Received: from malur.postgresql.org ([217.196.149.56])
	by arkaria.postgresql.org with esmtps  (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.94.2)
	(envelope-from <pgsql-general-owner+archive@lists.postgresql.org>)
	id 1sx5Y4-007qyV-Py
	for pgsql-general@arkaria.postgresql.org; Sat, 05 Oct 2024 14:14:20 +0000
Received: from localhost ([127.0.0.1] helo=malur.postgresql.org)
	by malur.postgresql.org with esmtp (Exim 4.94.2)
	(envelope-from <pgsql-general-owner+archive@lists.postgresql.org>)
	id 1sx5Y3-000PNy-AT
	for pgsql-general@arkaria.postgresql.org; Sat, 05 Oct 2024 14:14:19 +0000
Received: from makus.postgresql.org ([2001:4800:3e1:1::229])
	by malur.postgresql.org with esmtps  (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.94.2)
	(envelope-from <mzagrabe@d.umn.edu>)
	id 1sx5Y2-000PNI-VF
	for pgsql-general@lists.postgresql.org; Sat, 05 Oct 2024 14:14:18 +0000
Received: from mta-p8.oit.umn.edu ([134.84.196.208])
	by makus.postgresql.org with esmtps  (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.94.2)
	(envelope-from <mzagrabe@d.umn.edu>)
	id 1sx5Y0-002eKv-2O
	for pgsql-general@lists.postgresql.org; Sat, 05 Oct 2024 14:14:17 +0000
Received: from localhost (unknown [127.0.0.1])
	by mta-p8.oit.umn.edu (Postfix) with ESMTP id 4XLS8Q0WqJz9vCCG
	for <pgsql-general@lists.postgresql.org>; Sat,  5 Oct 2024 14:14:14 +0000 (UTC)
X-Virus-Scanned: amavisd-new at umn.edu
Received: from mta-p8.oit.umn.edu ([127.0.0.1])
 by localhost (mta-p8.oit.umn.edu [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id o9kYvES_NEIQ for <pgsql-general@lists.postgresql.org>;
 Sat,  5 Oct 2024 09:14:13 -0500 (CDT)
Received: from mail-pg1-f198.google.com (mail-pg1-f198.google.com [209.85.215.198])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by mta-p8.oit.umn.edu (Postfix) with ESMTPS id 4XLS8P5P8cz9vCCL
	for <pgsql-general@lists.postgresql.org>; Sat,  5 Oct 2024 09:14:13 -0500 (CDT)
DMARC-Filter: OpenDMARC Filter v1.3.2 mta-p8.oit.umn.edu 4XLS8P5P8cz9vCCL
DKIM-Filter: OpenDKIM Filter v2.11.0 mta-p8.oit.umn.edu 4XLS8P5P8cz9vCCL
Received: by mail-pg1-f198.google.com with SMTP id 41be03b00d2f7-7e6a3a8441fso356696a12.3
        for <pgsql-general@lists.postgresql.org>; Sat, 05 Oct 2024 07:14:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=d.umn.edu; s=google; t=1728137653; x=1728742453; darn=lists.postgresql.org;
        h=cc:to:subject:message-id:date:from:in-reply-to:references
         :mime-version:from:to:cc:subject:date:message-id:reply-to;
        bh=vWs3inlBoyjRvwTN+TASMelSjIOfTuqVMoXdx9If9wc=;
        b=UyBwLPAziZdYbcFXEulKZDqyuMZDvb9syldfyinZBPXWcqqNJYiIyKgDiD2yDDiOQw
         prgyZaboRK60gmVUo/h0t6PifjhzU2lizsDwQCXMSvzXVw9YsoP2bJLeNjDvBesLygze
         ob+otDrXTwz4oYKEYUB61xy9WT/8r1JVp4Koc0MFpWoAbu9UBoYs3/Zm4TgC9XOeeP2O
