Reputation: 1768
Why is Postgres Superuser Required for Access to My Database?
I have a common user, mygs_user, across three databases: mydatamodel, mygs, and Newdatabase (names changed to protect the innocent).
I've 'inherited' the first two databases, and have created a third (Newdatabase), whose security must closely replicate the original two--including using the same user-name and role.
The problem is while the two original databases do not have explicit privileges, the common user, mygs_user, can access them just fine. The third (Newdatabase) does not allow access unless I modify the common user to be a super-user, which obviously is not a best-practice.
Of course, I've tried setting the security settings of my NewDB to settings of the original ones with no dice.
Here are the two original databases:
mydatamodel
CREATE DATABASE mydatamodel
WITH OWNER = postgres
ENCODING = 'UTF8'
TABLESPACE = datamodel_tablespace
LC_COLLATE = 'English, United States'
LC_CTYPE = 'English, United States'
CONNECTION LIMIT = -1;
mygs
CREATE DATABASE mygs
WITH OWNER = postgres
ENCODING = 'UTF8'
TABLESPACE = mygs_tablespace
LC_COLLATE = 'English, United States'
LC_CTYPE = 'English, United States'
CONNECTION LIMIT = -1;
...and here is the new database:
CREATE DATABASE "NewDatabase"
WITH OWNER = postgres
ENCODING = 'UTF8'
TABLESPACE = pg_default
LC_COLLATE = 'English, United States'
LC_CTYPE = 'English, United States'
CONNECTION LIMIT = -1;
GRANT CONNECT, TEMPORARY ON DATABASE "NewDatabase" TO public;
GRANT ALL ON DATABASE "NewDatabase" TO postgres;
GRANT ALL ON DATABASE "NewDatabase" TO mygs_user;
The two original occupy separate tablespaces, while the new one doesn't:
CREATE TABLESPACE mygs_tablespace
OWNER postgres
LOCATION 'c:/MYGS_Database/PostgreSQL';
CREATE TABLESPACE datamodel_tablespace
OWNER postgres
LOCATION 'c:/MYGS_Database/MyDataModel';
This is the the commmon user:
CREATE ROLE mygs_user LOGIN
SUPERUSER NOINHERIT NOCREATEDB NOCREATEROLE;
GRANT "MYGS" TO mygs_user;
...and the common role:
CREATE ROLE "MYGS"
NOSUPERUSER INHERIT NOCREATEDB NOCREATEROLE;
Here are the pg_hba.conf file contents:
# TYPE DATABASE USER CIDR-ADDRESS METHOD
# IPv4 local connections:
host all all 127.0.0.1/32 md5
How can I grant access to the common user for the third database without granting superuser privileges?
Upvotes: 1
Views: 1698
Answers (2)
Reputation: 1768
Upon further inspection, the privileges were set to authorize the the "MYGS" role at the object-level, with no explicit privileges at the database level. The problem is resolved by the following code, for each object-type:
Tables:
ALTER TABLE tableNameHere OWNER TO postgres;
GRANT ALL ON TABLE dtm_tableNameHereTO postgres;
GRANT SELECT, UPDATE, INSERT, DELETE ON TABLE tableNameHere TO "MYGS";
...functions:
ALTER FUNCTION functionNameHere(..) OWNER TO postgres;
GRANT EXECUTE ON FUNCTION functionNameHere(..) TO postgres;
GRANT EXECUTE ON FUNCTION functionNameHere(..) TO "MYGS";
...and sequences:
ALTER TABLE sequenceNameHere OWNER TO postgres;
GRANT ALL ON TABLE sequenceNameHere TO postgres;
GRANT SELECT, UPDATE ON TABLE sequenceNameHere TO "MYGS";
Although, the postgres user is not necessary for the solution to work.
Upvotes: 0
Reputation: 23890
I think you forgot to allow connecting to this database in pg_hba.conf configuration file.
You should probably add there something like:
# TYPE DATABASE USER ADDRESS METHOD
local Newdatabase MYGS md5
Upvotes: 2
Related Questions
- What is a postgres superuser
- ERROR: must be superuser to alter superusers
- No super user for postgresql
- Superuser nologin roles?
- Can't access superuser in postgresql
- How to specify the superuser of a PostgreSQL database?
- Superuser expired and is the only user
- What is the difference between user postgres and a superuser?
- PostgreSQL - Readonly "SuperUser"
- Postgresql database superuser