[go: up one dir, main page]
Scribd
Upload
36 views9 pages

Case Study On User Roles

This document describes PostgreSQL role and privilege management. It shows how to: 1. Create roles like admin with specific privileges like CREATEROLE and CREATEDB. 2. View table privileges using \z and role attributes using \du. 3. Grant privileges on tables to roles. For example, granting ALL privileges on table t1 to roles admin and test1. 4. Revoke privileges, for example revoking DELETE on t1 from admin. 5. Set role and perform actions based on granted privileges, like test1 inserting into t1. 6. Implement row-level security policies to restrict data access based on current user.

Uploaded by

gurukarthick_dba
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as DOCX, PDF, TXT or read online on Scribd
36 views9 pages

Case Study On User Roles

This document describes PostgreSQL role and privilege management. It shows how to: 1. Create roles like admin with specific privileges like CREATEROLE and CREATEDB. 2. View table privileges using \z and role attributes using \du. 3. Grant privileges on tables to roles. For example, granting ALL privileges on table t1 to roles admin and test1. 4. Revoke privileges, for example revoking DELETE on t1 from admin. 5. Set role and perform actions based on granted privileges, like test1 inserting into t1. 6. Implement row-level security policies to restrict data access based on current user.

Uploaded by

gurukarthick_dba
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as DOCX, PDF, TXT or read online on Scribd
You are on page 1/ 9

r -- SELECT ("read")

w -- UPDATE ("write")
a -- INSERT ("append")
d -- DELETE
D -- TRUNCATE
x -- REFERENCES
t -- TRIGGER
X -- EXECUTE
U -- USAGE
C -- CREATE
c -- CONNECT
T -- TEMPORARY
arwdDxt -- ALL PRIVILEGES (for tables, varies for other objects)
* -- grant option for preceding privilege

-bash-4.2$ psql
psql.bin (10.7)
Type "help" for help.

/******* Creating role which has access to create other roles *****/

postgres=# CREATE ROLE admin WITH CREATEDB CREATEROLE;


CREATE ROLE

/**** List of tables with privillage ***/

postgres=# \z
Access privileges
Schema | Name | Type | Access privileges | Column
privileges | Policies
--------+----------------+-------+----------------------------
+-------------------+----------
public | dept | table | |
|
public | emp_assignment | table | |
|
public | emp_contact | table | |
|
public | employee | table | postgres=arwdDxt/postgres +|
|
| | | demo_role=awd/postgres +|
|
| | | test_user=arwdDxt/postgres |
|
public | hash | table | |
|
public | manager | table | postgres=arwdDxt/postgres +|
|
| | | test_user=arwdDxt/postgres |
|
public | thur | table | |
|
(7 rows)

postgres=# \du
List of roles
Role name | Attributes |
Member of
-----------+------------------------------------------------------------
+-------------
admin | Create role, Create DB, Cannot login |
{}
demo_role | |
{}
efm | Superuser |
{}
postgres | Superuser, Create role, Create DB, Replication, Bypass RLS |
{}
test_user | |
{demo_role}

postgres=# alter role admin with login;


ALTER ROLE

postgres=# \du
List of roles
Role name | Attributes |
Member of
-----------+------------------------------------------------------------
+-------------
admin | Create role, Create DB |
{}
demo_role | |
{}
efm | Superuser |
{}
postgres | Superuser, Create role, Create DB, Replication, Bypass RLS |
{}
test_user | |
{demo_role}

postgres=# \z
Access privileges
Schema | Name | Type | Access privileges | Column
privileges | Policies
--------+----------------+-------+----------------------------
+-------------------+----------
public | dept | table | |
|
public | emp_assignment | table | |
|
public | emp_contact | table | |
|
public | employee | table | postgres=arwdDxt/postgres +|
|
| | | demo_role=awd/postgres +|
|
| | | test_user=arwdDxt/postgres |
|
public | hash | table | |
|
public | manager | table | postgres=arwdDxt/postgres +|
|
| | | test_user=arwdDxt/postgres |
|
public | thur | table | |
|
(7 rows)

postgres=# set role admin;


