Message-ID: <0c089041-d4eb-4bf4-bfcb-6451224190c9@aklaver.com>
Date: Sat, 5 Oct 2024 09:26:22 -0700
Subject: Re: grant connect to all databases
From: Adrian Klaver
To: Matt Zagrabelny
Cc: "David G. Johnston", "pgsql-generallists.postgresql.org"

On 10/5/24 09:04, Matt Zagrabelny wrote:
>
> On Sat, Oct 5, 2024 at 10:27 AM Adrian Klaver wrote:
>
> > On 10/5/24 07:13, Matt Zagrabelny wrote:
> > > Hi David (and others),
> > >
> > > Thanks for the info about Public.
> > >
> > > I should expound on my original email.
> > >
> > > In our dev and test environments our admins (alice, bob, eve) are
> > > superusers. In production environments we'd like the admins to be
> > > read-only.
> >
> > What are the REVOKE and GRANT commands you use to achieve that?
>
> GRANT alice TO pg_read_all_data;

Does alice have existing GRANTs?

I would try:

GRANT pg_read_all_data TO alice;

As example:

psql -d test -U postgres

                     List of role grants
 Role name  |      Member of       |   Options    | Grantor
------------+----------------------+--------------+----------
 aklaver    | app_admin            | INHERIT, SET | postgres
 aklaver    | production           | INHERIT, SET | postgres
 dd_admin   | dd_owner             | ADMIN, SET   | postgres
 dd_user    | dd_admin             | INHERIT, SET | postgres
 pg_monitor | pg_read_all_settings | INHERIT, SET | postgres
 pg_monitor | pg_read_all_stats    | INHERIT, SET | postgres
 pg_monitor | pg_stat_scan_tables  | INHERIT, SET | postgres
 postgres   | dd_owner             | INHERIT, SET | postgres

grant pg_read_all_data to adrian;
GRANT ROLE

test=# \drgS
                     List of role grants
 Role name  |      Member of       |   Options    | Grantor
------------+----------------------+--------------+----------
 adrian     | pg_read_all_data     | INHERIT, SET | postgres
 aklaver    | app_admin            | INHERIT, SET | postgres
 aklaver    | production           | INHERIT, SET | postgres
 dd_admin   | dd_owner             | ADMIN, SET   | postgres
 dd_user    | dd_admin             | INHERIT, SET | postgres
 pg_monitor | pg_read_all_settings | INHERIT, SET | postgres
 pg_monitor | pg_read_all_stats    | INHERIT, SET | postgres
 pg_monitor | pg_stat_scan_tables  | INHERIT, SET | postgres
 postgres   | dd_owner             | INHERIT, SET | postgres

\dt csv_test
          List of relations
 Schema |   Name   | Type  |  Owner
--------+----------+-------+----------
 public | csv_test | table | postgres

test=# \q

psql -d test -U adrian

test=> select * from csv_test ;
 id | val
----+------
  1 | test
  2 | dog
  3 | cat
  4 | test
  5 | fish

> ...and then I could do something like this:
> -- for $database in $databases;
> GRANT CONNECT ON database $database TO alice;
>
> ...but I'd like to achieve it without the `for` loop.
>
> > > Is the Public role something I can leverage to achieve this desire?
> >
> > You should read:
> >
> > https://www.postgresql.org/docs/current/ddl-priv.html
>
> Will do.
>
> > From your original post:
> >
> > "but I cannot connect to my database"
> >
> > Was that due to a GRANT issue or a pg_hba.conf issue?
>
> It was due to the missing GRANT CONNECT from above. pg_hba looks OK.
>
> > What was the actual complete error?
>
> alice$ psql foo
> psql: error: connection to server at "db.example.com" (fe80:100), port 5432 failed: FATAL:
>   permission denied for database "foo"
>
> ...after I GRANT CONNECT, I can connect. However, I don't want to have
> to iterate over all the databases to achieve the GRANT CONNECT.
>
> I guess I was hoping that the pg_read_all_data would also allow
> connecting. Or if it didn't, there could/would be a
> pg_connect_all_databases role.
>
> Cheers,
>
> -m

-- 
Adrian Klaver
adrian.klaver@aklaver.com
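As an added example (not part of the thread), the grant direction Adrian corrects, followed by the checks that confirm what pg_read_all_data does and does not cover; it assumes a role alice and a constructed table t, and the CONNECT query goes one step beyond the thread by listing every database in the cluster:

```sql
-- Added example, not from the thread: the grant direction Adrian corrects,
-- followed by the checks a DBA would run before calling "alice" read-only.
-- Role alice is the thread's placeholder; table t and its row are constructed.

-- As posted in the thread, the arguments are reversed. That form would make
-- pg_read_all_data a MEMBER of alice, so the predefined role would inherit
-- alice's privileges instead of the other way round. Kept as a comment only:
--   GRANT alice TO pg_read_all_data;

-- Correct direction: alice becomes a member of the predefined role.
CREATE ROLE alice LOGIN;
GRANT pg_read_all_data TO alice;

-- Membership check; pg_has_role reflects the GRANT above.
SELECT pg_has_role('alice', 'pg_read_all_data', 'MEMBER') AS is_member;

-- Privilege check on a constructed table: pg_read_all_data confers SELECT
-- (and schema USAGE) but no INSERT/UPDATE/DELETE, so the two columns differ.
CREATE TABLE t (id int, val text);
INSERT INTO t VALUES (1, 'test');

SELECT has_table_privilege('alice', 't', 'SELECT') AS can_read,
       has_table_privilege('alice', 't', 'INSERT') AS can_write;

-- pg_read_all_data says nothing about the database-level CONNECT privilege
-- the thread ran into. CONNECT is granted to PUBLIC by default, so an
-- explicit GRANT CONNECT is only needed on databases where that default
-- was revoked. pg_database is cluster-wide, so one query covers them all.
SELECT datname,
       has_database_privilege('alice', datname, 'CONNECT') AS can_connect
FROM   pg_database
WHERE  NOT datistemplate
ORDER  BY datname;
```

Any database where can_connect is false is one where CONNECT was revoked from PUBLIC and needs the explicit GRANT the thread describes.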