From: | Laurenz Albe <laurenz(dot)albe(at)cybertec(dot)at> |
---|---|
To: | Nicolas Paris <nicolas(dot)paris(at)riseup(dot)net>, pgsql-general(at)lists(dot)postgresql(dot)org |
Subject: | Re: Default Privilege Table ANY ROLE |
Date: | 2018-11-14 20:04:44 |
Message-ID: | 306e4be880a264c701be5dfa667a1e95de76e175.camel@cybertec.at |
Lists: | pgsql-general |
Nicolas Paris wrote:
> I'd like my user to be able to select on any new table from other users.
>
> > ALTER DEFAULT PRIVILEGES FOR ROLE "theowner1" IN SCHEMA "myschema" GRANT select ON TABLES TO "myuser"
> > ALTER DEFAULT PRIVILEGES FOR ROLE "theowner2" IN SCHEMA "myschema" GRANT select ON TABLES TO "myuser"
> > ...
>
>
> Do I really have to repeat the command for all users ?
>
> The problem is I have many users able to create tables and all of them
> have to read each other.

This is one setup that I can come up with:

    CREATE ROLE tableowner NOINHERIT;
    CREATE ROLE tablereader;
    ALTER DEFAULT PRIVILEGES FOR ROLE tableowner IN SCHEMA myschema GRANT SELECT ON TABLES TO tablereader;
    CREATE ROLE alice LOGIN IN ROLE tableowner, tablereader;
    CREATE ROLE bob LOGIN IN ROLE tableowner, tablereader;

Now whenever "alice" has to create a table, she runs

    SET ROLE tableowner;
    CREATE TABLE myschema.newtable(x integer);
    RESET ROLE;

Then all these tables belong to "tableowner", and each user in group "tablereader"
can SELECT from them:

    \z myschema.newtable
                                       Access privileges
      Schema  |   Name   | Type  |       Access privileges       | Column privileges | Policies
    ----------+----------+-------+-------------------------------+-------------------+----------
     myschema | newtable | table | tableowner=arwdDxt/tableowner+|                   |
              |          |       | tablereader=r/tableowner      |                   |
    (1 row)

Yours,
Laurenz Albe
--
Cybertec | https://www.cybertec-postgresql.com
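
An audit script for the setup in the message above, added here as an example and not part of Laurenz Albe's message. It assumes the roles and schema named there (tableowner, tablereader, alice, bob, myschema) and goes one step further by listing tables that were created without `SET ROLE tableowner`, since the default privileges only apply to tables created by "tableowner".

```sql
-- Added example: read-only catalog queries, run as a role that can see
-- the catalogs. Role and schema names are taken from the message above.

-- 1. Default privileges registered for the schema.
--    One row per (creating role, object type); 'r' means tables.
SELECT pg_get_userbyid(d.defaclrole) AS creating_role,
       n.nspname                     AS schema_name,
       d.defaclobjtype               AS object_type,
       d.defaclacl                   AS default_acl
FROM   pg_default_acl d
JOIN   pg_namespace n ON n.oid = d.defaclnamespace
WHERE  n.nspname = 'myschema';

-- 2. Tables in the schema that are NOT owned by tableowner.
--    These were created without SET ROLE, so the default privileges
--    for tableowner were never applied to them.
SELECT c.relname                   AS table_name,
       pg_get_userbyid(c.relowner) AS owner,
       c.relacl                    AS acl
FROM   pg_class c
JOIN   pg_namespace n ON n.oid = c.relnamespace
WHERE  n.nspname = 'myschema'
AND    c.relkind IN ('r', 'p')          -- ordinary and partitioned tables
AND    pg_get_userbyid(c.relowner) <> 'tableowner'
ORDER  BY c.relname;

-- 3. Effective SELECT access of each login role on each table,
--    including privileges inherited through group membership.
SELECT c.relname AS table_name,
       r.rolname AS login_role,
       has_table_privilege(r.rolname, c.oid, 'SELECT') AS can_select
FROM   pg_class c
JOIN   pg_namespace n ON n.oid = c.relnamespace
CROSS  JOIN pg_roles r
WHERE  n.nspname = 'myschema'
AND    c.relkind IN ('r', 'p')
AND    r.rolname IN ('alice', 'bob')
ORDER  BY c.relname, r.rolname;
```

Any row returned by the second query is a table that needs either `ALTER TABLE ... OWNER TO tableowner` or an explicit `GRANT SELECT` to "tablereader".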