Access privileges¶
The instance
, role
and database
command line entry points expose a
privileges
command that will list access privileges.
In psql, \dp
and \ddp
commands can be used to access existing assignments
of privileges and default privileges respectively.
Listing privileges¶
At instance level, pglift instance privileges <instance name> [<version>]
would list privileges for all roles and databases of the instance, unless a
--role
and/or a --database
option is specified:
$ pglift instance privileges 13/main
Privileges on instance 13/main
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
│ database │ schema │ object_type │ role │ privileges │ object_name │ column_privileges │
└────────────┴────────┴─────────────┴──────────┴───────────────────────────────────────────────────────────────┴─────────────┴────────────────────────┘
│ myapp │ public │ TABLE │ dba │ │ persons │ name: SELECT, UPDATE │
│ myapp │ public │ TABLE │ postgres │ INSERT, SELECT, UPDATE, DELETE, TRUNCATE, REFERENCES, TRIGGER │ persons │ │
│ myotherapp │ public │ TABLE │ dba │ TRUNCATE, INSERT, SELECT, UPDATE, DELETE, REFERENCES, TRIGGER │ city │ │
│ myotherapp │ public │ TABLE │ marion │ │ city │ name: SELECT │
│ │ │ │ │ │ │ postcode: UPDATE │
│ myotherapp │ public │ TABLE │ postgres │ REFERENCES, TRUNCATE, DELETE, UPDATE, SELECT, INSERT, TRIGGER │ city │ │
│ myotherapp │ public │ TABLE │ bob │ │ garden │ species: SELECT │
│ myotherapp │ public │ TABLE │ dba │ UPDATE, DELETE, TRUNCATE, REFERENCES, TRIGGER, INSERT, SELECT │ garden │ flower: SELECT, UPDATE │
│ myotherapp │ public │ TABLE │ marion │ UPDATE │ garden │ species: UPDATE │
│ │ │ │ │ │ │ flower: SELECT │
│ myotherapp │ public │ TABLE │ postgres │ TRUNCATE, DELETE, UPDATE, SELECT, REFERENCES, INSERT, TRIGGER │ garden │ │
└────────────┴────────┴─────────────┴──────────┴───────────────────────────────────────────────────────────────┴─────────────┴────────────────────────┘
$ pglift instance privileges 13/main --database=myapp -o json
[
{
"database": "myapp",
"schema": "public",
"object_type": "TABLE",
"role": "dba",
"privileges": null,
"object_name": "persons",
"column_privileges": {
"name": [
"SELECT",
"UPDATE"
]
}
},
{
"database": "myapp",
"schema": "public",
"object_type": "TABLE",
"role": "postgres",
"privileges": [
"INSERT",
"SELECT",
"UPDATE",
"DELETE",
"TRUNCATE",
"REFERENCES",
"TRIGGER"
],
"object_name": "persons",
"column_privileges": null
}
]
You can also access the privileges for a database or a role by using the dedicated commands.
For example, the following commands are equivalent:
$ pglift instance privileges 13/main -d myotherapp
$ pglift database -i 13/main privileges myotherapp
Alter privileges¶
To assign privileges settings to an object, sql query can be passed through the run command:
$ pglift database -i 13/main run -d myapp "GRANT UPDATE ON mytable TO dba" INFO running GRANT UPDATE ON mytable TO dba" on myapp database of 13/main INFO GRANT
Default privileges
PostgreSQL grants privileges on some types of objects to PUBLIC by default when the objects are created. No privileges are granted to PUBLIC by default on tables, table columns, sequences, foreign data wrappers, foreign servers, large objects, schemas, or tablespaces. [1]
To override default privileges settings, use the ALTER DEFAULT PRIVILEGES
command.
$ pglift database -i 13/main run -d myapp "ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL ON TABLES TO dba"
INFO running "ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL ON TABLES TO dba" on myapp database of 13/main
INFO ALTER DEFAULT PRIVILEGES
Different commands can be used to view the results :
$ pglift instance exec 13/main -- psql -d myapp -c '\ddp'
Droits d'accès par défaut
Propriétaire | Schéma | Type | Droits d'accès
--------------+--------+-------+----------------------
postgres | public | table | dba=arwdDxt/postgres
(1 ligne)
or
$ pglift database -i 13/main privileges myapp --default
────────────────────────────────────────────────────────────────────────────────────────
| database | schema | role | object_type | privileges |
└──────────┴────────┴──────┴─────────────┴───────────────────────────────────────────────┘
│ myapp │ public │ dba │ TABLE │ DELETE, INSERT, REFERENCES, SELECT, TRIGGER, │
│ │ │ │ │ TRUNCATE, UPDATE │
└──────────┴────────┴──────┴─────────────┴───────────────────────────────────────────────┘