From: | Erik Wienhold <ewie(at)ewie(dot)name> |
---|---|
To: | Andrus <kobruleht2(at)hot(dot)ee>, pgsql-general <pgsql-general(at)postgresql(dot)org> |
Subject: | Re: How to remove user specific grant and revoke |
Date: | 2023-06-03 12:46:16 |
Message-ID: | 2140448238.796716.1685796376553@office.mailbox.org |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-general |
> On 03/06/2023 09:16 CEST Andrus <kobruleht2(at)hot(dot)ee> wrote:
>
> User groups table is defined as
>
> CREATE TABLE IF NOT EXISTS public.kaspriv
> (
> id serial primary key,
> user character(10) NOT NULL,
> group character(35) NOT NULL
> ...
> )
>
> There are hundreds of users. Earlier time grant and revoke commands were
> executed for every user separately. Later revoke and grant commands for
> public were added:
>
> REVOKE ALL ON TABLE public.kaspriv FROM PUBLIC;
> GRANT SELECT ON TABLE public.kaspriv TO PUBLIC;
>
> pgAdmin SQL tab still shows revoke and grant commands for every user also:
>
> REVOKE ALL ON TABLE public.kaspriv FROM PUBLIC;
> REVOKE ALL ON TABLE public.kaspriv FROM someuser;
> REVOKE ALL ON TABLE public.kaspriv FROM someotheruser;
> ...
> GRANT SELECT ON TABLE public.kaspriv TO PUBLIC;
> GRANT SELECT ON TABLE public.kaspriv TO someuser;
> GRANT SELECT ON TABLE public.kaspriv TO someother;
> ...
>
> How to remove those unnecessary user-specific GRANT and REVOKE commands to
> make rights cleaner? pgAdmin does not have delete option for those.
When you run
REVOKE SELECT ON TABLE public.kaspriv FROM someuser;
does it also remove the accompanying REVOKE ALL statement for that user?
That REVOKE SELECT should remove the ACL for someuser from pg_class.relacl and
pgAdmin should no longer find any ACL for that role and thus no longer emit
REVOKE ALL.
> Something like
>
> DROP REVOKE ALL ON TABLE public.kaspriv FROM all EXCEPT public;
> DROP GRANT SELECT ON TABLE public.kaspriv FROM all EXCEPT public;
>
> This will be one-time action. It can be done manually in pgadmin or using
> some script running once.
Automate this with aclexplode[0] to get the privileges for specific grantees.
Loop over the result set in a DO block, generate the REVOKE commands, and
EXECUTE them.
SELECT acl.grantee::regrole, acl.privilege_type
FROM pg_class, aclexplode(relacl) acl
WHERE oid = 'public.kaspriv'::regclass;
> Using
>
> PostgreSQL 12.2 (Debian 12.2-2.pgdg100+1) on x86_64-pc-linux-gnu,
> compiled by gcc (Debian 8.3.0-6) 8.3.0, 64-bit
>
> and latest pgAdmin 7.2
[0] https://www.postgresql.org/docs/12/functions-info.html#FUNCTIONS-ACLITEM-FN-TABLE
--
Erik
From | Date | Subject | |
---|---|---|---|
Next Message | Erik Wienhold | 2023-06-03 13:07:52 | Re: How to remove user specific grant and revoke |
Previous Message | Rajiv Harlalka | 2023-06-03 10:12:00 | Number of dashes in the expanded view of psql |