Postgres Pro
Downloads
Home   >   mailing lists

Re: How to remove user specific grant and revoke - Mailing list pgsql-general

From Erik Wienhold
Subject Re: How to remove user specific grant and revoke
Date
Msg-id 2140448238.796716.1685796376553@office.mailbox.org
Whole thread Raw
In response to How to remove user specific grant and revoke  (Andrus <kobruleht2@hot.ee>)
Responses Re: How to remove user specific grant and revoke
List pgsql-general
Tree view 
> On 03/06/2023 09:16 CEST Andrus <kobruleht2@hot.ee> wrote:
>
> User groups table is defined as
>
> CREATE TABLE IF NOT EXISTS public.kaspriv
> (
> id serial primary key,
> user character(10) NOT NULL,
> group character(35) NOT NULL
> ...
> )
>
> There are hundreds of users. Earlier time grant and revoke commands were
> executed for every user separately. Later revoke and grant commands for
> public were added:
>
> REVOKE ALL ON TABLE public.kaspriv FROM PUBLIC;
> GRANT SELECT ON TABLE public.kaspriv TO PUBLIC;
>
> pgAdmin SQL tab still shows revoke and grant commands for every user also:
>
> REVOKE ALL ON TABLE public.kaspriv FROM PUBLIC;
> REVOKE ALL ON TABLE public.kaspriv FROM someuser;
> REVOKE ALL ON TABLE public.kaspriv FROM someotheruser;
> ...
> GRANT SELECT ON TABLE public.kaspriv TO PUBLIC;
> GRANT SELECT ON TABLE public.kaspriv TO someuser;
> GRANT SELECT ON TABLE public.kaspriv TO someother;
> ...
>
> How to remove those unnecessary user-specific GRANT and REVOKE commands to
> make rights cleaner? pgAdmin does not have delete option for those.

When you run

    REVOKE SELECT ON TABLE public.kaspriv FROM someuser;

does it also remove the accompanying REVOKE ALL statement for that user?
That REVOKE SELECT should remove the ACL for someuser from pg_class.relacl and
pgAdmin should no longer find any ACL for that role and thus no longer emit
REVOKE ALL.

> Something like
>
> DROP REVOKE ALL ON TABLE public.kaspriv FROM all EXCEPT public;
> DROP GRANT SELECT ON TABLE public.kaspriv FROM all EXCEPT public;
>
> This will be one-time action. It can be done manually in pgadmin or using
> some script running once.

Automate this with aclexplode[0] to get the privileges for specific grantees.
Loop over the result set in a DO block, generate the REVOKE commands, and
EXECUTE them.

    SELECT acl.grantee::regrole, acl.privilege_type
    FROM pg_class, aclexplode(relacl) acl
    WHERE oid = 'public.kaspriv'::regclass;

> Using
>
> PostgreSQL 12.2 (Debian 12.2-2.pgdg100+1) on x86_64-pc-linux-gnu,
> compiled by gcc (Debian 8.3.0-6) 8.3.0, 64-bit
>
> and latest pgAdmin 7.2

[0] https://www.postgresql.org/docs/12/functions-info.html#FUNCTIONS-ACLITEM-FN-TABLE

--
Erik

pgsql-general by date:

Previous
From: Rajiv Harlalka
Date:
Subject: Number of dashes in the expanded view of psql
Next
From: Erik Wienhold
Date:
Subject: Re: How to remove user specific grant and revoke