Postgresql – Despite of using GRANT … ON ALL TABLES (or ALL SEQUENCES) TO user, user cannot access newly created tables (or sequences)

permissionspostgresql

For a production server, I wanted to separate the super user, admin and app roles to limit scope of mistakes.

So I've created an account that our app uses to access the DB, and an admin account. The admin account is also used to run migrations to create tables.

I thought I'd ironed out all the issues, the app user can access all existing tables (which were created by the super user), however having now run a migration that creates a table, the app has no access to that table.

The users were granted access with the following commands:

GRANT CREATE, CONNECT ON DATABASE test TO admin;
GRANT SELECT, INSERT, UPDATE, DELETE, REFERENCES ON ALL TABLES IN SCHEMA public 
  TO admin;
GRANT USAGE, SELECT ON ALL SEQUENCES IN SCHEMA public TO admin;

GRANT CONNECT ON DATABASE test TO api;
GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA public
  TO api;
GRANT USAGE, SELECT ON ALL SEQUENCES IN SCHEMA public TO api;

Then the admin user ran CREATE TABLE new_table; and trying to access that table, the app gets permission denied for relation new_table

1) What grant am I missing to allow api access to the new table
2) Out of curiousity, if I didn't have a record of the previous grants, how would I examine the grants of the users and discover the privilege that's missing

Best Answer

ALL TABLES/ALL SEQUENCES in that context means all tables/sequences that exist now, at the time the grant is issued. It doesn't include tables/sequences created after the grant was issued.

Your first option is to include the grants explicitly in the migrate scripts. Every time you create a table/sequence also issue the respective grants to api.

Or you can alter the default privileges. In Postgres default privileges can be stored, that will be applied to a newly created object automatically. You can change them with ALTER DEFAULT PRIVILEGES.

In your case your probably after

ALTER DEFAULT PRIVILEGES IN SCHEMA public
                            GRANT SELECT,
                                  INSERT,
                                  UPDATE,
                                  DELETE
                                  ON TABLES
                                  TO api;

and

ALTER DEFAULT PRIVILEGES IN SCHEMA public
                            GRANT USAGE,
                                  SELECT
                                  ON SEQUENCES
                                  TO api;

Note that the migration scripts need to run under the same user, that did the ALTER DEFAULT PRIVILEGES for them to take effect.

The privileges on objects can be obtained via the pg_class catalog table. For example, if you wanted to query all regular tables in the schema public you could do:

SELECT rel.relname,
       rel.relacl
       FROM pg_class rel
            INNER JOIN pg_namespace nsp
                       ON nsp.oid = rel.relnamespace
       WHERE nsp.nspname = 'public'
             AND rel.relkind = 'r';

For sequences the relkind is S instead of r, so

SELECT rel.relname,
       rel.relacl
       FROM pg_class rel
            INNER JOIN pg_namespace nsp
                       ON nsp.oid = rel.relnamespace
       WHERE nsp.nspname = 'public'
             AND rel.relkind = 'S';

would give you the sequences in public.

The column relname displays the object's name and relacl holds an array of the privileges on the object in form of an aclitem. An ACL is represented by a string of the form <grantee>=<privileges>/<grantor>. <grantee> can be empty if the privileges are granted to public. <privileges> encodes the privileges in form of a string of letters. In your case you want to see api=arwd/admin for a regular table and api=rU/admin for sequences.

a is for "append" (INSERT),
r for "read" (SELECT),
w for "write" (UPDATE),
d for DELETE and
U for USAGE.

More details on the ACLs can be found in the manual on GRANT

Explicit granting is more "secure" in the way, that you don't "forget" the default privileges are in place one day when creating a table api shouldn't be able to access. You'd have to explicitly revoke the privileges after the creation of the object in such a case.

Using default privileges is more convenient of course.

Related Solutions

Postgresql – Created user can access all databases in PostgreSQL without any grants

At the SQL level, every user can indeed connect to a newly created database, until the following SQL command is issued:

REVOKE connect ON DATABASE database_name FROM PUBLIC;

Once done, each user or role that should be able to connect has to be granted explicitly the connect privilege:

GRANT connect ON DATABASE database_name TO rolename;

Edit: In a multi-tenant scenario, more than just the connect privilege would be removed. For multi-tenancy tips and best practices, you may want to read on the postgresql public wiki: Shared Database Hosting and Managing rights in PostgreSQL.

Postgresql – Granting access to all tables for a user

First, you have to be able to connect to the database in order to run queries. This can be achieved by

REVOKE CONNECT ON DATABASE your_database FROM PUBLIC;

GRANT CONNECT
ON DATABASE database_name 
TO user_name;

The REVOKE is necessary because

The key word PUBLIC indicates that the privileges are to be granted to all roles, including those that might be created later. PUBLIC can be thought of as an implicitly defined group that always includes all roles. Any particular role will have the sum of privileges granted directly to it, privileges granted to any role it is presently a member of, and privileges granted to PUBLIC.

If you really want to restrict your user to DML statements, then you have a little more to do:

REVOKE ALL
ON ALL TABLES IN SCHEMA public 
FROM PUBLIC;

GRANT SELECT, INSERT, UPDATE, DELETE
ON ALL TABLES IN SCHEMA public 
TO user_name;

These assume that you will have only one schema (which is named 'public' by default).

As Jack Douglas pointed out, the above only gives the privileges for the already existing tables. To achieve the same for future tables, you have to define default privileges:

ALTER DEFAULT PRIVILEGES 
    FOR ROLE some_role   -- Alternatively "FOR USER"
    IN SCHEMA public
    GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO user_name;

Here, some_role is a role that creates the tables, while user_name is the one who gets the privileges. Defining this, you have to be logged in as some_role or a member of it.

And, finally, you have to do the same for the sequences (thanks to PlaidFan for pointing it out) - here it is the USAGE privilege that you need.

Best Answer

Related Solutions

Postgresql – Created user can access all databases in PostgreSQL without any grants

Postgresql – Granting access to all tables for a user

Related Question