Postgres Pro
Downloads
Home   >   mailing lists

Thread: Grant privs on entire database, not table-by-table-by-table

Grant privs on entire database, not table-by-table-by-table

From
James Long
Date:
Under a normal role, I am the owner of a database.

CREATE DATABASE buddy_db WITH TEMPLATE = template0 ENCODING = 'SQL_ASCII';

ALTER DATABASE buddy_db OWNER TO james;


As superuser, I have granted all privs on that database to
another role:

$ psql -U pgsql buddy_db
Welcome to psql 8.3.15, the PostgreSQL interactive terminal.

Type:  \copyright for distribution terms
       \h for help with SQL commands
       \? for help with psql commands
       \g or terminate with semicolon to execute query
       \q to quit

buddy_db=# grant all on database buddy_db to buddy;
GRANT
buddy_db=#


But now when I use that role to connect to that database, I don't
have privs:

$ psql -U buddy buddy_db
Welcome to psql 8.3.15, the PostgreSQL interactive terminal.

Type:  \copyright for distribution terms
       \h for help with SQL commands
       \? for help with psql commands
       \g or terminate with semicolon to execute query
       \q to quit

buddy_db=> \d
              List of relations
 Schema |        Name         | Type  | Owner
--------+---------------------+-------+-------
 public | colors              | table | james
 public | shapes              | table | james
 public | sounds              | table | james
(3 rows)

buddy_db=> select sum(1) from sounds;
ERROR:  permission denied for relation sounds
buddy_db=>

What am I doing wrong?

Thank you!


Jim

Re: Grant privs on entire database, not table-by-table-by-table

From
Jaime Casanova
Date:
On Mon, Nov 21, 2011 at 10:57 PM, James Long
<pgsql-novice@museum.rain.com> wrote:
>
> buddy_db=# grant all on database buddy_db to buddy;
> GRANT
> buddy_db=#
>

this is not for granting privileges on all objects in the database but
for granting all types of privileges on the database to this user.
types of privileges for a database are: CREATE | CONNECT | TEMPORARY |
TEMP

what you're looking for is not possible in 8.3, the ability to grant
privileges to several objects in 1 command was introduced in 9.0 and
even there is limited to one kind of object in one schema at a time.

a workaround in 8.3 would be to read the catalogs and generate a
script, below sql would generate such a script for tables you should
try to make your own for other objects:
"""
copy
(select 'GRANT ALL ON TABLE ' || table_schema || '.' || table_name ||
' TO buddy; '
    from information_schema.tables
  where table_schema not in ('pg_catalog', 'information_schema')
     and table_type = 'BASE TABLE'
) to '/tmp/grants.sql';
"""
--
Jaime Casanova         www.2ndQuadrant.com
Professional PostgreSQL: Soporte 24x7 y capacitación