Postgresql – How to grant only functions while revoking tables

permissionspostgresql

I am a newbie to PostgreSQL, and configuring a new database.

I wrote several functions for indirect access(read/write) to data, and I want to prohibit all direct access to table.

GRANT CONNECT ON DATABASE db1 TO role1;
GRANT USAGE ON SCHEMA schema1 TO role1;

REVOKE ALL ON table1 FROM role1;
GRANT ALL ON ALL FUNCTIONS IN SCHEMA schema1 TO role1;

If I don't REVOKE table privilege, direct table access will be allowed. If I REVOKE table privilege, and GRANT functions, Users access the functions but see table access restriction error.

psql:./test1.psql:6: ERROR:  permission denied for relation table1

How can I make user role1 can access data using only functions while disallowing all direct access to table? I think I missed something, but I can't figure it out.

P.S. I am using Postgres 9.2.x.

Best Answer

You want to make your functions SECURITY DEFINER and have them owned by a user that does have the requisite rights.

Be very careful when coding SECURITY DEFINER functions. Don't make them owned by a superuser and read the manual carefully. Create a role that has only the rights required and no more; give it ownership of the SECURITY DEFINER functions. Where appropriate create multiple roles for different access levels.

See CREATE FUNCTION.

Related Solutions

SQL Server Permissions – Grant Select Access to a User in a View Without Table Access

If you want users to select from the view, why are you granting to the table? By "revoke" do you mean explicitly revoke/deny? Deny will override grant so there's your problem... you should be able to accomplish this by adding grant to the view and not doing anything either way on the tables.

Here's a quick example where SELECT has not been explicitly granted on the table, but has been on the view. The user can select from the view but not the table.

CREATE USER foo WITHOUT LOGIN;
GO
CREATE TABLE dbo.a(id INT);
CREATE TABLE dbo.b(id INT);
GO
CREATE VIEW dbo.v 
AS 
  SELECT a.id FROM a INNER JOIN b ON a.id = b.id;
GO
GRANT SELECT ON dbo.v TO foo;
GO
EXECUTE AS USER = N'foo';
GO
-- works:
SELECT id FROM dbo.v;
GO
-- Msg 229, SELECT denied:
SELECT id FROM dbo.a;
GO
REVERT;

Note that this assumes foo has not been granted elevated privileges through explicit permissions on the schema or database, or through role or group membership.

Since you are using tables in multiple databases (sorry I missed the end of that first sentence initially), you also may need explicit grants on the table(s) in the database where the view does not exist. In order to avoid granting select to the table(s), you could create a view in each database, and then join the views.

Create two databases and a login:

CREATE DATABASE d1;
GO
CREATE DATABASE d2;
GO
USE [master];
GO
CREATE LOGIN blat WITH PASSWORD = 'x', CHECK_POLICY = OFF;
GO

In database d1, create a user, then create a table and a simple view against that table. Grant select to the user only against the view:

USE d1;
GO
CREATE USER blat FROM LOGIN blat;
GO
CREATE TABLE dbo.t1(id INT);
GO
CREATE VIEW dbo.v1
AS
  SELECT id FROM dbo.t1;
GO
GRANT SELECT ON dbo.v1 TO blat;
GO

Now, in the second database, create the user, then create another table and a view that joins that table to the view in d1. Grant select only to the view.

USE d2;
GO
CREATE USER blat FROM LOGIN blat;
GO
CREATE TABLE dbo.t2(id INT);
GO
CREATE VIEW dbo.v2
AS
  SELECT v1.id FROM dbo.t2 
    INNER JOIN d1.dbo.v1 AS v1
    ON t2.id = v1.id;
GO
GRANT SELECT ON dbo.v2 TO blat;
GO

Now launch a new query window and change the credentials to be for the login blat (EXECUTE AS does not work here). Then run the following from the context of either database, and it should work fine:

SELECT id FROM d1.dbo.v2;

These should both yield Msg 229 errors:

SELECT id FROM d1.dbo.t1;
GO
SELECT id FROM d2.dbo.t2;

Results:

Msg 229, Level 14, State 5, Line 1
The SELECT permission was denied on the object 't1', database 'd1', schema 'dbo'.
Msg 229, Level 14, State 5, Line 3
The SELECT permission was denied on the object 't2', database 'd2', schema 'dbo'.

SQL Server 2008 R2 – How to Deny DBO Schema Permission

Restarting Management Studio fixed it.

It looks like it was some sort of glitch - for some reason, it was acting like I was using AppUser to run the query. I double checked and I was definitely logged in using sa, so I'm not sure what happened.

I realised when I tried to change permissions for the new schema, which had previously completed successfully and was now giving the same message. I tried to remove the login and just try setting it up again, and it gave the error that the user was still logged in, despite me closing all instances of Management Studio aside from the one I was currently using with the sa account. I tried to kill the session using the advice from this post, but it gave an error about not having permission (at this point I double checked yet again that I was definitely using the sa account). In the end I closed the current instance too, logged back in as sa, and it has worked fine since - I can grant/deny on the new schema and dbo for AppUser.

Best Answer

Related Solutions

SQL Server Permissions – Grant Select Access to a User in a View Without Table Access

SQL Server 2008 R2 – How to Deny DBO Schema Permission

Related Question