AW: Connect to db denied for superuser inherited by group

Поиск
Список
Период
Сортировка
От
Тема AW: Connect to db denied for superuser inherited by group
Дата
Msg-id 214530c2d4cb438ca204bd2a3b5b4747@swisscom.com
обсуждение исходный текст
Ответ на Re: Connect to db denied for superuser inherited by group  (Stephen Frost <sfrost@snowman.net>)
Ответы Re: AW: Connect to db denied for superuser inherited by group  (Tom Lane <tgl@sss.pgh.pa.us>)
Список pgsql-admin
Дерево обсуждения 
What I've done

CREATE ROLE superrole WITH  NOLOGIN  SUPERUSER ..;
CREATE USER nosuperuser WITH LOGIN NOSUPERUSER INHERIT ..;
GRANT superrole TO nosuperuser WITH ADMIN OPTION;
REVOKE CONNECT ON DATABASE nonpublicdb FROM public ;

psql -d postgres -U nosupuser

postgres=# set role superrole;

postgres=# \c nonpublicdb
FATAL:  permission denied for database " nonpublicdb "
DETAIL:  User does not have CONNECT privilege.

I expect that the connection to the database is allowed since a role with superuser is used.  (I don't' expect any
differencebetween using a role (including superuser) or a user (including superuser).) 

Postgres Version: PostgreSQL 9.5.2 on x86_64-pc-linux-gnu, compiled by gcc (GCC) 4.8.5 20150623 (Red Hat 4.8.5-4),
64-bit

Regards --Michael


-----Ursprüngliche Nachricht-----
Von: Stephen Frost [mailto:sfrost@snowman.net]
Gesendet: Freitag, 16. März 2018 14:43
An: Dietrich Michael, INI-ONE-CIS-GSV-MFS <Michael.Dietrich@swisscom.com>
Cc: pgsql-admin@lists.postgresql.org
Betreff: Re: Connect to db denied for superuser inherited by group

Greetings,

* Michael.Dietrich@swisscom.com (Michael.Dietrich@swisscom.com) wrote:
> Unexpected behavior when trying to connect to a database. Facts:
> 1) The privilege to connect to the database was revoked from public.
> 2) User without superuser privileges uses a role with superuser rights
> (usage confirmed with SHOW current_role.)

Please provide more details about what this step #2 actually means.

> 3) Unecpected Message: FATAL: permission denied for database "db" DETAIL: User does not have CONNECT privilege.

Details about exactly what you're doing to connect here would be helpful.

> After granting one of the listed privileges it is working as expected.
> 1) granting superuser to user
> 2) granting connect to db for user
> 3) granting connect to db to group
> 3) granting connect to db to public
>
> What am I missing?  --Michael

CONNECT privileges are needed to be able to connect to the database, so it's not surprising that you needed to GRANT
themto the user after REVOKE'ing them from PUBLIC.  What's not clear is what you're actually trying to do and what
you'reexpecting to work that apparently isn't. 

Thanks!

Stephen

В списке pgsql-admin по дате отправления:

Предыдущее
От: Achilleas Mantzios
Дата:
Сообщение: Re: Compile error while building postgresql 10.3
Следующее
От: Tom Lane
Дата:
Сообщение: Re: AW: Connect to db denied for superuser inherited by group