Default Privileges Don't Work When Owner Changes

One of the first things you learn in Postgres is the importance of getting the default privileges configured. Coming from a SQL Server background, I found having to assign default privileges a little precarious, but once I got over that hump its place in PG became more obvious.

The other day I discovered that default privileges don't get inherited from the new owner when the ownership of an object changes.

1.) Log in as postgres
      create table tab(id int);

2.) Log in as d_owner
      create table taba(id int);

3.) Grant the read-only role permission to access data in the public schema owned by d_owner
      grant select on all tables in schema public to readrole;
      alter default privileges for user d_owner in schema public grant select on tables to readrole;

4.) Change the owner of tab from postgres to d_owner
      alter table tab owner to d_owner;

5.) Log in as readrole
      select 1 from tab;   --> can access
      select 1 from taba;  --> permission issue

6.) Log in as d_owner
      create table tabb(id int);

7.) Log in as readrole
      select 1 from tabb;  --> can access

8.) Log in as d_owner
      grant select on all tables in schema public to readrole;

9.) Log in as readrole
      select 1 from taba;  --> can access
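
One way to find tables left in this state, as an added example that is not part of the original post: a read-only catalog query that compares each relation's ACL with its current owner's default privileges (the pg_default_acl entries written by ALTER DEFAULT PRIVILEGES) and prints the GRANT that would close the gap. The output column names are chosen here for illustration.

```sql
-- Added example: audit of pg_default_acl against pg_class (read-only).
-- Lists relations whose ACL lacks a grant that the current owner's default
-- privileges would have applied if that owner had created the relation
-- after ALTER DEFAULT PRIVILEGES was run.
WITH expected AS (
    SELECT d.defaclrole      AS owner_oid,
           d.defaclnamespace AS schema_oid,   -- 0 = default applies to every schema
           a.grantee,
           a.privilege_type
    FROM pg_default_acl AS d
    CROSS JOIN LATERAL aclexplode(d.defaclacl) AS a
    WHERE d.defaclobjtype = 'r'               -- defaults declared ON TABLES
      AND a.grantee <> d.defaclrole           -- skip the owner's own privileges
)
SELECT c.oid::regclass             AS relation,
       pg_get_userbyid(c.relowner) AS owner,
       CASE WHEN e.grantee = 0 THEN 'PUBLIC'
            ELSE pg_get_userbyid(e.grantee)::text END AS grantee,
       e.privilege_type            AS missing_privilege,
       format('GRANT %s ON %s TO %s;',
              e.privilege_type,
              c.oid::regclass,
              CASE WHEN e.grantee = 0 THEN 'PUBLIC'
                   ELSE quote_ident(pg_get_userbyid(e.grantee)::text) END) AS fix
FROM pg_class AS c
JOIN expected AS e
  ON e.owner_oid = c.relowner
 AND (e.schema_oid = 0 OR e.schema_oid = c.relnamespace)
WHERE c.relkind IN ('r', 'p', 'v', 'm', 'f')  -- ON TABLES also covers views and foreign tables
  AND NOT EXISTS (
        SELECT 1
        FROM aclexplode(c.relacl) AS x        -- a NULL relacl yields no rows
        WHERE x.grantee = e.grantee
          AND x.privilege_type = e.privilege_type)
ORDER BY c.relname, e.grantee, e.privilege_type;
```

The check compares direct ACL entries only, so a grantee that reaches the table through membership in another role is still listed.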

