Aw: Role for just read the data + avoid CREATE / ALTER / DROP

<html><head></head><body><div style="font-family: Verdana;font-size: 12.0px;"><div>set default_transaction_read_only can help</div>

<div>&nbsp;</div>

<div>Karsten</div>

<div>&nbsp;
<div>&nbsp;
<div name="quote" style="margin:10px 5px 5px 10px; padding: 10px 0 10px 10px; border-left:2px solid #C3D9E5; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;">
<div style="margin:0 0 10px 0;"><b>Gesendet:</b>&nbsp;Freitag, 25. August 2023 um 14:38 Uhr<br/>
<b>Von:</b>&nbsp;&quot;Durumdara&quot; &lt;durumdara(at)gmail(dot)com&gt;<br/>
<b>An:</b>&nbsp;&quot;Postgres General&quot; &lt;pgsql-general(at)postgresql(dot)org&gt;<br/>
<b>Betreff:</b>&nbsp;Role for just read the data + avoid CREATE / ALTER / DROP</div>

<div name="quoted-content">
<div>Dear Members!
<div>&nbsp;</div>

<div>Normally&nbsp;we use the &quot;db owner&quot; role for the connection, but this can do everything (DDL-DML).</div>

<div>Somewhere they want to access a DB through a Read Only connection.</div>

<div>&nbsp;</div>

<div>In MS-SQL&nbsp;Server it is simple, but in PG it seems to be some kind of &quot;hell&quot;.</div>

<div>Formerly we tried to use multiple roles with lower rights, but we had wrong experiences with them, so we stopped very soon.</div>

<div>&nbsp;</div>

<div>So: is there any easier way to make ReadOnly access to a database?</div>

<div>&nbsp;</div>

<div>I&#39;ve tried with this command:</div>

<div>&nbsp;</div>

<blockquote style="margin: 0 0 0 40.0px;border: none;padding: 0.0px;">
<div><font color="#0000ff" face="monospace">CREATE ROLE u_tdb_ro WITH LOGIN;</font></div>

<div>
<div><font color="#0000ff" face="monospace">REVOKE ALL PRIVILEGES ON SCHEMA public FROM u_tdb_ro;<br/>
REVOKE ALL ON DATABASE tdb FROM u_tdb_ro;<br/>
<br/>
GRANT CONNECT ON DATABASE tdb TO u_tdb_ro;<br/>
GRANT USAGE ON SCHEMA public TO u_tdb_ro;<br/>
<br/>
REVOKE ALL ON ALL TABLES IN SCHEMA public FROM u_tdb_ro;<br/>
REVOKE ALL ON ALL SEQUENCES IN SCHEMA public FROM u_tdb_ro;</font></div>

<div>&nbsp;</div>

<div><font face="monospace"><span style="color: rgb(0,0,255);">REVOKE CREATE ON SCHEMA public FROM u_tdb_ro;</span><br/>
<font color="#0000ff">REVOKE CREATE ON DATABASE tdb FROM u_tdb_ro;<br/>
REVOKE CREATE ON TABLESPACE pg_default FROM u_tdb_ro;<br/>
<br/>
GRANT SELECT ON ALL TABLES IN SCHEMA public TO u_tdb_ro;<br/>
<br/>
ALTER USER u_tdb_ro SET DEFAULT_TRANSACTION_READ_ONLY = ON;<br/>
<br/>
ALTER DEFAULT PRIVILEGES FOR role u_tdb GRANT SELECT ON TABLES TO u_tdb_ro;</font></font></div>

<div>&nbsp;</div>
</div>
</blockquote>

<div>&nbsp;</div>

<div>But: I can&#39;t avoid that the user can execute a CREATE TABLE command!</div>

<div>&nbsp;</div>

<div>
<blockquote style="margin: 0 0 0 40.0px;border: none;padding: 0.0px;">
<div><font color="#cc0000"><font face="monospace">set role to u_tdb_ro;<br/>
drop table if exists test_rororo;<br/>
create table if not exists test_rororo (roro int primary key);<br/>
select * from test_rororo;</font></font></div>
</blockquote>
</div>

<div>&nbsp;</div>

<div>I don&#39;t understand why these commands don&#39;t work?!</div>

<div>&nbsp;</div>

<div>
<blockquote style="margin: 0 0 0 40.0px;border: none;padding: 0.0px;">
<div><font face="monospace"><span style="color: rgb(0,0,255);"><b>REVOKE CREATE ON SCHEMA public FROM u_tdb_ro;</b></span><br/>
<font color="#0000ff"><b>REVOKE CREATE ON DATABASE tdb FROM u_tdb_ro;<br/>
REVOKE CREATE ON TABLESPACE pg_default FROM u_tdb_ro;</b></font></font></div>
</blockquote>
</div>

<div>&nbsp;</div>

<div>I read that the magic command is:</div>

<div>&nbsp;</div>

<div>
<blockquote style="margin: 0 0 0 40.0px;border: none;padding: 0.0px;">
<div>
<pre class="gmail-lang-sql gmail-s-code-block" style="margin-top: 0.0px;border: 0.0px;font-stretch: inherit;vertical-align: baseline;box-sizing: inherit;width: auto;max-height: 600.0px;overflow: auto;"><code class="gmail-hljs gmail-language-sql" style="margin: 0.0px;padding: 0.0px;border: 0.0px;font-style: inherit;font-variant: inherit;font-stretch: inherit;line-height: inherit;font-family: inherit;vertical-align: baseline;box-sizing: inherit;background-color: transparent;white-space: inherit;"><b><font color="#38761d"><span class="gmail-hljs-keyword" style="margin: 0.0px;padding: 0.0px;border: 0.0px;font-style: inherit;font-variant: inherit;font-stretch: inherit;line-height: inherit;font-family: inherit;font-size: 13.0px;vertical-align: baseline;box-sizing: inherit;">REVOKE</span> <span class="gmail-hljs-keyword" style="margin: 0.0px;padding: 0.0px;border: 0.0px;font-style: inherit;font-variant: inherit;font-stretch: inherit;line-height: inherit;font-family: inherit;font-size: 13.0px;vertical-align: baseline;box-sizing: inherit;">CREATE</span> <span class="gmail-hljs-keyword" style="margin: 0.0px;padding: 0.0px;border: 0.0px;font-style: inherit;font-variant: inherit;font-stretch: inherit;line-height: inherit;font-family: inherit;font-size: 13.0px;vertical-align: baseline;box-sizing: inherit;">ON</span> SCHEMA public <span class="gmail-hljs-keyword" style="margin: 0.0px;padding: 0.0px;border: 0.0px;font-style: inherit;font-variant: inherit;font-stretch: inherit;line-height: inherit;font-family: inherit;font-size: 13.0px;vertical-align: baseline;box-sizing: inherit;">FROM</span> PUBLIC;</font></b></code></pre>
</div>
</blockquote>
</div>

<div>Why does this work, and why are the 3 above not???</div>

<div>What is the meaning of these 3 if they don&#39;t work?</div>

<div>Why do the PGSQL developers create these statements if they do not work?</div>

<div>&nbsp;</div>

<div>I wanna understand this well, to know that Full Read Only mode is possible or not; or what are the limitations.</div>

<div>&nbsp;</div>

<div>Thank you for lighting my mind!</div>

<div>&nbsp;</div>

<div>Best regards</div>

<div>dd</div>
</div>
</div>
</div>
</div>
</div></div></body></html>