Re: permissions on tables - Mailing list pgsql-admin

From Vishal Arora
Subject Re: permissions on tables
Date
Msg-id BLU110-W2436096647179BFE8F1D71A9070@phx.gbl
Whole thread Raw
In response to Re: permissions on tables  (Vishal Arora <aroravishal22@hotmail.com>)
List pgsql-admin


While creating roles using PgAdmin, there is a check box stating "Inherits rights from parent roles" if you do not check that option that implicitly means you need NOINHERIT. If you create a role using CL, and do not mention anything, then INHERIT is the default option.


Subject: Re: [ADMIN] permissions on tables
Date: Tue, 18 Mar 2008 08:30:31 -0400
From: Gordon.Hyatt@joslin.harvard.edu
To: pgsql-admin@postgresql.org

.ExternalClass .EC_shape {;} .ExternalClass EC_p.MsoNormal, .ExternalClass EC_li.MsoNormal, .ExternalClass EC_div.MsoNormal {margin-bottom:.0001pt;font-size:12.0pt;font-family:'Times New Roman';} .ExternalClass a:link, .ExternalClass EC_span.MsoHyperlink {color:blue;text-decoration:underline;} .ExternalClass a:visited, .ExternalClass EC_span.MsoHyperlinkFollowed {color:purple;text-decoration:underline;} .ExternalClass EC_span.EmailStyle17 {font-family:Arial;color:windowtext;} .ExternalClass EC_div.Section1 {page:Section1;} .ExternalClass EC_p.MsoNormal, .ExternalClass EC_li.MsoNormal, .ExternalClass EC_div.MsoNormal {margin-bottom:.0001pt;font-size:12.0pt;font-family:'Times New Roman';} .ExternalClass a:link, .ExternalClass EC_span.MsoHyperlink {color:blue;text-decoration:underline;} .ExternalClass a:visited, .ExternalClass EC_span.MsoHyperlinkFollowed {color:blue;text-decoration:underline;} .ExternalClass p {margin-right:0in;margin-left:0in;font-size:12.0pt;font-family:'Times New Roman';} .ExternalClass EC_span.EmailStyle18 {font-family:Arial;color:navy;} @page Section1 {size:8.5in 11.0in;} .ExternalClass EC_div.Section1 {page:Section1;}

Thanks for your response.

 

I did not explicitly use NOINHERIT (in fact I used the PgAdmin v1.6.3 New Login Role and new Group Role wizard to create the user).  I see that NOINHERIT is specified when I look at the SQL pane in PgAdmin for that login role.

 

I’ll remove and recreate that user allowing permissions to inherit from parent roles. 

 

It seems to me that one would usually (not always) want user roles to inherit privileges from parent roles (including group roles).  Do you know why PgAdmin defaults to NOINHERIT on user roles? 

 

Please use PgAdmin Support (pgadmin-support@postgresql.org) mailing list for PgAdmin related queries.



 

 

Thanks, again.

 

Gord

 

 


From: Vishal Arora [mailto:aroravishal22@hotmail.com]
Sent: Tuesday, March 18, 2008 4:33 AM
To: Hyatt, Gordon; pgsql-admin@postgresql.org
Subject: RE: [ADMIN] permissions on tables

 





Subject: [ADMIN] permissions on tables
Date: Mon, 17 Mar 2008 16:26:27 -0400
From: Gordon.Hyatt@joslin.harvard.edu
To: pgsql-admin@postgresql.org

Forgive me if this is not the correct list for this type of question.

 

I thought I understood PostgreSQL’s privileges well enough, but I’m running into problems, so I must misunderstand something. 

 

I have a website that I’m adding functionality to, and therefore need to expand the database.  The database already contains around 30 populated tables with 1 group role (group_reader) and 1 user role (user_reader).  To all existing tables, I’d assigned PUBLIC and group_reader SELECT privilege. 

 

Everything is working fine.

 

Now, I created one more group role (called group_writer) and another user role (user_writer) and make sure that user_writer is a member of group_writer.

 

Did you use NOINHERIT while creating the user role? if yes, please create it without this parameter.

 

I then explicitly grant group_writer SELECT privilege on all tables.  (I know this is technically not necessary as PUBLIC has already been assigned SELECT privilege.)

 

I created (tbl_batch) and deliberately decided to not grant PUBLIC access to this table.  Instead, I granted group_writer SELECT, INSERT, UPDATE, and DELETE privileges to this table.  Looking at the ACL list for this table confirms this.

 

When I attempt to access this table as user_writer, I’m denied access.  I’m access this through Tomcat and verifying the connected user as user_writer.

 

I shouldn’t have to grant the PUBLIC  group full access to this table as well, should I?

 

From what I understand of the manual, a user’s privileges are the SUM of the privileges of all groups of which that user is a member.  Therefore, user_writer’s privileges should be {SELECT, INSERT, UPDATE, DELETE} from group_writer plus {} from PUBLIC, which should yield {SELECT, INSERT, UPDATE, DELETE}.

 

 

BTW, I’m running 8.2.6 on WinXP x64 SP2.

 

 

Thanks,

 

Gord

 

 


Detailed profiles 4 marriage! Only at Shaadi.com Try it!



Post free auto ads on Yello Classifieds now! Try it now!


Live the life in style with MSN Lifestyle. Check out! Try it now!

pgsql-admin by date:

Previous
From: Vishal Arora
Date:
Subject: Re: Locks with no database or relation
Next
From: Jan-Peter.Seifert@gmx.de
Date:
Subject: LATIN1 with German Locale on Windows