Received: from malur.postgresql.org ([217.196.149.56])
	by arkaria.postgresql.org with esmtps  (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.94.2)
	(envelope-from <pgsql-general-owner+archive@lists.postgresql.org>)
	id 1sx6hr-007yZo-9T
	for pgsql-general@arkaria.postgresql.org; Sat, 05 Oct 2024 15:28:31 +0000
Received: from localhost ([127.0.0.1] helo=malur.postgresql.org)
	by malur.postgresql.org with esmtp (Exim 4.94.2)
	(envelope-from <pgsql-general-owner+archive@lists.postgresql.org>)
	id 1sx6gr-001DKL-Lq
	for pgsql-general@arkaria.postgresql.org; Sat, 05 Oct 2024 15:27:29 +0000
Received: from makus.postgresql.org ([2001:4800:3e1:1::229])
	by malur.postgresql.org with esmtps  (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.94.2)
	(envelope-from <adrian.klaver@aklaver.com>)
	id 1sx6gq-001DKD-9Q
	for pgsql-general@lists.postgresql.org; Sat, 05 Oct 2024 15:27:29 +0000
Received: from fhigh-a5-smtp.messagingengine.com ([103.168.172.156])
	by makus.postgresql.org with esmtps  (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.94.2)
	(envelope-from <adrian.klaver@aklaver.com>)
	id 1sx6gm-002epU-GZ
	for pgsql-general@lists.postgresql.org; Sat, 05 Oct 2024 15:27:26 +0000
Received: from phl-compute-05.internal (phl-compute-05.phl.internal [10.202.2.45])
	by mailfhigh.phl.internal (Postfix) with ESMTP id 1CD8F1140127;
	Sat,  5 Oct 2024 11:27:23 -0400 (EDT)
Received: from phl-mailfrontend-01 ([10.202.2.162])
  by phl-compute-05.internal (MEProxy); Sat, 05 Oct 2024 11:27:23 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=aklaver.com; h=
	cc:cc:content-transfer-encoding:content-type:content-type:date
	:date:from:from:in-reply-to:in-reply-to:message-id:mime-version
	:references:reply-to:subject:subject:to:to; s=fm1; t=1728142043;
	 x=1728228443; bh=tR+qPKiU7+Xzob7UwGlTSII3L9Eh6UWOpYBS+CncwZM=; b=
	fN2Lzjim7kH0usySaJubdh6vgYSUZI7QHK72Jt0s+0T1ou+x31KoulUAp7vRwxuu
	pGP6Ol8MJVLRNUx2rLuR6J2JB6TgrJtE1pkdXz++bghHq5MXQxe5Qw9bib0ubs0n
	FFgINVYXG3wZmXA+vmXZUWyBU8mGYNTL2xE58/0BzPkT3QhGZ5yrbHR9pny8BEsm
	HAD9AsAhzfOhect8EEVmwf6/mzKF6Y/5ZmPRHaLxtkq5zmUL2lZRiODBEoqPbYGF
	6x8rFE+mDkC6O2i4AstJXa8nLIrWyiJO8OFmtwnyfgxvjKYK+5KYkvnORs+zIeGb
	umlocULYvcPhbMojFAkw3Q==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
	messagingengine.com; h=cc:cc:content-transfer-encoding
	:content-type:content-type:date:date:feedback-id:feedback-id
	:from:from:in-reply-to:in-reply-to:message-id:mime-version
	:references:reply-to:subject:subject:to:to:x-me-proxy:x-me-proxy
	:x-me-sender:x-me-sender:x-sasl-enc; s=fm2; t=1728142043; x=
	1728228443; bh=tR+qPKiU7+Xzob7UwGlTSII3L9Eh6UWOpYBS+CncwZM=; b=D
	jBjiUUFyLBPn359FIDzkAbYgLUKJfyNX1CKZ6dV+SZmIasBuRvF0mBjoePUd/Qsz
	3AkGQk5Cpmk0B/bb3enoIOzgCDyKk1eS9boQJxKTy0hAREU3YBk0DN1CYdwP1U2i
	cJ4ykCtlHwSYMznx0S0DBH3TUWRPu8mMTslI7NSZ7NOyX148F03EohXdYBEyKHLV
	NYvI+7lCctBPdAd942jaO31PNKx9Qcxij0K+OSMtEEyn/xOuODtJbiyc/0r6P3OR
	Pb1QwN2zTpjDjXq4H1oVb66exUAOcz9SAQ/PO7Nofv98Y+qZTJbXTUwvN8FxgOCk
	gqusTX4qPCvbijkUmmaFQ==
X-ME-Sender: <xms:2loBZ3FtczMFzYM09FIfEKPTEgimg9IPJ_46qWDVjODt3Tqm_YUJXw>
    <xme:2loBZ0U7m8bh_pa-6oDvvjPQToVTiOirlH99NLIQ8XGQblPgNRL-eESq2QOxkT0SQ
    QiMls7rxZQQC_A>
X-ME-Received: <xmr:2loBZ5KSVHjAuPz6GTC08dTScsyAAdEuYN8lkyHOYALzUOREmj-f_1I_iYO7Oh1Cj1KDUvNEkk-Ril5YkLwmC4lzYZ6NSF8m>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeeftddrvddvhedgkeelucetufdoteggodetrfdotf
    fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdggtfgfnhhsuhgsshgtrhhisggvpdfu
    rfetoffkrfgpnffqhgenuceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnh
    htshculddquddttddmnecujfgurhepkfffgggfuffvvehfhfgjtgfgsehtkeertddtvdej
    necuhfhrohhmpeetughrihgrnhcumfhlrghvvghruceorggurhhirghnrdhklhgrvhgvrh
    esrghklhgrvhgvrhdrtghomheqnecuggftrfgrthhtvghrnhepgfdufeekhfevfeelveei
    ueevhedvuddukeduvddvlefhueeuieejtdeuvdevvdeunecuffhomhgrihhnpehpohhsth
    hgrhgvshhqlhdrohhrghenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhepmhgr
    ihhlfhhrohhmpegrughrihgrnhdrkhhlrghvvghrsegrkhhlrghvvghrrdgtohhmpdhnsg
    gprhgtphhtthhopeefpdhmohguvgepshhmthhpohhuthdprhgtphhtthhopehmiigrghhr
    rggsvgesugdruhhmnhdrvgguuhdprhgtphhtthhopegurghvihgurdhgrdhjohhhnhhsth
    honhesghhmrghilhdrtghomhdprhgtphhtthhopehpghhsqhhlqdhgvghnvghrrghlsehl
    ihhsthhsrdhpohhsthhgrhgvshhqlhdrohhrgh
X-ME-Proxy: <xmx:2loBZ1EALTe8gvUhNeyPzGSHzB60C8xsIT4eUN26cxxegKJbC9jT7A>
    <xmx:2loBZ9WsYbG53eTBlnfrgQnQqlMFrIGP51TjtYXSQrG_FYt55Nvq0g>
    <xmx:2loBZwORINPC0Az779bPaPYLlUquPbvHJphvIWfrfXYZnZVHxqqU-A>
    <xmx:2loBZ80BiOLmG6ty2t4Cv8l1ynKcfAJk9L3ImNI6q5Or3_Hullwb_Q>
    <xmx:21oBZwT0WilEilHbCdxHnNHXi_sL96oAM-EcofZMhjEECpyPR2akWaDJ>
Feedback-ID: i76984098:Fastmail
Received: by mail.messagingengine.com (Postfix) with ESMTPA; Sat,
 5 Oct 2024 11:27:22 -0400 (EDT)
Message-ID: <cebb02fa-5487-4c06-8527-9c8ba29c13a9@aklaver.com>
Date: Sat, 5 Oct 2024 08:27:21 -0700
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Subject: Re: grant connect to all databases
To: Matt Zagrabelny <mzagrabe@d.umn.edu>,
 "David G. Johnston" <david.g.johnston@gmail.com>
Cc: "pgsql-generallists.postgresql.org" <pgsql-general@lists.postgresql.org>
References: <CAOLfK3Vj-PFBJi28y1170ZP3dGeW2qpG_8_9CbaJWvEgXQ8-jQ@mail.gmail.com>
 <CAKFQuwYG8uQhN50MgcF1seg8+dwvgTMFez=wA3Rg2rosob78cg@mail.gmail.com>
 <CAOLfK3XOHnyWsLv_CdFAegWg1FgM3AK3WsO_r+rXSNjp8TQXcg@mail.gmail.com>
Content-Language: en-US
From: Adrian Klaver <adrian.klaver@aklaver.com>
In-Reply-To: <CAOLfK3XOHnyWsLv_CdFAegWg1FgM3AK3WsO_r+rXSNjp8TQXcg@mail.gmail.com>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
List-Id: <pgsql-general.lists.postgresql.org>
List-Help: <https://lists.postgresql.org/manage/>
List-Subscribe: <https://lists.postgresql.org/manage/>
List-Post: <mailto:pgsql-general@lists.postgresql.org>
List-Owner: <mailto:pgsql-general-owner@lists.postgresql.org>
List-Archive: <https://www.postgresql.org/list/pgsql-general>
Archived-At: <https://www.postgresql.org/message-id/cebb02fa-5487-4c06-8527-9c8ba29c13a9%40aklaver.com>
Precedence: bulk