SET

postgres=> create user test1;


CREATE ROLE

postgres=> GRANT all ON test1 TO admin;


ERROR: relation "test1" does not exist

postgres=> create table t1(id int);


CREATE TABLE

postgres=> GRANT all ON t1 TO admin;


GRANT

postgres=> GRANT all ON t1 TO test1;


GRANT

postgres=> insert into t1 values (1);


INSERT 0 1
postgres=> insert into t1 values (2);
INSERT 0 1
postgres=> insert into t1 values (3);
INSERT 0 1

postgres=> update t1 set id=4 where id=1;


UPDATE 1
postgres=> delete from t1 where id=2;
DELETE 1
postgres=> \q
-bash-4.2$ psql -U test1
psql.bin (10.7)
Type "help" for help.

postgres=> \z
Access privileges
Schema | Name | Type | Access privileges | Column
privileges | Policies
--------+----------------+-------+----------------------------
+-------------------+----------
public | dept | table | |
|
public | emp_assignment | table | |
|
public | emp_contact | table | |
|
public | employee | table | postgres=arwdDxt/postgres +|
|
| | | demo_role=awd/postgres +|
|
| | | test_user=arwdDxt/postgres |
|
public | hash | table | |
|
public | manager | table | postgres=arwdDxt/postgres +|
|
| | | test_user=arwdDxt/postgres |
|
public | t1 | table | admin=arwdDxt/admin +|
|
| | | test1=arwdDxt/admin |
|
public | thur | table | |
|
(8 rows)

postgres=> insert into t1 values (6);


INSERT 0 1
postgres=> update t1 set id=7 where id=2;
UPDATE 0
postgres=> delete from t1 where id=3;
DELETE 1
^
postgres=> \q
-bash-4.2$ psql
psql.bin (10.7)
Type "help" for help.

postgres=# REVOKE delete ON t1 FROM admin;


REVOKE

postgres=# set role admin;


SET

postgres=> delete from t1 where id=5;


ERROR: permission denied for relation t1

postgres=> update t1 set id=7 where id=1;


UPDATE 0

postgres=> insert into t1 values (7);


INSERT 0 1
postgres=>

GRANT ALL ON ALL TABLES IN SCHEMA public TO admin ;

GRANT ALL ON SCHEMA public TO admin;

-bash-4.2$ psql
psql.bin (10.7)
Type "help" for help.

postgres=# set role admin;


SET

postgres=> create role f1;


CREATE ROLE

postgres=> grant admin to f1;


GRANT ROLE

postgres=> set role f1;


SET

postgres=> insert into t1 values(7);


INSERT 0 1

postgres=> insert into y1 values(7);


INSERT 0 1

postgres=> set role to admin;


SET

postgres=> create table g1(id int);


CREATE TABLE
postgres=> set role f1;
SET

postgres=> insert into g1 values(1);


INSERT 0 1
postgres=>

#################### RLS ######################


[root@localhost ~]# su - postgres
Last login: Tue Aug 20 14:15:12 IST 2019 on pts/0
-bash-4.2$ psql
psql.bin (10.7)
Type "help" for help.

postgres=# CREATE TABLE account (manager text, company text, contact_email


text);
CREATE TABLE
postgres=# insert into account values('a','a','a');
INSERT 0 1
postgres=# table account;
manager | company | contact_email
---------+---------+---------------
a | a | a
(1 row)
postgres=# ALTER TABLE account ENABLE ROW LEVEL SECURITY;
ALTER TABLE
postgres=# CREATE POLICY account_managers ON account TO admin
USING (manager = current_user);
CREATE POLICY
postgres=# GRANT SELECT, INSERT, UPDATE, DELETE ON account TO admin;
GRANT
postgres=# set role admin;
SET
postgres=> update account set manager ='b' where manager='a';
UPDATE 0
postgres=> insert into account values('c','c','c');
ERROR: new row violates row-level security policy for table "account"

postgres=> set role user1;


