Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1sx7HE-0082bz-7l for pgsql-general@arkaria.postgresql.org; Sat, 05 Oct 2024 16:05:06 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.94.2) (envelope-from ) id 1sx7HC-001eVg-Q7 for pgsql-general@arkaria.postgresql.org; Sat, 05 Oct 2024 16:05:02 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1sx7H8-001eVH-N5 for pgsql-general@lists.postgresql.org; Sat, 05 Oct 2024 16:05:02 +0000 Received: from mta-p8.oit.umn.edu ([134.84.196.208]) by makus.postgresql.org with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1sx7H4-002f27-Fr for pgsql-general@lists.postgresql.org; Sat, 05 Oct 2024 16:04:57 +0000 Received: from localhost (unknown [127.0.0.1]) by mta-p8.oit.umn.edu (Postfix) with ESMTP id 4XLVc55YxRz9vZq4 for ; Sat, 5 Oct 2024 16:04:53 +0000 (UTC) X-Virus-Scanned: amavisd-new at umn.edu Received: from mta-p8.oit.umn.edu ([127.0.0.1]) by localhost (mta-p8.oit.umn.edu [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9cQ-d3kXPqGm for ; Sat, 5 Oct 2024 11:04:53 -0500 (CDT) Received: from mail-pl1-f198.google.com (mail-pl1-f198.google.com [209.85.214.198]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mta-p8.oit.umn.edu (Postfix) with ESMTPS id 4XLVc53FDGz9vZq3 for ; Sat, 5 Oct 2024 11:04:52 -0500 (CDT) DMARC-Filter: OpenDMARC Filter v1.3.2 mta-p8.oit.umn.edu 4XLVc53FDGz9vZq3 DKIM-Filter: OpenDKIM Filter v2.11.0 mta-p8.oit.umn.edu 4XLVc53FDGz9vZq3 Received: by mail-pl1-f198.google.com with SMTP id d9443c01a7336-20b43186ac3so5842705ad.2 for ; Sat, 05 Oct 2024 09:04:52 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=d.umn.edu; s=google; t=1728144292; x=1728749092; darn=lists.postgresql.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=rm6xlirNICVgZ/e6RwnRkBGShyI6dvT3Xw7J5bGZnKY=; b=bgZAOw0iNDx7PyyF1rQhcdK/qhok27Jrjsv8ekkujjlLOOU7ExidGjR3fyVTiogYKs FaImGqzcSLWzKBLxXD0vJttnTrjNxcP5Tlga65sO4qZGLYd7XXASYlRpvwxBQ7Jt0RQF HDNuhvnK4g694jl4x7CFQcbik5Ka7eWmWnPyj4qqidq2Bfw90/EfHFx2G5E/COMOwpek MAkPqf0JZT2fHRfU69vB7mEmoNIX4JwKntke1QdFfHlzThCF1AoFaYKwV4TwebbxUpk6 JHDEBwkhsm+mNfEsG3ZkH2owjySYPQxsfzjAeax+tU+EjHNyWvoDeOxz8LxJFI9JH2qE 7Etg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1728144292; x=1728749092; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=rm6xlirNICVgZ/e6RwnRkBGShyI6dvT3Xw7J5bGZnKY=; b=KXDynGwVIscH0uSlzDRkeU1bPPYLJB+k5Wbwj+GPrtyU/LhgXKjXv+/y4GqD6XfWCK jR+CbaPYMA4XRVb2clp3rigUd97dbSzSARd22mDtgBQKmaN08vi0h7CxFJP7CnAk5Tzr hcpc+G/05jGpWRgvEU0JIqe2EBXh46dAPExwx7VrKbI7aPJyj47B/8G5M2cxpZNjiCXg SsLxUVAw7L9tecZoAD6D0JcEWgyHgiyjJQZkVgLO9mA6JLA1Mmgi8NB+I3ZjNfK4imi0 e2jWwtym1FA3VbumTlbLoRodJwV1necAH0CCouC5zHRHG1jMfam1mLEE0WTCWm1yRhq+ lahA== X-Forwarded-Encrypted: i=1; AJvYcCWs0n6LaKb7PegRs9XT/OhLpjxqpp5ixg1812beXFxNrVMnCMKi4IRSQWJSoNOPIawCOOw3CSGrJ6GE3ZdU@lists.postgresql.org X-Gm-Message-State: AOJu0Yxaf1+5WXRcIr/hjwx7wOIB/fi3tUnt4Qcomn1sS6aa49Aq63CC BxcFWu6Ytt8aRJLhTj98cZU/5weX253fLuJC0j/+8qNBnJPlyRKUxx8oFR+5ZCBPz6PZj1xJuOW Aa4fOym3vIWOGZt75oF9oiy+qRncivCPsQnPTlCpQ53BEHjaQ52IiZTO2ggn72jJ/JrpfqVSbam 0O4sh/Ms6nt8j45w2Kec2zmFLOw6aAuYRarViVJXRf5JG129c= X-Received: by 2002:a17:90b:1e49:b0:2db:87f0:2173 with SMTP id 98e67ed59e1d1-2e1e63b3f73mr3202440a91.9.1728144292115; Sat, 05 Oct 2024 09:04:52 -0700 (PDT) X-Google-Smtp-Source: AGHT+IFwMH9o3ZdEKkcXlipNPASva1MduMgcALsCa4Hs9JllEZ9Wjqri6V00c0DSwPCyujHY6EuYPt60y1FlQx3vZn0= X-Received: by 2002:a17:90b:1e49:b0:2db:87f0:2173 with SMTP id 98e67ed59e1d1-2e1e63b3f73mr3202427a91.9.1728144291740; Sat, 05 Oct 2024 09:04:51 -0700 (PDT) MIME-Version: 1.0 References: In-Reply-To: From: Matt Zagrabelny Date: Sat, 5 Oct 2024 11:04:39 -0500 Message-ID: Subject: Re: grant connect to all databases To: Adrian Klaver Cc: "David G. Johnston" , "pgsql-generallists.postgresql.org" Content-Type: multipart/alternative; boundary="000000000000a159610623bcf24e" List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk --000000000000a159610623bcf24e Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable On Sat, Oct 5, 2024 at 10:27=E2=80=AFAM Adrian Klaver wrote: > On 10/5/24 07:13, Matt Zagrabelny wrote: > > Hi David (and others), > > > > Thanks for the info about Public. > > > > I should expound on my original email. > > > > In our dev and test environments our admins (alice, bob, eve) are > > superusers. In production environments we'd like the admins to be > read-only. > > What are the REVOKE and GRANT commands you use to achieve that? > GRANT alice TO pg_read_all_data; ...and then I could do something like this: -- for $database in $databases; GRANT CONNECT ON database $database TO alice; ...but I'd like to achieve it without the `for` loop. > > > > > Is the Public role something I can leverage to achieve this desire? > > You should read: > > https://www.postgresql.org/docs/current/ddl-priv.html Will do. > > > > From your original post: > > "but I cannot connect to my database" > > Was that due to a GRANT issue or a pg_hba.conf issue? > It was due to the missing GRANT CONNECT from above. pg_hba looks OK. > What was the actual complete error? > alice$ psql foo psql: error: connection to server at "db.example.com" (fe80:100), port 5432 failed: FATAL: permission denied for database "foo" ...after I GRANT CONNECT, I can connect. However, I don't want to have to iterate over all the databases to achieve the GRANT CONNECT. I guess I was hoping that the pg_read_all_data would also allow connecting. Or if it didn't, there could/would be a pg_connect_all_databases role. Cheers, -m --000000000000a159610623bcf24e Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable


=
On Sat, Oct 5, 2024 at 10:27=E2=80=AF= AM Adrian Klaver <adrian.kl= aver@aklaver.com> wrote:
On 10/5/24 07:13, Matt Zagrabelny wrote:
> Hi David (and others),
>
> Thanks for the info about Public.
>
> I should expound on my original email.
>
> In our dev and test environments our admins (alice, bob, eve) are
> superusers. In production environments we'd like the admins to be = read-only.

What are the REVOKE and GRANT commands you use to achieve that?

GRANT alice TO pg_read_all_data;

...and then I could do something like this:
-- for $d= atabase in $databases;
GRANT CONNECT ON database $database TO ali= ce;

...but I'd like to achieve it without the = `for` loop.
=C2=A0

>
> Is the Public role something I can leverage to achieve this desire?
You should read:

https://www.postgresql.org/docs/current/ddl-pri= v.html

Will do.
=C2=A0



=C2=A0From your original post:

"but I cannot connect to my database"

Was that due to a GRANT issue or a pg_hba.conf issue?
=
It was due to the missing GRANT CONNECT from above. pg_hba l= ooks OK.
=C2=A0
What was the actual complete error?

ali= ce$ psql foo
psql: error: connection to server at "db.example.com" (fe80:100), port 5432= failed: FATAL: =C2=A0permission denied for database "foo"
=C2=A0
...after I GRANT CONNECT, I can connect. However, = I don't want to have to iterate over all the databases to achieve the G= RANT CONNECT.

I guess I was hoping that the pg_rea= d_all_data would also allow connecting. Or if it didn't, there could/wo= uld be a pg_connect_all_databases role.

Cheers= ,

-m
--000000000000a159610623bcf24e--