Postgresql – postgres: “alter default privileges” issue

postgresql

I am implementing a schema access model on postgres (I know oracle). Using guidance from http://bonesmoses.org/2016/02/26/pg-phriday-corralling-the-hordes/ I created a data owner account and two roles (_ro and _rw), and a second user account which is granted the _rw role.
I created a table in the Owner account which I expect to be automatically accessible via the roles because I issued a "ALTER DEFAULT PRIVILEGES" command to automatically issue GRANTs in future-created tables. However, when I log in as the user account, a select on the table returns "ERROR: permission denied for relation checklist1new"

Create the Owner account

CREATE   USER access1 WITH PASSWORD 'whatever';
CREATE SCHEMA access1 AUTHORIZATION access1;
ALTER USER access1 SET search_path = access1;
ALTER SCHEMA access1 OWNER TO access1;

CREATE GROUP access1_ro;
CREATE GROUP access1_rw;

GRANT USAGE ON SCHEMA access1 TO access1_ro;
GRANT USAGE ON SCHEMA access1 TO access1_rw;

ALTER DEFAULT PRIVILEGES FOR USER access1
   IN SCHEMA access1 GRANT SELECT ON TABLES TO access1_ro;

ALTER DEFAULT PRIVILEGES FOR USER access1
   IN SCHEMA access1 GRANT INSERT, UPDATE, DELETE ON TABLES TO access1_rw;

ALTER DEFAULT PRIVILEGES FOR USER access1 IN SCHEMA access1
GRANT USAGE ON SEQUENCES TO access1_rw;

ALTER DEFAULT PRIVILEGES FOR USER access1 IN SCHEMA access1
REVOKE EXECUTE ON FUNCTIONS FROM PUBLIC;

CREATE TABLE TEST_TABLE_access1(col1 integer);

Create the user account

CREATE USER user1 WITH PASSWORD 'whatever';
GRANT CONNECT on DATABASE rwinkwavu to user1;
GRANT access1_rw to user1;

Attempt to query the table, logged in as user1

select * from access1.TEST_TABLE_access1
ERROR:  permission denied for relation TEST_TABLE_access1

I expected this query to return 0 rows. What am I doing wrong?
Postgres 9.4 on macOS.

Best Answer

Either you've forgot to add a permission to SELECT in the GRANT below, quoted from the question:

ALTER DEFAULT PRIVILEGES FOR USER access1
   IN SCHEMA access1 GRANT INSERT, UPDATE, DELETE ON TABLES TO access1_rw;

... or, if you really meant that having the role access1_rw doesn't let read the tables even tough it lets write to them, then you must grant the role access1_ro to user1 (in addition to granting the role access1_rw).

Not having either of those has the consequence that user1 was never granted the right to SELECT from tables in the mentioned schema.

Related Solutions

Postgresql – Alter default privileges for role

janerole has been granted ALL privileges and johnrole has only been granted the SELECT privilege.

You got at least one aspect of the command backwards in all your attempts:
Alter default privileges for the role that creates objects - which in turn grants privileges to another role. I.e.:

ALTER DEFAULT PRIVILEGES FOR ROLE janerole IN SCHEMA public
GRANT SELECT ON TABLES TO johnrole;

Do this while logged in as janerole (or a member of the role).

Note that default privileges only apply to the target role, not to members of this role.

And don't forget to GRANT USAGE ON SEQUENCES as well if you have any serial columns. Possibly SELECT and UPDATE, too.

There may be more problems, the question is not completely clear.

Note: There is an open bug in pgAdmin, the display can be incorrect (still kicking in the current pgAdmin 1.22).

Postgresql – ALTER DEFAULT PRIVILEGES – permission denied

The problem here is the ALTER DEFAULT PRIVILEGES statement you issued will apply only to tables that are created by user_name:

You can change default privileges only for objects that will be created by yourself or by roles that you are a member of.

and

target_role

The name of an existing role of which the current role is a member. If FOR ROLE is omitted, the current role is assumed.

So in your case you either use

ALTER DEFAULT PRIVILEGES 
    IN SCHEMA schema_name
    GRANT SELECT ON TABLES TO user_name;

(without the FOR USER clause), or create the table as user_name (in which case they'll be the owner, therefore no need to grant anything).

In any case, it's a good practice to always create DB objects as a given user, so that the access privileges are predictable.

Best Answer

Related Solutions

Postgresql – Alter default privileges for role

Postgresql – ALTER DEFAULT PRIVILEGES – permission denied

Related Question