Reputation: 23
Cannot query except when user set superuser
I'm using PHP to query a PostgreSQL database (PHP5, PostgreSQL 9.3.9). I have an existing database that has an owner. I'm trying to make a secondary user have full access to the database to be used by PHP. When this user is set SUPERUSER it can query the database. Otherwise he cannot. I granted all privileges to the user with the postgres superuser for the database in question with:
GRANT ALL PRIVILEGES ON DATABASE mydatabase TO phpuser;
And when I look at the database list, phpuser=CTc is listed on Access Privileges. The user also has a password set.
What am I missing? I want this user to access the database with full privileges through PHP.
Upvotes: 0
Views: 150
Answers (1)
Reputation: 32316
You should not only grant privileges on the database (CTc means the user can connect to the database and create new and temp databases), but also on the database objects.
GRANT ROLE
The absolutely easiest way to do this is to grant the owner role to the phpuser role:
GRANT owner_role TO phpuser;
This may, however, introduce all manner of security problems and is not generally recommended for any scenario unless you are very confident about your network security.
GRANT privilege
Now for the hard way.
To begin with, your phpuser most likely does not have to create new or temporary database, so revoke these privileges:
REVOKE CREATE, TEMP ON DATABASE mydatabase FROM phpuser;
If you have tables or other objects in schemas other than public, grant access to those schemas (you need to be connected to database mydatabase when you issue these commands):
GRANT USAGE ON SCHEMA myschema TO phpuser;
Now you can grant the privileges to all tables, sequences, functions, etc inside the schemas, so for each schema, including public, do:
GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA myschema TO phpuser;
GRANT ALL ON ALL SEQUENCES IN SCHEMA myschema TO phpuser;
GRANT EXECUTE ON ALL FUNCTIONS IN SCHEMA myschema TO phpuser;
If you have some more exotic objects, use the appropriate command. Views are included in the table grant and indexes are automatically included with the tables.
Network access
Note that the phpuser role should also be permitted access in the pg_hba.conf file. There should be a line like (modify to match your network configuration):
host mydatabase phpuser 127.0.0.1/32 md5
Upvotes: 1
Related Questions
- ERROR: must be superuser to alter superusers
- No super user for postgresql
- Superuser nologin roles?
- PostGIS only works with root user
- Can't access superuser in postgresql
- How to specify the superuser of a PostgreSQL database?
- Superuser expired and is the only user
- Alter user with superuser not working
- Postgresql database superuser
- Why is Postgres Superuser Required for Access to My Database?