Hi I'm trying to create a login role (user) with a fairly minimal ability to modify the database. They should be able to select, delete, create triggers, insert and update. I would then like to have multiple accounts which are members of user so they have the same permissions but I can log edits for individual users.
I'm using pgadmin for my database design and my program accesses this with QtSQL.
The error message I get is caught by Qt when trying to select some data as a test. When I run the same code as the database owner and superuser I have no problems.
bool run_query(const QString & q){
QSqlDatabase db = QSqlDatabase::database("default");
QSqlQuery query(db);
query.exec(q);
if (!query.isActive()){
QMessageBox::warning(0, QObject::tr("Database Error"),
query.lastError().text());
return false;
}
while (query.next()){
QString title = query.value(0).toString();
std::cerr << qPrintable(title) << std::endl;
}
return true;
}
run_query("Select forename from contacts;");
ERROR: permission denied for relation contacts
QPSQL: Unable to create query
So far I've created the role (user).
-- Role: user
-- DROP ROLE "user";
CREATE ROLE "user" LOGIN
ENCRYPTED PASSWORD 'md54d45974e13472b5a0be3533de4666414'
NOSUPERUSER INHERIT NOCREATEDB NOCREATEROLE NOREPLICATION;
COMMENT ON ROLE "user" IS 'Low level user';
As this gave the previous problems. I tried adding permissions for public for the database but this didn't work either.
Now I've no idea where to look for a solution. Any help is much appreciated.
Thanks.
Best Answer
GRANT
ingALL
permissions for public to the database is mostly redundant (as public has connect, temporary by default, so you'd only be addingCREATE
which you probably don't want to do). You probably expected aGRANT ALL
on the database to result in a recursiveGRANT ALL
to contained schemas and tables.GRANT
is not recursive, so this doesn't happen; aGRANT ALL
on a database just grantsCONNECT
andTEMPORARY
rights to the database, with no effect on contained schemas and tables.The default
GRANT
s are, from the docs on GRANT:So you can see you don't need to
GRANT
anything on the database unless you want the user to be able to create schemas, etc. You need to:GRANT USAGE ON SCHEMA myschema TO theuser;
for any schema other thanpublic
.CREATE
can be granted if you want the user to be able to make tables, views, etc.GRANT SELECT, INSERT, UPDATE, DELETE ON TABLE sometable TO theuser;
for tables. I've omitted theTRUNATE
,REFERENCES
andTRIGGER
rights as you probably don't want to grant them.GRANT USAGE ON SEQUENCE sometable_somecolumn_seq TO theuser;
for any sequences that are used in table defaults, either explicitly or via aSERIAL
orBIGSERIAL
column.... etc. See the manual for
GRANT
linked above for full definitions of what the privileges do, which are available on which objects, etc. Take note of the wildcardALL TABLES
andALL SEQUENCES
options.If this seems like too much hassle to do for each table, view, schema, sequence, etc, you can in Pg 9.1 and above use
ALTER DEFAULT PRIVILEGES
to change the defaultGRANT
s on new objects.GRANT
ALTER DEFAULT PRIVILEGES