         vdHmVGb0U5Tg6IZmzZkKaB8b5xDg1zGHch7F4NEm0s8fSCMm5ugJfjOzTbrjmcOZdSDY
         2/ngZLA8oXEYpQ78FDLFXMD3LLq+aclF0y56UmVmbhJ0MkLlHKj7qWgR5kLy9fj+INEf
         l0Rw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1728137653; x=1728742453;
        h=cc:to:subject:message-id:date:from:in-reply-to:references
         :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id
         :reply-to;
        bh=vWs3inlBoyjRvwTN+TASMelSjIOfTuqVMoXdx9If9wc=;
        b=NmsOQlIzaXDGm7RBKtSdRoi2rZIUHxnX9Yw08aKOlL2AP3nVh86EkUgYxaUSKyUSM8
         7RJDqc0tPL6gYMmGVw26+qpQsGdxRGubfAoUGm22y9G+IRGjODPTWqnbIoKM4Dk4RT2z
         bAVfxn5Dh/ElQf3wSg2P/HF7yueIt99fsVPT9j78dR/l87T5clIQL4KoLTbp+kS95DbM
         3xLQC61QfKPIL55LnqbY3dcRAoTAvHrhgTb1YMShdO80hMmo8so4eSiZaQODxRBPdTxI
         d61eR2d6cZQMewkY6C63mTXriFOzU9VB1XBuxvFDWDm49g8/DVbV/upKI0AwIdOJahp6
         T/Gw==
X-Gm-Message-State: AOJu0YzkHTTt/Fize7gUVJWT6N0+qPx7bfbmuGZbmj4531jlnKBPo9pe
	EhifXpu3wjaXJPyH++Ysfik0hS9HXJXC0iRXXLEMVgMZGgfznrR9UPaHdUa/Upv5VBbVReQKy6x
	3TRoGYEgk0X6EOkPD2btgwMhNiov6c1MFuWhPPzln6WnC7EZ7aA9BsnSUtByBxYiSLC73ornlBP
	NWcTXQ/p9waWySWD3NbYE6xTZqV872q37HASf4wvijlnhGIq4=
X-Received: by 2002:a17:902:e806:b0:207:da7:bd0d with SMTP id d9443c01a7336-20bff20f820mr32495615ad.15.1728137652740;
        Sat, 05 Oct 2024 07:14:12 -0700 (PDT)
X-Google-Smtp-Source: AGHT+IH1Mj7wLP9U4dTy1/pxbZqx7YORbSm0s60wMZyt5LMd4/QVNhQssKr1nNN6QP5B1Vksi4meWTwgjRvtpTqk03Y=
X-Received: by 2002:a17:902:e806:b0:207:da7:bd0d with SMTP id
 d9443c01a7336-20bff20f820mr32495485ad.15.1728137652352; Sat, 05 Oct 2024
 07:14:12 -0700 (PDT)
MIME-Version: 1.0
References: <CAOLfK3Vj-PFBJi28y1170ZP3dGeW2qpG_8_9CbaJWvEgXQ8-jQ@mail.gmail.com>
 <CAKFQuwYG8uQhN50MgcF1seg8+dwvgTMFez=wA3Rg2rosob78cg@mail.gmail.com>
In-Reply-To: <CAKFQuwYG8uQhN50MgcF1seg8+dwvgTMFez=wA3Rg2rosob78cg@mail.gmail.com>
From: Matt Zagrabelny <mzagrabe@d.umn.edu>
Date: Sat, 5 Oct 2024 09:13:59 -0500
Message-ID: <CAOLfK3XOHnyWsLv_CdFAegWg1FgM3AK3WsO_r+rXSNjp8TQXcg@mail.gmail.com>
Subject: Re: grant connect to all databases
To: "David G. Johnston" <david.g.johnston@gmail.com>
Cc: "pgsql-generallists.postgresql.org" <pgsql-general@lists.postgresql.org>
Content-Type: multipart/alternative; boundary="000000000000e45f080623bb66a9"
List-Id: <pgsql-general.lists.postgresql.org>
List-Help: <https://lists.postgresql.org/manage/>
List-Subscribe: <https://lists.postgresql.org/manage/>
List-Post: <mailto:pgsql-general@lists.postgresql.org>
List-Owner: <mailto:pgsql-general-owner@lists.postgresql.org>
List-Archive: <https://www.postgresql.org/list/pgsql-general>
Archived-At: <https://www.postgresql.org/message-id/CAOLfK3XOHnyWsLv_CdFAegWg1FgM3AK3WsO_r%2BrXSNjp8TQXcg%40mail.gmail.com>
Precedence: bulk

