PostgreSQL – Cannot Revoke Default Privileges from User

permissionspostgresqlpsql

I am using the psql tool:

Command:

my_db=# \ddp

Result:

                         Default access privileges
     Owner      | Schema |   Type   |          Access privileges
----------------+--------+----------+--------------------------------------
 postgres       | kpi    | function | kpi_updater=X/postgres              +
                |        |          | intranet2=X/postgres
 postgres       | kpi    | sequence | kpi_updater=rwU/postgres            +
                |        |          | intranet2=rwU/postgres
 postgres       | kpi    | table    | kpi_updater=arwdDxt/postgres        +
                |        |          | intranet2=arwdDxt/postgres
 postgres       | kpi    | type     | kpi_updater=U/postgres              +
                |        |          | intranet2=U/postgres

Next I use the following command, that returns without error:

ALTER DEFAULT PRIVILEGES IN SCHEMA kpi REVOKE EXECUTE ON FUNCTIONS FROM intranet2;

I run \ddp one more time and… I get exactly the same result: default privileges were not modified.

What am I missing here ?

Thanks !

Best Answer

Edited to answer the question related to the \ddp command not the \dp command as @personne3000 pointed out in the comment below.

You probably want to use ALTER DEFAULT PRIVILEGES FOR ROLE postgres IN SCHEMA kpi REVOKE EXECUTE ON FUNCTIONS FROM intranet2;

This is because postgres is the user that was granted the default privilege of execute on the functions in the schema kpi and is granting it to intranet2, as noted by the permissions of intranet2=X/postgres

I created a small example to illustrate what's going on.

pgsql@[local]:5432:pgsql:=# CREATE ROLE bob;
CREATE ROLE
Time: 0.526 ms
pgsql@[local]:5432:pgsql:=# CREATE SCHEMA we_like_bob;
CREATE SCHEMA
Time: 0.608 ms

pgsql@[local]:5432:pgsql:=# ALTER DEFAULT PRIVILEGES FOR ROLE bob IN SCHEMA we_like_bob GRANT EXECUTE ON FUNCTIONS TO pgsql;
ALTER DEFAULT PRIVILEGES
Time: 1.480 ms
pgsql@[local]:5432:pgsql:=# \ddp
             Default access privileges
 Owner |   Schema    |   Type   | Access privileges 
-------+-------------+----------+-------------------
 bob   | we_like_bob | function | pgsql=X/bob
(1 row)

User pgsql has the execute privilege, X, granted by bob.

Try to revoke the execute privilege for the role pgsql, as pgsql (a superuser).

pgsql@[local]:5432:pgsql:=# ALTER DEFAULT PRIVILEGES FOR ROLE pgsql IN SCHEMA we_like_bob REVOKE EXECUTE ON FUNCTIONS FROM pgsql;
ALTER DEFAULT PRIVILEGES
Time: 0.176 ms
pgsql@[local]:5432:pgsql:=# \ddp
             Default access privileges
 Owner |   Schema    |   Type   | Access privileges 
-------+-------------+----------+-------------------
 bob   | we_like_bob | function | pgsql=X/bob
(1 row)

Didn't work because the command is not removing the bob role's default ability to grant execute on functions to role pgsql, it is removing the pgsql role's ability to revoke execute on functions from pgsql.

If we change it to remove the privilege of execute from the bob role for the role pgsql, then it works.

pgsql@[local]:5432:pgsql:=# ALTER DEFAULT PRIVILEGES FOR ROLE bob IN SCHEMA we_like_bob REVOKE EXECUTE ON FUNCTIONS FROM pgsql;
ALTER DEFAULT PRIVILEGES
Time: 0.644 ms
pgsql@[local]:5432:pgsql:=# \ddp
         Default access privileges
 Owner | Schema | Type | Access privileges 
-------+--------+------+-------------------
(0 rows)

pgsql@[local]:5432:pgsql:=#

Related Solutions

PostgreSQL Privileges – Database Owner and Application User

You want ALTER DEFAULT PRIVILEGES.

Give the rds_superuser default access rights to all new tables.

This only affects tables created after the ALTER. For existing tables you must GRANT rights.

PostgreSQL – pg_restore Error: Schema ‘public’ Already Exists

The error is harmless but to get rid of it, I think you need to break this restore into two commands, as in:

dropdb -U postgres mydb && \
 pg_restore --create --dbname=postgres --username=postgres pg_backup.dump

The --clean option in pg_restore doesn't look like much but actually raises non-trivial problems.

For versions up to 9.1

The combination of --create and --clean in pg_restore options used to be an error in older PG versions (up to 9.1). There is indeed some contradiction between (quoting the 9.1 manpage):

--clean Clean (drop) database objects before recreating them

and

--create Create the database before restoring into it.

Because what's the point of cleaning inside a brand-new database?

Starting from version 9.2

The combination is now accepted and the doc says this (quoting the 9.3 manpage):

--clean Clean (drop) database objects before recreating them. (This might generate some harmless error messages, if any objects were not present in the destination database.)

--create Create the database before restoring into it. If --clean is also specified, drop and recreate the target database before connecting to it.

Now having both together leads to this kind of sequence during your restore:

DROP DATABASE mydb;
...
CREATE DATABASE mydb WITH TEMPLATE = template0... [other options]
...
CREATE SCHEMA public;
...
CREATE TABLE...

There is no DROP for each individual object, only a DROP DATABASE at the beginning. If not using --create this would be the opposite.

Anyway this sequence raises the error of public schema already existing because creating mydb from template0 has imported it already (which is normal, it's the point of a template database).

I'm not sure why this case is not handled automatically by pg_restore. Maybe this would cause undesirable side-effects when an admin decides to customize template0 and/or change the purpose of public, even if we're not supposed to do that.

Best Answer

Related Solutions

PostgreSQL Privileges – Database Owner and Application User

PostgreSQL – pg_restore Error: Schema ‘public’ Already Exists

Related Question