Thread: Shared postgres-cluster / permissions
Hi
using postgres 14.2 on RHEL.
I am working on a shared postgres-cluster where users should not be able to use other users databases. I followed this guide to achieve my goal (https://wiki.postgresql.org/wiki/Shared_Database_Hosting) and it mostly works.
When creating a new database i create two roles (dbname_rw and dbnabe_ro) where the _rw-role is owner of the database. I also create a s_databse serviceuser and append it to the _rw role. More users can be created on request and are appended on the rw or ro-role.
There is a "alter default privileges in schema public" in place which grants ALL to the rw-role for new tables and select to the ro-role. but it only does it, if the rw-role is creating the table. if the user (for example serviceuser) is creating new items, it does not add this default privs. (which is by design, but bad because other users won't be able to access the table).
do you have a good way to work around this? is my role-setup "correct" or do you have a better idea how to do this? as i understood, there is no possibility to have a wildcard-default-privilege-setting, right?
thanks for any help with this!
Hi Christian, You can use event triggers for this: https://www.postgresql.org/docs/current/event-triggers.html Regards, Holger Am 17.03.22 um 11:48 schrieb Christian Lehmann: > Hi > using postgres 14.2 on RHEL. > > I am working on a shared postgres-cluster where users should not be > able to use other users databases. I followed this guide to achieve my > goal (https://wiki.postgresql.org/wiki/Shared_Database_Hosting) and it > mostly works. > > When creating a new database i create two roles (dbname_rw and > dbnabe_ro) where the _rw-role is owner of the database. I also create > a s_databse serviceuser and append it to the _rw role. More users can > be created on request and are appended on the rw or ro-role. > > There is a "alter default privileges in schema public" in place which > grants ALL to the rw-role for new tables and select to the ro-role. > but it only does it, if the rw-role is creating the table. if the user > (for example serviceuser) is creating new items, it does not add this > default privs. (which is by design, but bad because other users won't > be able to access the table). > > do you have a good way to work around this? is my role-setup "correct" > or do you have a better idea how to do this? as i understood, there is > no possibility to have a wildcard-default-privilege-setting, right? > > thanks for any help with this! -- Holger Jakobs, Bergisch Gladbach, Tel. +49-178-9759012
Attachment
On Thu, 2022-03-17 at 11:48 +0100, Christian Lehmann wrote: > There is a "alter default privileges in schema public" in place which grants ALL > to the rw-role for new tables and select to the ro-role. but it only does it, if > the rw-role is creating the table. if the user (for example serviceuser) is creating > new items, it does not add this default privs. (which is by design, but bad because > other users won't be able to access the table). > > do you have a good way to work around this? is my role-setup "correct" or do you > have a better idea how to do this? as i understood, there is no possibility to have > a wildcard-default-privilege-setting, right? You can run an ALTER DEFAULT PRIVILEGES for each user. But often it is better to have only one role own the tables. If all roles that may create tables are members of the rw-role, you can give CREATE on the schema only to that role, and anybody who wants to create an object has to SET ROLE "rw-role". Yours, Laurenz Albe -- Cybertec | https://www.cybertec-postgresql.com