public inbox for [email protected]
help / color / mirror / Atom feedcreate read-only and revoke create function?
2+ messages / 2 participants
[nested] [flat]
* create read-only and revoke create function?
@ 2023-08-14 15:19 Ron Watkins <[email protected]>
0 siblings, 1 reply; 2+ messages in thread
From: Ron Watkins @ 2023-08-14 15:19 UTC (permalink / raw)
To: [email protected]
Management has requested to setup a group of users as READ-ONLY, and to
revoke their ability to create tables, views, procedures, functions, etc...
I looked around, and did the following, but it's not working as expected.
CREATE ROLE "RO_Role" WITH
NOLOGIN
NOSUPERUSER
INHERIT
NOCREATEDB
NOCREATEROLE
NOREPLICATION;
COMMENT ON ROLE "RO_Role" IS 'Read-Only role.';
GRANT "RO_Role" to <users>;
GRANT SELECT ON TABLE <tablename> TO "RO_Role";
GRANT EXECUTE ON FUNCTION <functions> TO "RO_ROLE";
On one server, this seems to have limited the users ability to write to
tables, but on the other server it didn't work, they can still write to
tables.
As for the functions, they can still create. Not sure how to prevent this
from happening.
Suggestions?
--
Ron Watkins, K7DOG
602.743.5272
^ permalink raw reply [nested|flat] 2+ messages in thread
* Re: create read-only and revoke create function?
@ 2023-08-14 18:04 David G. Johnston <[email protected]>
parent: Ron Watkins <[email protected]>
0 siblings, 0 replies; 2+ messages in thread
From: David G. Johnston @ 2023-08-14 18:04 UTC (permalink / raw)
To: Ron Watkins <[email protected]>; +Cc: [email protected]
On Mon, Aug 14, 2023 at 8:20 AM Ron Watkins <[email protected]> wrote:
>
> GRANT "RO_Role" to <users>;
> GRANT SELECT ON TABLE <tablename> TO "RO_Role";
> GRANT EXECUTE ON FUNCTION <functions> TO "RO_ROLE";
>
> On one server, this seems to have limited the users ability to write to
> tables, but on the other server it didn't work, they can still write to
> tables.
>
Then the other server has permissions being granted to those users roles
that the first one doesn't. Fix that.
> As for the functions, they can still create. Not sure how to prevent this
> from happening.
> Suggestions?
>
>
You seem to be missing default privileges for the PUBLIC group - in
particular I suspect you are seeing the ability to create stuff on the
public schema by PUBLIC. If you revoke that you should be good.
Every role is read-only (in the sense of being unable to modify schema
directly) by default, aside from whatever it inherits from PUBLIC and any
other default privileges you may have setup. If you are able to do
something you shouldn't, you need to figure out where that privilege is
coming from and either remove it or remove the membership (you cannot
remove membership in PUBLIC).
David J.
^ permalink raw reply [nested|flat] 2+ messages in thread
end of thread, other threads:[~2023-08-14 18:04 UTC | newest]
Thread overview: 2+ messages (download: mbox mbox.gz follow: Atom feed)
-- links below jump to the message on this page --
2023-08-14 15:19 create read-only and revoke create function? Ron Watkins <[email protected]>
2023-08-14 18:04 ` David G. Johnston <[email protected]>
This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox