Обсуждение: Req for some help in figuring out table create grants

Поиск
Список
Период
Сортировка

Req for some help in figuring out table create grants

От
"Tharmarajah, Sam"
Дата:

Hi

 

I am new to postgres and I am lost in figuring out how the privilege grants are dealt with.

 

I have a two roles my_connect role has

 

GRANT CONNECT ON DATABASE mydb TO my_connect;

 

And my_developer with the following grants:

 

GRANT SELECT ON ALL TABLES IN SCHEMA PUBLIC TO my_developer;

GRANT SELECT ON ALL SEQUENCES IN SCHEMA PUBLIC TO my_developer;

GRANT EXECUTE ON ALL FUNCTIONS IN SCHEMA PUBLIC TO my_developer;

 

 

Now when I create a user with no privs and grant only these roles with inherit, what does allow the user to create a table in the public schema? Shouldn’t these privs limit the table creation for the user?

 

If I want to limit the user’s ability of operation to the role, that were granted, how do I accomplish that?

 

Any help will be much appreciated. Thanks for all your responses in advance.

 

Thanx,

Sam

Re: Req for some help in figuring out table create grants

От
Rui DeSousa
Дата:

On Apr 27, 2020, at 4:22 PM, Tharmarajah, Sam <sambavan.tharmarajah@usask.ca> wrote:


Now when I create a user with no privs and grant only these roles with inherit, what does allow the user to create a table in the public schema? Shouldn’t these privs limit the table creation for the user?
 
If I want to limit the user’s ability of operation to the role, that were granted, how do I accomplish that?
 

There is a special public role that all users belong to.  The public schema is setup already with grants to the public role.  You would have to remove privileges from the public role to public schema. 

i.e. 

revoke create on schema public from public;
etc.

Personally, I drop the public schema and create users with noinherit option. 

Here is a good read by Tomas Vondra from 2ndQuadrant on the topic: