From: | Erik Jones <erik(at)myemma(dot)com> |
---|---|
To: | Webb Sprague <webb(dot)sprague(at)gmail(dot)com> |
Cc: | pgsql-general(at)postgresql(dot)org |
Subject: | Re: Making a schema "read-only" (was Unexpected message in grant/revoke script) |
Date: | 2008-03-14 21:16:03 |
Message-ID: | 037ED821-8C8E-481A-8156-A5ACE88B0A7C@myemma.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-general |
On Mar 14, 2008, at 3:43 PM, Webb Sprague wrote:
> On Fri, Mar 14, 2008 at 1:30 PM, Erik Jones <erik(at)myemma(dot)com> wrote:
>>
>>
>> On Mar 14, 2008, at 3:22 PM, Webb Sprague wrote:
>>
>>>>> Start with
>>>>> revoke all on schema public from public
>>>>> and then grant only what you want.
>>>
>>> Oh -- to grant select permissions on all the tables in the public
>>> schema, do I have to do it table-by-table? I know I can write a
>>> loop
>>> an use information_schema if necessary, but if I don't have to I
>>> would
>>> like to know.
>>>
>>> Thx
>>
>> Typically what's done is to do that for one user "group" and then
>> make
>> all of your actual login users members of that group.
>
> Oh -- I guess overlapping groups would work, but wouldn't I still have
> to give select permissions to this collective role by going
> table-by-table? And I want a separate role for each person, so that
> they can't stomp all over each others data.
Yes. The best way to handle this is to grant permissions to those
groups when the tables are created rather than doing it retroactively,
although the latter isn't really that difficult. Assuming you've
revoked privileges from public to the public schema but then want to
grant SELECT privileges to some group, using this function would work
nicely:
CREATE OR REPLACE FUNCTION grant_select_for_group_to_public(rolename
varchar, tablename varchar)
RETURNS VOID AS $$
BEGIN
EXECUTE 'GRANT SELECT TO ' || rolename || ' ON ' || tablename || ';';
END;
Then you can do:
SELECT grant_select_for_group_to_public('some_group_name', c.relname)
FROM pg_class c, pg_namespace n
WHERE c.relnamespace=n.oid
AND n.nspname='public';
Hopefully from that you can see how to use this type of setup for
further specialization.
> And now I have a new problem -- what could be wrong with the alter
> schema owner to line below:
>
> revoke all on schema public from public;
> create or replace function new_student (text) returns void as $$
> declare
> t_name text;
> begin
> -- personal schema
> execute 'create role ' || $1 || ' LOGIN';
> execute 'create schema ' || $1;
> execute 'alter schema ' || $1 || ' owner to ' || $1; -- THIS
> THROWS AN ERROR see below
> execute 'grant all on schema ' || $1 || ' to ' || $1 || '
> with grant option';
>
> for t_name in select table_name from information_schema.tables
> where table_schema = 'public' order by table_name loop
> raise notice 'granting select to %s on %s', $1, t_name;
> execute 'grant select on ' || t_name || ' to ' || $1;
> end loop;
>
> end;
> $$ language plpgsql ;
>
> oregon=# select new_student('foobarbar');
> ERROR: unrecognized node type: 1651470182
> CONTEXT: SQL statement "alter schema foobarbar owner to foobarbar"
> PL/pgSQL function "new_student" line 7 at EXECUTE statement
Not sure about the nodetype bit but I do know that the user execute
the ALTER SCHEMA .. OWNER TO .. must be a member of the new owner
role, either directly or indirectly. Could this be your problem.
Btw, I typically do schema level creation and grants as superuser
which would let you specify the schema's owner when you create the
schema
CREATE SCHEMA foobar AUTHORIZATION foobar;
Also, you don't need to grant privileges on a schema to its owner.
Erik Jones
DBA | Emma®
erik(at)myemma(dot)com
800.595.4401 or 615.292.5888
615.292.0777 (fax)
Emma helps organizations everywhere communicate & market in style.
Visit us online at http://www.myemma.com
From | Date | Subject | |
---|---|---|---|
Next Message | Kynn Jones | 2008-03-14 21:38:04 | shared memory/max_locks_per_transaction error |
Previous Message | Webb Sprague | 2008-03-14 20:43:17 | Re: Making a schema "read-only" (was Unexpected message in grant/revoke script) |