Revoke Connect Privilege from Database not working

From: "Ing(dot) Marijo Kristo" <marijo(dot)kristo(at)icloud(dot)com>
To: pgsql-sql(at)lists(dot)postgresql(dot)org
Subject: Revoke Connect Privilege from Database not working
Date: 2025-03-31 15:26:13
Message-ID: 6C13A1CC-3841-4A5E-BC78-C8F9C5B120BB@icloud.com
Lists: pgsql-sql


> Hello,
>
> we are using Vault to provision temporary users which get deleted after a
> while by the same user.
> For this purpose we have created a vault_admin user.
>
> postgres=# \du vault_admin
> List of roles
> Role name | Attributes
> -------------+------------------------
> vault_admin | Superuser, Create role
>
> postgres=# \l "disp_db"
>
> List of databases
>   Name   |       Owner       | Encoding | Locale Provider |  Collate   |   Ctype    | ICU Locale | ICU Rules | Access privileges
> ---------+-------------------+----------+-----------------+------------+------------+------------+-----------+--------------------------------------------------------------------------------
>  disp_db | app_disp_db_admin | UTF8     | libc            | en_US.utf8 | en_US.utf8 |            |           | app_disp_db_admin=CTc/app_disp_db_admin +
>          |                   |          |                 |            |            |            |           | app_disp_db=Tc/app_disp_db_admin +
>          |                   |          |                 |            |            |            |           | pg_database_owner=CTc/app_disp_db_admin +
>          |                   |          |                 |            |            |            |           | vault_admin=c*/app_disp_db_admin +
>          |                   |          |                 |            |            |            |           | "dev_oidc-m-kristo-rewe-group-at-2025_02_28T09_06_30+00:00"=c/vault_admin +
>          |                   |          |                 |            |            |            |           | app_disp_db_readonly=c/app_disp_db_admin
>
>
> Removing the connect privilege with the Postgres Superuser and with the
> Vault Admin user does not work.
>
> postgres=# select current_user;
> current_user
> --------------
> postgres
>
> postgres=# revoke connect on database "disp_db" from
> "dev_oidc-m-kristo-rewe-group-at-2025_02_28T09_06_30+00:00";
> REVOKE
>
> postgres=# drop user
> "dev_oidc-m-kristo-rewe-group-at-2025_02_28T09_06_30+00:00";
> ERROR: role "dev_oidc-m-kristo-rewe-group-at-2025_02_28T09_06_30+00:00"
> cannot be dropped because some objects depend on it
> DETAIL: privileges for database disp_db
>
> Same happens when trying to revoke with the vault admin user:
>
> disp_db=# select current_user;
> current_user
> --------------
> vault_admin
> (1 row)
>
> disp_db=# revoke connect on database "disp_db" from
> "dev_oidc-m-kristo-rewe-group-at-2025_02_28T09_06_30+00:00";
> REVOKE
> disp_db=# drop user
> "dev_oidc-m-kristo-rewe-group-at-2025_02_28T09_06_30+00:00";
> ERROR: role "dev_oidc-m-kristo-rewe-group-at-2025_02_28T09_06_30+00:00"
> cannot be dropped because some objects depend on it
> DETAIL: privileges for database disp_db
>
> Does not work via PSQL nor with pgadmin.
>
> Best Regards
> Marijo Kristo
>
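
Each entry in the `Access privileges` column of the `\l` output above has the form `grantee=privileges/grantor`, where `*` after a letter marks a grant option. The following is an added example, not part of the original message, that parses the entries copied from that output and lists the grants whose grantor is not the database owner; the function and constant names are hypothetical.

```python
import re
from typing import NamedTuple

# Privilege letters that appear in a database ACL (PostgreSQL aclitem format).
DB_PRIVS = {"C": "CREATE", "T": "TEMPORARY", "c": "CONNECT"}

# A role name is either double-quoted ("" escapes a quote) or a plain identifier.
NAME = r'(?:"(?:[^"]|"")*"|[^=/"]*)'
ACLITEM = re.compile(rf'^({NAME})=([A-Za-z*]*)/({NAME})$')

class Grant(NamedTuple):
    grantee: str      # an empty grantee in the aclitem means PUBLIC
    privilege: str
    grantable: bool   # True when the privilege letter is followed by '*'
    grantor: str

def unquote(name):
    if len(name) >= 2 and name.startswith('"') and name.endswith('"'):
        return name[1:-1].replace('""', '"')
    return name

def parse_aclitem(item):
    """Split one aclitem string into one Grant per privilege letter."""
    m = ACLITEM.match(item.strip())
    if not m:
        raise ValueError(f"not an aclitem: {item!r}")
    grantee = unquote(m.group(1)) or "PUBLIC"
    grantor = unquote(m.group(3))
    return [Grant(grantee, DB_PRIVS.get(letter, letter), star == "*", grantor)
            for letter, star in re.findall(r"([A-Za-z])(\*?)", m.group(2))]

def grants_not_by_owner(acl, owner):
    """Return the grants whose recorded grantor differs from the object owner."""
    return [g for item in acl for g in parse_aclitem(item) if g.grantor != owner]

# ACL entries and owner copied from the \l "disp_db" output in the message above.
DISP_DB_OWNER = "app_disp_db_admin"
DISP_DB_ACL = [
    "app_disp_db_admin=CTc/app_disp_db_admin",
    "app_disp_db=Tc/app_disp_db_admin",
    "pg_database_owner=CTc/app_disp_db_admin",
    "vault_admin=c*/app_disp_db_admin",
    '"dev_oidc-m-kristo-rewe-group-at-2025_02_28T09_06_30+00:00"=c/vault_admin',
    "app_disp_db_readonly=c/app_disp_db_admin",
]

if __name__ == "__main__":
    for g in grants_not_by_owner(DISP_DB_ACL, DISP_DB_OWNER):
        print(f"{g.privilege} to {g.grantee!r} granted by {g.grantor!r}")
```
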
