Postgresql – how do you revoke create table from a user on postgresql 9.4

permissionspostgresqlpostgresql-9.4

I'm trying to create a postgresql user that can select but can't create or drop, insert and so on on a database but I cannot for the life of me figure out how to prevent a user from creating its own tables.

What I've done so far:

create database test;
create role readonly;
alter role readonly with login;
alter role readonly with encrypted password 'test';
revoke all on schema public from public;
revoke all on schema public from readonly;
revoke all on database test from public;
revoke all on database test from readonly;
grant connect on database test to readonly;

Yet when I log in to the database as readonly I'm still able to create tables with impunity. What am I missing?

Best Answer

According to the documentation, what one needs for creating tables in a schema is CREATE on that schema. This you think you revoked, but as you experience it didn't really happen - the only plausible explanation is that from Daniel's comment: you are revoking access on the schemas of another database.

When you clear this up, you'll still need to grant/revoke the following:

GRANT USAGE ON SCHEMA public TO readonly; to be able to access the objects in there
REVOKE ALL ON ALL TABLES IN SCHEMA public FROM public, readonly;
GRANT SELECT ON ALL TABLES IN SCHEMA public TO readonly;
and, if you plan to add new objects (tables) later, you have to set the default privileges, too.

Related Solutions

PostgreSQL – Why New User Can Create Table

When you create a new database, any role is allowed to create objects in the public schema. To remove this possibility, you may issue immediately after the database creation:

REVOKE ALL ON schema public FROM public;

Edit: after the above command, only a superuser may create new objects inside the public schema, which is not practical. Assuming a non-superuser foo_user should be granted this privilege, this should be done with:

GRANT ALL ON schema public TO foo_user;

To know what ALL means for a schema, we must refer to GRANT in the doc, (in PG 9.2 there are no less than 14 forms of GRANT statements that apply to different things...). It appears that for a schema it means CREATE and USAGE.

On the other hand, GRANT ALL PRIVILEGES ON DATABASE... will grant CONNECT and CREATE and TEMP, but CREATE in this context relates to schemas, not permanent tables.

Regarding this error: ERROR: no schema has been selected to create in, it happens when trying to create an object without schema qualification (as in create table foo(...)) while lacking the permission to create it in any schema of the search_path.

Sql-server – SQL Server user cannot select from a table it just created

Granting schema modification is not, and should not be, the same as granting DML rights. Grant the user the exact rights that user needs, including 'SELECT', etc, as necessary.

See https://msdn.microsoft.com/en-us/library/ms178569.aspx for details.

Best Answer

Related Solutions

PostgreSQL – Why New User Can Create Table

Sql-server – SQL Server user cannot select from a table it just created

Related Question