PostgreSQL – Create or Copy New Superuser from Existing One

permissionspostgresqlusers

I have a superuser for a PostgreSQL database, let's call him userX.

How can I make a new superuser (let's call him userY) with all the same permissions, access, etc…?

Basically, I want a clone of everything about userX to userY and keep both users.

Best Answer

Well, if you have an existing superuser role called "super1", you could do:

CREATE ROLE super2 WITH SUPERUSER LOGIN;
GRANT super1 TO super2;

And, in theory at least, any of super1's privileges would be transferred over to super2. However, I'm not sure your question makes much sense, since superusers generally are allowed to override any privilege checks. As the documentation explains:

It should be noted that database superusers can access all objects regardless of object privilege settings. This is comparable to the rights of root in a Unix system. As with root, it's unwise to operate as a superuser except when absolutely necessary.

I'd be interested to hear what privileges your existing superuser role had which were not automatically granted to whatever new superuser role you created by default.

Edit: and if you're interested in copying over the per-role configuration parameters (i.e. those documented under configuration parameters), then you could use a function like this (demo only, you may need extra error handling, security considerations, etc. for production use):

CREATE OR REPLACE FUNCTION copy_role_configs(source_role text, target_role text)
RETURNS VOID AS 
$$
DECLARE
  setconfig_val text;
  eq_pos int;
  i int = 1;
BEGIN

  LOOP

    SELECT setconfig[i] INTO setconfig_val
    FROM pg_db_role_setting WHERE
      setdatabase = 0 AND setrole =
      (SELECT oid FROM pg_authid WHERE rolname = source_role);

    EXIT WHEN setconfig_val IS NULL;

    RAISE NOTICE 'Copying config % from % to %', setconfig_val, source_role,
                  target_role;
    SELECT strpos(setconfig_val, '=') INTO eq_pos;

    EXECUTE 'ALTER ROLE ' || target_role || ' SET ' ||
               substr(setconfig_val, 0, eq_pos + 1) || '''' ||
               substr(setconfig_val, eq_pos + 1) || '''' ;

    i := i + 1;

  END LOOP;


  RETURN;
END;
$$ LANGUAGE plpgsql strict;

-- Now call SELECT copy_role_configs('role1', 'role2') to copy configuration
-- parameters from role1 to role2.

Related Solutions

PostgreSQL : Restrict (another) superuser from accessing database

francs is entirely correct. superuser means just that. They're all-powerful. They can do anything, including load additional code into the database, modify tables on disk directly, etc. See CREATE ROLE and the documentation on client authentication for more information.

If you don't trust them, don't give them superuser rights. In this case, it sounds like you should've just done a CREATE DATABASE movies WITH OWNER the_other_user and given them a normal, non-superuser login. Or if they need to create their own databases, you could give them CREATEDB rights.

The only way to restrict a superuser is by changing the C code inside PostgreSQL directly. Even then you'd probably be wasting your time, as a determined user could get around restrictions like a ProcessUtility_hook filter if they have superuser access.

Remove their superuser access. Unless they've had the foresight to backdoor your system in a way that'll let them regain access (unlikely, and not trivial) you should be OK.

ALTER USER the_user WITH NOSUPERUSER;

You can add CREATEDB rights if you want them to have the ability to create databases.

PostgreSQL Permissions – How to View Query of Another Session in pg_stat_activity Without Super User

At this point, there's no right to grant, it's hardcoded to superuser. That's been discussed on the mailing list lately, and may change in 9.5 if someone finds the time to work on it.

As a workaround, you can create a SECURITY DEFINER function that is owned by the superuser, and runs the query you want. This will allow non-superusers to see the contents of pg_stat_activity by calling the function.

E.g., run as a superuser:

CREATE FUNCTION get_sa() RETURNS SETOF pg_stat_activity AS
$$ SELECT * FROM pg_catalog.pg_stat_activity; $$
LANGUAGE sql
VOLATILE
SECURITY DEFINER;

CREATE VIEW pg_stat_activity_allusers AS SELECT * FROM get_sa();

GRANT SELECT ON pg_stat_activity_allusers TO public;

Note that free access to pg_stat_activity is restricted for a reason. It's possible to snoop sensitive information from other people's queries - imagine for example if another user was using pgcrypto. Rather than granting rights to public you should grant them only to a specific user or role that is to act as a surrogate user for monitoring.

Best Answer

Related Solutions

PostgreSQL : Restrict (another) superuser from accessing database

PostgreSQL Permissions – How to View Query of Another Session in pg_stat_activity Without Super User

Related Question