Discussion: problem with read-only user


problem with read-only user

From:
ROS Didier
Date:
Hi
I created a read-only role as follows:
psql -p 5434 kidsdpn03
CREATE ROLE kidsdpn03_ro PASSWORD 'xxx';
ALTER ROLE kidsdpn03_ro WITH LOGIN;
GRANT CONNECT ON DATABASE kidsdpn03 TO kidsdpn03_ro;
GRANT USAGE ON SCHEMA kidsdpn03 TO kidsdpn03_ro;
GRANT SELECT ON ALL TABLES IN SCHEMA kidsdpn03 TO kidsdpn03_ro;
GRANT SELECT ON ALL SEQUENCES IN SCHEMA kidsdpn03 TO kidsdpn03_ro;
ALTER DEFAULT PRIVILEGES IN SCHEMA kidsdpn03 GRANT SELECT ON TABLES TO kidsdpn03_ro;
ALTER ROLE kidsdpn03_ro SET search_path TO kidsdpn03;

but when I create new tables, I don't have read access to those new tables.
Can anybody help solve this problem?
Thank you in advance

Didier ROS
didier.ros@edf.fr








This message and any attachments (the 'Message') are intended solely for the addressees. The information contained in
this Message is confidential. Any use of information contained in this Message not in accord with its purpose, any
dissemination or disclosure, either whole or partial, is prohibited except formal approval.

If you are not the addressee, you may not copy, forward, disclose or use any part of it. If you have received this
message in error, please delete it and all copies from your system and notify the sender immediately by return message.

E-mail communication cannot be guaranteed to be timely secure, error or virus-free.

Re: problem with read-only user

From:
Tom Lane
Date:
ROS Didier <didier.ros@edf.fr> writes:
> I created a read-only role as follows:
> psql -p 5434 kidsdpn03
> CREATE ROLE kidsdpn03_ro PASSWORD 'xxx';
> ALTER ROLE kidsdpn03_ro WITH LOGIN;
> GRANT CONNECT ON DATABASE kidsdpn03 TO kidsdpn03_ro;
> GRANT USAGE ON SCHEMA kidsdpn03 TO kidsdpn03_ro;
> GRANT SELECT ON ALL TABLES IN SCHEMA kidsdpn03 TO kidsdpn03_ro;
> GRANT SELECT ON ALL SEQUENCES IN SCHEMA kidsdpn03 TO kidsdpn03_ro;
> ALTER DEFAULT PRIVILEGES IN SCHEMA kidsdpn03 GRANT SELECT ON TABLES TO kidsdpn03_ro;
> ALTER ROLE kidsdpn03_ro SET search_path TO kidsdpn03;

> but when i create new tables, i don't have read access to those new  tables.

You only showed us part of what you did ... but IIRC,
ALTER DEFAULT PRIVILEGES only affects privileges for objects
subsequently made by the same user that issued the command.
(Otherwise it'd be a security issue.)  So maybe you didn't
make the tables as the same user?

            regards, tom lane
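The fix Tom's answer points at, as an added example that is not part of the thread: tie the default privileges to the creating role with FOR ROLE, then verify from the catalog that they are registered and that a freshly created table is readable. It assumes the statements run as a superuser or as kidsdpn03 itself (FOR ROLE requires membership in that role), that kidsdpn03 may create objects in schema kidsdpn03, and uses a made-up table name t_new; the SEQUENCES statement goes beyond the thread, which only set defaults for tables.

```sql
-- Added example, not from the thread. The original ALTER DEFAULT PRIVILEGES had no
-- FOR ROLE clause, so it only covered objects created by the role that ran it.
-- The tables are created by kidsdpn03, so the defaults must be declared for that role.
-- Assumptions: run as a superuser or as kidsdpn03 (FOR ROLE needs membership in the
-- target role); kidsdpn03 has CREATE on schema kidsdpn03; t_new is a made-up name.

ALTER DEFAULT PRIVILEGES FOR ROLE kidsdpn03 IN SCHEMA kidsdpn03
    GRANT SELECT ON TABLES TO kidsdpn03_ro;

-- Sequences need their own entry; ON TABLES does not cover them.
ALTER DEFAULT PRIVILEGES FOR ROLE kidsdpn03 IN SCHEMA kidsdpn03
    GRANT SELECT ON SEQUENCES TO kidsdpn03_ro;

-- Inspect what is registered: one row per (creating role, schema, object type).
-- defaclobjtype 'r' is tables, 'S' is sequences. A row whose for_role is not
-- kidsdpn03 is the mistake from the thread: it never applies to kidsdpn03's objects.
SELECT pg_get_userbyid(defaclrole)   AS for_role,
       defaclnamespace::regnamespace AS in_schema,
       defaclobjtype,
       defaclacl
FROM   pg_default_acl;

-- End-to-end check: create a table as the owning role, then ask the catalog
-- whether the read-only role can SELECT from it. This should now return true.
SET ROLE kidsdpn03;
CREATE TABLE kidsdpn03.t_new (id integer);
RESET ROLE;
SELECT has_table_privilege('kidsdpn03_ro', 'kidsdpn03.t_new', 'SELECT');

-- Default privileges never touch objects that already exist; those still need the
-- explicit GRANT SELECT ON ALL TABLES / SEQUENCES IN SCHEMA from the original post.
```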



RE: problem with read-only user

From:
ROS Didier
Date:
Hi Tom
    Thanks for your answer.
    Actually, you're right: the tables and the sequences are created by the user kidsdpn03, and another, read-only role
(kidsdpn03_ro) must interrogate these objects.
    So every time the kidsdpn03 role creates a new table, the kidsdpn03_ro role will not have the rights to read it.
kidsdpn03_ro must be explicitly granted read rights on these objects.
    Can you confirm that if it was the kidsdpn03_ro role that created the tables, there would be no problem when
accessing new tables?
    Thanks in advance.

Didier ROS
didier.ros@edf.fr
Tel.: +33 6 49 51 11 88

-----Original Message-----
From: tgl@sss.pgh.pa.us [mailto:tgl@sss.pgh.pa.us]
Sent: Friday 20 December 2019 15:05
To: ROS Didier <didier.ros@edf.fr>
Cc: pgsql-hackers@postgresql.org; pgsql-sql@postgresql.org
Subject: Re: problem with read-only user

ROS Didier <didier.ros@edf.fr> writes:
> I created a read-only role as follows:
> psql -p 5434 kidsdpn03
> CREATE ROLE kidsdpn03_ro PASSWORD 'xxx'; ALTER ROLE kidsdpn03_ro WITH
> LOGIN; GRANT CONNECT ON DATABASE kidsdpn03 TO kidsdpn03_ro; GRANT
> USAGE ON SCHEMA kidsdpn03 TO kidsdpn03_ro; GRANT SELECT ON ALL TABLES
> IN SCHEMA kidsdpn03 TO kidsdpn03_ro; GRANT SELECT ON ALL SEQUENCES IN
> SCHEMA kidsdpn03 TO kidsdpn03_ro; ALTER DEFAULT PRIVILEGES IN SCHEMA
> kidsdpn03 GRANT SELECT ON TABLES TO kidsdpn03_ro; ALTER ROLE
> kidsdpn03_ro SET search_path TO kidsdpn03;

> but when i create new tables, i don't have read access to those new  tables.

You only showed us part of what you did ... but IIRC, ALTER DEFAULT PRIVILEGES only affects privileges for objects
subsequently made by the same user that issued the command.
(Otherwise it'd be a security issue.)  So maybe you didn't make the tables as the same user?

            regards, tom lane