--000000000000e45f080623bb66a9
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

Hi David (and others),

Thanks for the info about Public.

I should expound on my original email.

In our dev and test environments our admins (alice, bob, eve) are
superusers. In production environments we'd like the admins to be read-only=
.

Is the Public role something I can leverage to achieve this desire?

Thanks for the help!

-m



On Sat, Oct 5, 2024 at 9:02=E2=80=AFAM David G. Johnston <david.g.johnston@=
gmail.com>
wrote:

> On Saturday, October 5, 2024, Matt Zagrabelny <mzagrabe@d.umn.edu> wrote:
>
>> Hello,
>>
>> I'd like to have a read-only user for all databases.
>>
>> I found the pg_read_all_data role predefined role, which I granted to my
>> RO user:
>>
>> GRANT pg_read_all_data TO ro_user;
>>
>> ...but I cannot connect to my database(s).
>>
>> I'd like to not have to iterate over all the databases and "GRANT
>> CONNECT...".
>>
>> Is there a way to do this with just one GRANT or equivalent command?
>>
>
>
> The pseudo-role Public exists for just this kind of thing.  In fact, in a
> default installation it already is given connect privileges on all
> databases created by the bootstrap superuser.
>
> David J.
>
>

--000000000000e45f080623bb66a9
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><div>Hi David (and others),<br></div><div><br></div><div>T=
hanks for the info about Public.</div><div><br></div><div>I should expound =
on my original email.</div><div><br></div><div>In our dev and test environm=
ents our admins (alice, bob, eve) are superusers. In production environment=
s we&#39;d like the admins to be read-only.</div><div><br></div><div>Is the=
 Public role something I can leverage to achieve this desire?</div><div><br=
></div><div>Thanks for the help!</div><div><br></div><div>-m<br></div><div>=
<br></div><div><br></div></div><br><div class=3D"gmail_quote"><div dir=3D"l=
tr" class=3D"gmail_attr">On Sat, Oct 5, 2024 at 9:02=E2=80=AFAM David G. Jo=
hnston &lt;<a href=3D"mailto:david.g.johnston@gmail.com">david.g.johnston@g=
mail.com</a>&gt; wrote:<br></div><blockquote class=3D"gmail_quote" style=3D=
"margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-le=
ft:1ex">On Saturday, October 5, 2024, Matt Zagrabelny &lt;<a href=3D"mailto=
:mzagrabe@d.umn.edu" target=3D"_blank">mzagrabe@d.umn.edu</a>&gt; wrote:<br=
><blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border=
-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir=3D"ltr"><div>He=
llo,</div><div><br></div><div>I&#39;d like to have a read-only user for all=
 databases.</div><div><br></div><div>I found the pg_read_all_data role pred=
efined role, which I granted to my RO user:</div><div><br></div><div>GRANT =
pg_read_all_data TO ro_user;</div><div><br></div><div>...but I cannot conne=
ct to my database(s).</div><div><br></div><div>I&#39;d like to not have to =
iterate over all the databases and &quot;GRANT CONNECT...&quot;.</div><div>=
<br></div><div>Is there a way to do this with just one GRANT or equivalent =
command?</div></div></blockquote><div><br></div><div><br></div><div>The pse=
udo-role Public exists for just this kind of thing.=C2=A0 In fact, in a def=
ault installation it already is given connect privileges on all databases c=
reated by the bootstrap superuser.</div><div><br></div><div>David J.</div><=
div><br></div>
</blockquote></div>

--000000000000e45f080623bb66a9--