arwdDxt -- ALL PRIVILEGES (for tables, varies for other objects) * -- grant option for preceding privilege /yyyy -- role that granted this privilege
The + are part of the way psql formats the result, they are not part of the value.
76
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