SET
postgres=> update account set manager ='b' where manager='a';
ERROR: permission denied for relation account
Case Study :-

postgres=# create role readuser login;


CREATE ROLE
postgres=# create role adduser with password '123';
CREATE ROLE
postgres=# create role suser with createdb;
CREATE ROLE
postgres=# create role test with admin adduser;
CREATE ROLE

postgres=# grant select on accounts to readuser ;


GRANT
postgres=# grant select(employee_name) on employee to readuser;
GRANT
postgres=# grant select(name), update(id) on test1 to readuser;
GRANT
postgres=# grant all on employee to suser;
GRANT
postgres=# grant insert on employee to adduser;
GRANT
postgres=# grant select,insert,update on accounts to adduser;
GRANT
postgres=# grant select,update(id) on test1 to adduser;
GRANT

postgres=# \du+
List of roles
Role name | Attributes |
Member of | Description
-----------+------------------------------------------------------------
+-----------+-------------
adduser | Cannot login |
{test} |
admin | Create role, Create DB |
{} |
demo_role | |
{} |
efm | Superuser |
{} |
postgres | Superuser, Create role, Create DB, Replication, Bypass RLS |
{} |
readuser | |
{} |
suser | Create DB, Cannot login |
{} |
test | Cannot login |
{} |
zabbix | |
{} |
postgres=# \z
Access privileges
Schema | Name | Type | Access privileges | Column
privileges | Policies
--------+----------+-------+---------------------------
+-----------------------+-----------------------------------------
public | accounts | table | postgres=arwdDxt/postgres+| id:
+| test (w): +
| | | readuser=r/postgres +|
adduser=w/postgres | (u): ((CURRENT_USER)::text = manager)+
| | | adduser=arw/postgres |
| (c): ((id >= 1) AND (id <= 5))
public | employee | table | postgres=arwdDxt/postgres+| employee_name:
+|
| | | suser=arwdDxt/postgres +|
readuser=r/postgres |
| | | adduser=a/postgres |
|
public | test1 | table | | id:
+|
| | | |
readuser=w/postgres+|
| | | | name:
+|
| | | |
readuser=r/postgres |
public | test2 | table | |
|
(4 rows)

postgres=# set role readuser ;


SET

postgres=> select employee_name from employee;


employee_name
---------------
JONES
Ramya
abc
(3 rows)

postgres=> select * from employee;


ERROR: permission denied for relation employee

postgres=> update test1 set id=5 where name='a';


UPDATE 1
postgres=> update test1 set name='ramya' where name='a';
ERROR: permission denied for relation test1

postgres=> delete from test1 where id=5;


ERROR: permission denied for relation test1

postgres=> set role suser;


SET
postgres=> select * from employee ;
employee_id | employee_name | employee_age | employee_dept | employee_mgr
-------------+---------------+--------------+---------------
+--------------
5 | JONES | 20 | IT | a
1 | Ramya | 30 | IT | a
2 | abc | 30 | IT | a
(3 rows)

postgres=> update employee set employee_id=15 where employee_name='Ramya';


UPDATE 1

postgres=# set role adduser ;


SET
postgres=> insert into accounts values(5,'aa','d','r');
INSERT 0 1
postgres=> update accounts set id=10 where id=5;
UPDATE 1
postgres=> delete from accounts where id=10;
ERROR: permission denied for relation accounts
postgres=> select * from accounts ;
id | manager | company | contact_email
----+---------+---------+---------------
1 | c | c | c
10 | aa | d | r
(2 rows)

postgres=> select * from test1;


id | name
----+------
2 | b
5 | a
(2 rows)

postgres=> update test1 set name='p' where id=2;


ERROR: permission denied for relation test1

You might also like