Granting access to all tables for a user
I'm new to Postgres and trying to migrate our MySQL databases over. In MySQL I can grant
DELETEprivileges on a low privileged user and enable those grants to apply to all tables in a specified database. I must be missing something in Postgres because it looks like I have to grant those privileges for each table one at a time. With many databases and hundreds of tables per database that seems like a daunting task just to get off the ground. In addition, once a database is in operation, adding tables happens frequently enough that I wouldn't want to have to grant permissions each time unless absolutely necessary.
How is this best accomplished?
First, you have to be able to connect to the database in order to run queries. This can be achieved by
REVOKE CONNECT ON DATABASE your_database FROM PUBLIC; GRANT CONNECT ON DATABASE database_name TO user_name;
REVOKEis necessary because
The key word PUBLIC indicates that the privileges are to be granted to all roles, including those that might be created later. PUBLIC can be thought of as an implicitly defined group that always includes all roles. Any particular role will have the sum of privileges granted directly to it, privileges granted to any role it is presently a member of, and privileges granted to PUBLIC.
If you really want to restrict your user to DML statements, then you have a little more to do:
REVOKE ALL ON ALL TABLES IN SCHEMA public FROM PUBLIC; GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA public TO user_name;
These assume that you will have only one schema (which is named 'public' by default).
As Jack Douglas pointed out, the above only gives the privileges for the already existing tables. To achieve the same for future tables, you have to define default privileges:
ALTER DEFAULT PRIVILEGES FOR ROLE some_role -- Alternatively "FOR USER" IN SCHEMA public GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO user_name;
some_roleis a role that creates the tables, while
user_nameis the one who gets the privileges. Defining this, you have to be logged in as
some_roleor a member of it.
And, finally, you have to do the same for the sequences (thanks to PlaidFan for pointing it out) - here it is the
USAGEprivilege that you need.
Thanks, `FOR some_role` was the key part I was missing to make it work for my tables created later. But I didn't have to be logged in as `some_role`, it worked also if I executed the query as the default admin `postgres` user.
assuming you want to give them all privileges - do this:
grant all privileges on database dbname to dbuser;
dbnameis the name of your database and
dbuseris the name of the user.
This will add the following privileges on the _database_: `CREATE, CONNECT, TEMPORARY`. No privileges on tables.
A similar command for all tables would be, `GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO dbuser;`
It may be that I was doing something wrong here since I am very new to PostgreSQL. But this only solved the first part of the problem for me - setting the privileges on all existing tables.
In order for permissions to be correctly set for my user on new tables, that are created I has to set default permissions for the user:
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT, INSERT, UPDATE, DELETE ON tables TO user_name; ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT, USAGE ON sequences TO user_name;
--Create User CREATE USER my_user_test WITH LOGIN NOSUPERUSER NOCREATEDB NOCREATEROLE INHERIT NOREPLICATION CONNECTION LIMIT -1 PASSWORD 'xxxxxxx'; -- Grant connect to my data base GRANT CONNECT ON DATABASE my_db_test TO my_user_test; -- Grant usage the schema GRANT USAGE ON SCHEMA my_sch_test TO my_user_test ; -- Grant all table for SELECT, INSERT, UPDATE, DELETE GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA my_sch_test TO my_user_test;