PostgreSQL – Grant Privileges to Tables in All Dynamic Schemas

amazon-rdspermissionspostgresql

We've setup an AWS Database Migration Service which migrates schema and tables from multiple sources.

The rule for migrating from source can be a wildcard on schema, meaning a schema could 'pop up' arbitrarily as it is created in the source.

From all the various granting of privileges I've seen in PostgreSQL, all seem to specify a specific schema, or loops through each existing schema.

Is there not a way to grant certain privileges to every current and future schema in a given database?

Ideally something like this would be great:

ALTER DEFAULT PRIVILEGES FOR ROLE my_role IN SCHEMA "*" GRANT SELECT ON TABLES TO my_role;

I'm aware the super_user role can be granted to a user to make this happen, but that seems awfully dirty for someone who should only have read permissions.

Appreciate the help.

Best Answer

Just omit the IN SCHEMA clause, and it applies to all schemas, so no wildcard capability for schemas is needed.

ALTER DEFAULT PRIVILEGES FOR ROLE my_role GRANT SELECT ON TABLES TO my_role;

Your real problem is likely to be the FOR ROLE clause. The above is kind of useless, as it applies only to tables (in any schema) created by my_role. But the creator of tables automatically has select privileges, so this doesn't do anything useful. Your FOR ROLE clause needs to specify who will be creating the tables (if you omit it, it means the current user). If you have multiple such creating roles, you have little option but to repeat the ALTER DEFAULT PRIVILEGES for each one. This is where the wildcard capability is really needed, but sadly does not exist.

Related Solutions

Configure Oracle user in Enterprise Manager to CREATE VIEW on any of his tables

I'm not sure if I'm understanding your question properly. I created a user with the ability to create views for his own schema.

SQL> create user view_user identified by password default tablespace users quota unlimited on users;

User created.

SQL> grant create session, create table, create view to view_user;

Grant succeeded.

SQL> connect view_user
Enter password: 
Connected.
SQL> CREATE TABLE Members (ID number(10), Name varchar2(100), Street_No varchar2(100), ZIP number(5), City varchar2(100));

Table created.

SQL> CREATE VIEW MembersNamesOnly AS SELECT ID, Name FROM Members;

View created.

SQL>

Postgresql – GRANT USAGE on all schemas in a database

You have at least two options.

The first one makes use of a small query and a text editor. We have to collect the schemata of our interest:

SELECT nspname
  FROM pg_namespace;

You can add a WHERE clause if you want to limit the scope. Copy the output and amend it, so you get a number of GRANT USAGE ON SCHEMA ... TO your_role; commands. Then just feed it to psql, for example:

psql -f multigrant.sql

A usual variant of this could be a shell script that loops over the collected names and calls psql, passing the constructed GRANT statement to the -c option.

The other solution does basically the same in one pl/pgsql block, building a dynamic query. The core is the same - we have to collect the schemata. Then we loop over all of them, granting the permissions schema by schema:

DO $do$
DECLARE
    sch text;
BEGIN
    FOR sch IN SELECT nspname FROM pg_namespace
    LOOP
        EXECUTE format($$ GRANT USAGE ON SCHEMA %I TO your_role $$, sch);
    END LOOP;
END;
$do$;

Notes:

unlike for tables, sequences, functions and types, one cannot set default privileges for schemata (as of 9.4). You will have to grant this privilege for any newly added schema manually.
here I am using dollar quoting when building the dynamic query. This allows me to use 'normal' syntax, as opposed to multiplicating single quotes, for example (not present in this example). This way most editors will highlight the statements nicely.
I also use format() with the %I format specifier to have the object name properly quoted if necessary. This approach is far more readable than building the query with concatenation of string constants and some quote_ident() calls.
pg_namespace can be found in the pg_catalog schema. Check out the other objects in there - they store every aspect of your schemas, tables and so on.

Best Answer

Related Solutions

Configure Oracle user in Enterprise Manager to CREATE VIEW on any of his tables

Postgresql – GRANT USAGE on all schemas in a database

Related Question