Обсуждение: permission denied (even when run as postgres) for views after makingtheir owner nosuperuser
permission denied (even when run as postgres) for views after makingtheir owner nosuperuser
От
Achilleas Mantzios
Дата:
Hello,
I have a strange issue here, demonstrated by the below script, run as postgres (superuser), problem is in both 9.3 and
10.0:
dynacom=# create table testforfu (id serial, descr name);
CREATE TABLE
dynacom=# insert into testforfu (descr) values('bar');
INSERT 0 1
dynacom=# CREATE ROLE fuser;
CREATE ROLE
dynacom=# ALTER ROLE fuser WITH SUPERUSER INHERIT CREATEROLE CREATEDB LOGIN NOREPLICATION NOBYPASSRLS;
ALTER ROLE
dynacom=# create schema fuser;
CREATE SCHEMA
dynacom=# alter schema fuser owner to fuser ;
ALTER SCHEMA
dynacom=# SET search_path = fuser,pg_catalog;
SET
dynacom=# create view fuser.testforfu as select * from public.testforfu;
CREATE VIEW
dynacom=# alter view fuser.testforfu owner to fuser ;
ALTER VIEW
dynacom=# create table fuser.testforfutbl (descr TEXT);
CREATE TABLE
dynacom=# alter table fuser.testforfutbl owner to fuser ;
ALTER TABLE
dynacom=# select * from fuser.testforfu ;
id | descr
----+-------
1 | bar
(1 row)
dynacom=# alter user fuser nosuperuser ;
ALTER ROLE
dynacom=# select * from fuser.testforfutbl ;
descr
-------
(0 rows)
dynacom=# select * from fuser.testforfu ;
ERROR: permission denied for relation testforfu
So the select on the table works, but not on the select on the view. If I remake fuser as superuser then the select
worksok :
alter user fuser superuser ;
ALTER ROLE
dynacom=# select * from fuser.testforfu ;
id | descr
----+-------
1 | bar
(1 row)
In fact, there is no way on earth I can regain access to view fuser.testforfu for any user (postgres included) unless I
changeits ownership (or make fuser a superuser).
is this normal? documented? Am I missing anything?
--
Achilleas Mantzios
IT DEV Lead
IT DEPT
Dynacom Tankers Mgmt
Re: permission denied (even when run as postgres) for views aftermaking their owner nosuperuser
От
"David G. Johnston"
Дата:
In fact, there is no way on earth I can regain access to view fuser.testforfu for any user (postgres included) unless I change its ownership (or make fuser a superuser).
is this normal? documented? Am I missing anything?
When dealing with views the owner of the view is performing all of the queries. So if you make the view owner lack permission to access the underlying tables the view isn't going to work no matter the permissions of the view caller.
Documented here:
"Access to tables referenced in the view is determined by permissions of the view owner."
David J.
Re: permission denied (even when run as postgres) for views aftermaking their owner nosuperuser
От
Achilleas Mantzios
Дата:
On 26/01/2018 16:42, David G. Johnston wrote:
In fact, there is no way on earth I can regain access to view fuser.testforfu for any user (postgres included) unless I change its ownership (or make fuser a superuser).
is this normal? documented? Am I missing anything?When dealing with views the owner of the view is performing all of the queries. So if you make the view owner lack permission to access the underlying tables the view isn't going to work no matter the permissions of the view caller.
Thanks a lot!
Documented here:"Access to tables referenced in the view is determined by permissions of the view owner."David J.
-- Achilleas Mantzios IT DEV Lead IT DEPT Dynacom Tankers Mgmt