Postgresql – Default Postgres privileges not showing on \ddp

postgresql-9.5

As far as I understand there are set of default Postgres public privileges. I have created user and granted him privilege using:

CREATE USER foo WITH PASSWORD 'foo';
\connect bar;
GRANT SELECT ON ALL TABLES IN SCHEMA public to foo;

and I can connect to DB with no issues. Then I taught I must have connection privilege in the default privilege set, since I didn't grant connect on database explicitly.

When I do \ddp I get 0 rows, and as far as I understood it is a way of checking default privileges per this page.

Can someone help me understand how connecting to the DB is permitted when I haven't explicitly allowed it?

Best Answer

According to the documentation, PostgreSQL does the following for PUBLIC:

PostgreSQL grants privileges on some types of objects to PUBLIC by default when the objects are created. No privileges are granted to PUBLIC by default on tables, table columns, sequences, foreign data wrappers, foreign servers, large objects, schemas, or tablespaces. For other types of objects, the default privileges granted to PUBLIC are as follows: CONNECT and TEMPORARY (create temporary tables) privileges for databases; EXECUTE privilege for functions and procedures; and USAGE privilege for languages and data types (including domains).

This implies that to prevent a new user to be able to connect to any database following must be run for each database:

revoke connect on database <db_name> from public;

Related Solutions

Postgresql – pgAdmin 9.5 not showing all databases

Can you log into your games database using psql?

What I can see is that the first image has you connecting to localhost:5432, the second (the psql connection), you're connecting to jkalancic@vps73162 - on what appears to be a telnet session - are you sure that you're looking at the same database on the same machine?

[Following OP's answer]

A tip for next time - you could install from source and not be messing with /etc/postgresql - you can never be absolutely sure that you're not mixing clients, servers and ports unless you do this. I do this all the time for installs - on Linux and I see that you're on Ubuntu, so that should be a piece of cake.

PostgreSQL is really excellent for this kind of thing. Works first time straight - and you can tailor your prompt to point to your various installs - be sure to have a shutdown (in your startup script) if you want to put more than one server on port 5432.

Postgresql – Alter default privileges for role

janerole has been granted ALL privileges and johnrole has only been granted the SELECT privilege.

You got at least one aspect of the command backwards in all your attempts:
Alter default privileges for the role that creates objects - which in turn grants privileges to another role. I.e.:

ALTER DEFAULT PRIVILEGES FOR ROLE janerole IN SCHEMA public
GRANT SELECT ON TABLES TO johnrole;

Do this while logged in as janerole (or a member of the role).

Note that default privileges only apply to the target role, not to members of this role.

And don't forget to GRANT USAGE ON SEQUENCES as well if you have any serial columns. Possibly SELECT and UPDATE, too.

There may be more problems, the question is not completely clear.

Note: There is an open bug in pgAdmin, the display can be incorrect (still kicking in the current pgAdmin 1.22).

Best Answer

Related Solutions

Postgresql – pgAdmin 9.5 not showing all databases

Postgresql – Alter default privileges for role

Related Question