On 10/5/24 07:13, Matt Zagrabelny wrote:
> Hi David (and others),
> 
> Thanks for the info about Public.
> 
> I should expound on my original email.
> 
> In our dev and test environments our admins (alice, bob, eve) are 
> superusers. In production environments we'd like the admins to be read-only.

What are the REVOKE and GRANT commands you use to achieve that?

> 
> Is the Public role something I can leverage to achieve this desire?

You should read:

https://www.postgresql.org/docs/current/ddl-priv.html


 From your original post:

"but I cannot connect to my database"

Was that due to a GRANT issue or a pg_hba.conf issue?

What was the actual complete error?

> 
> Thanks for the help!
> 
> -m
> 
> 
> 
> On Sat, Oct 5, 2024 at 9:02 AM David G. Johnston 
> <david.g.johnston@gmail.com <mailto:david.g.johnston@gmail.com>> wrote:
> 
>     On Saturday, October 5, 2024, Matt Zagrabelny <mzagrabe@d.umn.edu
>     <mailto:mzagrabe@d.umn.edu>> wrote:
> 
>         Hello,
> 
>         I'd like to have a read-only user for all databases.
> 
>         I found the pg_read_all_data role predefined role, which I
>         granted to my RO user:
> 
>         GRANT pg_read_all_data TO ro_user;
> 
>         ...but I cannot connect to my database(s).
> 
>         I'd like to not have to iterate over all the databases and
>         "GRANT CONNECT...".
> 
>         Is there a way to do this with just one GRANT or equivalent command?
> 
> 
> 
>     The pseudo-role Public exists for just this kind of thing.  In fact,
>     in a default installation it already is given connect privileges on
>     all databases created by the bootstrap superuser.
> 
>     David J.
> 

-- 
Adrian Klaver
adrian.klaver@aklaver.com