PostgreSQL – Granting SELECT Inside SCHEMA

permissionspostgresql

I have created a database, role and schema with this script:

-- -----------------------------------------------------------------------------
-- set variables ---------------------------------------------------------------
-- -----------------------------------------------------------------------------
\set dbname keycloak
\set schemaname :dbname
\set rolename :dbname

-- -----------------------------------------------------------------------------
-- create ROLE and Database ----------------------------------------------------
-- -----------------------------------------------------------------------------
CREATE ROLE :rolename WITH LOGIN ;
CREATE DATABASE :dbname WITH OWNER :rolename ;

-- -----------------------------------------------------------------------------
-- connect to DB, create SCHEMA & set privileges -------------------------------
-- -----------------------------------------------------------------------------
\c :dbname
REVOKE ALL ON SCHEMA public FROM PUBLIC ;
CREATE SCHEMA :schemaname AUTHORIZATION :rolename ;
ALTER ROLE :rolename SET search_path=:schemaname ;
GRANT ALL ON ALL TABLES IN SCHEMA :schemaname TO :rolename ;
REVOKE ALL ON DATABASE :dbname FROM PUBLIC ;

This all seems to work in regards to what the keycloak ROLE can do on the keycloak Database.

Now I want to GRANT SELECT to a ROLE keycloak_reader ON ALL TABLES inside that SCHEMA keycloak. Further more that role should be granted to other roles (which should inherit those SELECT ability [ideally including the search_path]).

I tried

GRANT CONNECT ON DATABASE keycloak TO keycloak_reader ;
\c keycloak
GRANT SELECT ON ALL TABLES IN SCHEMA keycloak TO keycloak_reader ;
ALTER ROLE keycloak SET search_path=keyckloak ;

I can connect, but can not SELECT anything (permission denied). Neither as keycloak_reader, nor as any of the roles which a members of keycloak_reader group.

What am I doing wrong?

Best Answer

In addition to permissions at the level of an object in the database (table, sequence, function, etc.), the user should have USAGE privilege on this schema to actually use any object within schema.

So you need to add:

grant usage on schema keyckloak to keycloak_reader;

It's pretty easy to miss, the error message will only say you don't have permissions on schema if you specify the table name along with the schema (not relying on search_path).

Configuration settings for a role cannot be inherited. This is mentioned in the documentation here:

Note that role-specific defaults attached to roles without LOGIN privilege are fairly useless, since they will never be invoked.

Related Solutions

Oracle 12c – Problem Granting User Privileges via Roles

You did not mention it, but this is quite typical when using PL/SQL.

Privileges granted through roles are disabled for named PL/SQL blocks that are defined to execute with definer's rights.

How Roles Work in PL/SQL Blocks

All roles are disabled in any named PL/SQL block (stored procedure, function, or trigger) that executes with definer's rights. Roles are not used for privilege checking and you cannot set roles within a definer's rights procedure.

More details you can find in the documentation referenced above.

Possible workarounds involve granting the privileges directly (as you already did) or define the PL/SQL program unit to execute with invoker's rights.

Another possibility starting with 12c, you can grant roles to PL/SQL program units. So if you create tables with the procedure called p1 using dynamic SQL, you can grant the above role to it as:

grant wertyq_usr_role to procedure p1;

Choose the one that suits your needs.

SQL Server 2008 R2 – How to Deny DBO Schema Permission

Restarting Management Studio fixed it.

It looks like it was some sort of glitch - for some reason, it was acting like I was using AppUser to run the query. I double checked and I was definitely logged in using sa, so I'm not sure what happened.

I realised when I tried to change permissions for the new schema, which had previously completed successfully and was now giving the same message. I tried to remove the login and just try setting it up again, and it gave the error that the user was still logged in, despite me closing all instances of Management Studio aside from the one I was currently using with the sa account. I tried to kill the session using the advice from this post, but it gave an error about not having permission (at this point I double checked yet again that I was definitely using the sa account). In the end I closed the current instance too, logged back in as sa, and it has worked fine since - I can grant/deny on the new schema and dbo for AppUser.

Best Answer

Related Solutions

Oracle 12c – Problem Granting User Privileges via Roles

SQL Server 2008 R2 – How to Deny DBO Schema Permission

Related Question