PostgreSQL – Can’t Alter Default Privileges

permissionspostgresql

I followed the steps below.

I installed PostgreSQL.
I logged in as postgres via (sudo -i -u postgres)
I created new user new_user via shell script createuser --interactive
I granted that user permission to create databases.
I created database: createdb new_db.

Now I want to give new_user privileges be able to perform all default DML operations on tables created by himself (command bellow taken from this question), so I typed:

postgres=# ALTER DEFAULT PRIVILEGES FOR new_user IN SCHEMA 
    public GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO new_user;

But got an error:

ERROR:  syntax error at or near "new_user"
LINE 1: ALTER DEFAULT PRIVILEGES FOR new_user IN SCHEMA public GRANT...

I have no idea why this command is not working.

Best Answer

A key word is missing. It must be:

ALTER DEFAULT PRIVILEGES FOR ROLE new_user IN SCHEMA public GRANT...

The documentation:

ALTER DEFAULT PRIVILEGES
    [ FOR { ROLE | USER } target_role [, ...] ]

One of both ({ ROLE | USER }) is required.

Note that the particular command does not make any sense to begin with because (per documentation):

There is no need to grant privileges to the owner of an object (usually the user that created it), as the owner has all privileges by default.

If you want that to grant permissions for objects that a different user created, like postgres, then use:

And you probably wouldn't want to restrict that to a particular schema.

ALTER DEFAULT PRIVILEGES FOR ROLE postgres
GRANT ALL ON TABLES TO new_user;

And you typically want to grant privileges on sequences as well

ALTER DEFAULT PRIVILEGES FOR ROLE postgres
GRANT ALL ON SEQUENCES TO new_user;

Related Solutions

PostgreSQL – Created User Can Access All Databases Without Grants

At the SQL level, every user can indeed connect to a newly created database, until the following SQL command is issued:

REVOKE connect ON DATABASE database_name FROM PUBLIC;

Once done, each user or role that should be able to connect has to be granted explicitly the connect privilege:

GRANT connect ON DATABASE database_name TO rolename;

Edit: In a multi-tenant scenario, more than just the connect privilege would be removed. For multi-tenancy tips and best practices, you may want to read on the postgresql public wiki: Shared Database Hosting and Managing rights in PostgreSQL.

PostgreSQL – Resolving ‘Alter Default Privileges’ Issue

Either you've forgot to add a permission to SELECT in the GRANT below, quoted from the question:

ALTER DEFAULT PRIVILEGES FOR USER access1
   IN SCHEMA access1 GRANT INSERT, UPDATE, DELETE ON TABLES TO access1_rw;

... or, if you really meant that having the role access1_rw doesn't let read the tables even tough it lets write to them, then you must grant the role access1_ro to user1 (in addition to granting the role access1_rw).

Not having either of those has the consequence that user1 was never granted the right to SELECT from tables in the mentioned schema.

Best Answer

Related Solutions

PostgreSQL – Created User Can Access All Databases Without Grants

PostgreSQL – Resolving ‘Alter Default Privileges’ Issue

Related Question