PostgreSQL – How to Grant DROP TABLE/FUNCTION Privileges to a Role

permissionspostgresql

I want to grant drop privileges on all tables and functions (not only those owned by the user) in certain schema of a specific database to a specific role. However, GRANT ALL PRIVILEGES is not enough and I didn't find how to do without making the role a superuser – superuser has rights over other databases on the same server, which is not what I want. I wouldn't mind superuser privileges limited to a specific database, but I'm not sure how to do it.

My code:

CREATE USER _administrator PASSWORD 'pwd12345';
CREATE ROLE administrator NOLOGIN ADMIN _administrator;

GRANT ALL PRIVILEGES ON DATABASE "myDB" TO administrator;
GRANT ALL PRIVILEGES ON SCHEMA public TO administrator;
GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO administrator;
GRANT ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA public TO administrator;
GRANT ALL PRIVILEGES ON ALL FUNCTIONS IN SCHEMA public TO administrator;

administrator is the group of myDB database administrators, _administrator is the most powerful role my client app will be able to log in as.

What I did miss or do wrong?

Best Answer

Only the owner (and superusers) can drop objects. Per documentation:

The right to drop an object, or to alter its definition in any way, is not treated as a grantable privilege; it is inherent in the owner, and cannot be granted or revoked. (However, a similar effect can be obtained by granting or revoking membership in the role that owns the object; see below.) The owner implicitly has all grant options for the object, too.

So, make administrator own such objects that users should be able to drop.

ALTER FUNCTION foo() OWNER TO administrator;
ALTER TABLE foo      OWNER TO administrator;

And you remembered to actually grant group membership, right?

GRANT administrator TO _administrator;

Answer to question asked

To look for the function in the error message and its owner:

SELECT oid::regprocedure AS function
     , pg_get_userbyid(proowner) AS owner
FROM   pg_proc
WHERE  oid = 'text(boolean)'::regprocedure;

DROP FUNCTION without knowing the number/type of parameters?

Actual problem

The error message says:

DETAIL: privileges for function text(boolean)

It's not about ownership but about privileges.

The manual for DROP ROLE:

Before dropping the role, you must drop all the objects it owns (or reassign their ownership) and revoke any privileges the role has been granted on other objects.

And for ALTER DEFAULT PRIVILEGES:

If you wish to drop a role for which the default privileges have been altered, it is necessary to reverse the changes in its default privileges or use DROP OWNED BY to get rid of the default privileges entry for the role.

It also looks like you only executed REASSIGN OWNED in one DB, but the manual instructs:

Because REASSIGN OWNED does not affect objects within other databases, it is usually necessary to execute this command in each database that contains objects owned by a role that is to be removed.

Bold emphasis mine.

And you restricted your commands with IN SCHEMA public. Drop that clause to target the whole DB. But don't bother, there is a ...

Simple solution with `DROP OWNED`

REASSIGN OWNED BY user1 TO postgres;
DROP OWNED BY user1;

All the role's objects changed ownership to postgres with the first command and are safe now. The wording of DROP OWNED is a bit misleading, since it also gets rid of all privileges and default privileges. The manual for DROP OWNED:

DROP OWNED drops all the objects within the current database that are owned by one of the specified roles. Any privileges granted to the given roles on objects in the current database and on shared objects (databases, tablespaces) will also be revoked.

Repeat in all relevant DBs, then you can move in for the kill:

DROP ROLE user1;

PostgreSQL – How to Grant Privileges as Superuser

ALTER DEFAULT PRIVILEGES without a FOR ROLE clause alters the default privileges for objects created by only the current role (the role executing the ALTER DEFAULT PRIVILEGES). So in the first case, you altered the superuser's default privileges, which has no effect on testuser's default privileges.

Best Answer

Related Solutions

PostgreSQL – Find Objects Linked to a Role

Answer to question asked

Actual problem

Simple solution with DROP OWNED

PostgreSQL – How to Grant Privileges as Superuser

Related Question

Simple solution with `DROP OWNED`