1

I have a common user, mygs_user, across three databases: mydatamodel, mygs, and Newdatabase (names changed to protect the innocent).

I've 'inherited' the first two databases, and have created a third (Newdatabase), whose security must closely replicate the original two--including using the same user-name and role.

The problem is while the two original databases do not have explicit privileges, the common user, mygs_user, can access them just fine. The third (Newdatabase) does not allow access unless I modify the common user to be a super-user, which obviously is not a best-practice.

Of course, I've tried setting the security settings of my NewDB to settings of the original ones with no dice.

Here are the two original databases:

mydatamodel

CREATE DATABASE mydatamodel
  WITH OWNER = postgres
       ENCODING = 'UTF8'
       TABLESPACE = datamodel_tablespace
       LC_COLLATE = 'English, United States'
       LC_CTYPE = 'English, United States'
       CONNECTION LIMIT = -1;

mygs

CREATE DATABASE mygs
  WITH OWNER = postgres
       ENCODING = 'UTF8'
       TABLESPACE = mygs_tablespace
       LC_COLLATE = 'English, United States'
       LC_CTYPE = 'English, United States'
       CONNECTION LIMIT = -1;

...and here is the new database:

CREATE DATABASE "NewDatabase"
  WITH OWNER = postgres
       ENCODING = 'UTF8'
       TABLESPACE = pg_default
       LC_COLLATE = 'English, United States'
       LC_CTYPE = 'English, United States'
       CONNECTION LIMIT = -1;
GRANT CONNECT, TEMPORARY ON DATABASE "NewDatabase" TO public;
GRANT ALL ON DATABASE "NewDatabase" TO postgres;
GRANT ALL ON DATABASE "NewDatabase" TO mygs_user;

The two original occupy separate tablespaces, while the new one doesn't:

CREATE TABLESPACE mygs_tablespace
  OWNER postgres
  LOCATION 'c:/MYGS_Database/PostgreSQL';



CREATE TABLESPACE datamodel_tablespace
  OWNER postgres
  LOCATION 'c:/MYGS_Database/MyDataModel';

This is the the commmon user:

CREATE ROLE mygs_user LOGIN
  SUPERUSER NOINHERIT NOCREATEDB NOCREATEROLE;
GRANT "MYGS" TO mygs_user;

...and the common role:

CREATE ROLE "MYGS"
  NOSUPERUSER INHERIT NOCREATEDB NOCREATEROLE;

Here are the pg_hba.conf file contents:

# TYPE  DATABASE    USER        CIDR-ADDRESS          METHOD
# IPv4 local connections:
host    all         all         127.0.0.1/32            md5

How can I grant access to the common user for the third database without granting superuser privileges?

Improve this question
2
  • 1
    Because of GRANT CONNECT, TEMPORARY ON DATABASE "NewDatabase" TO public any user should be able to connect to it. Please provide the error message if that's not the case. Commented Jun 1, 2012 at 14:33
  • The error was "Can't connect to this relation, tablename". You're right, the access privileges were set at the table-level for the two original databases. Commented Jun 1, 2012 at 14:49

2 Answers 2

Reset to default
2

I think you forgot to allow connecting to this database in pg_hba.conf configuration file.

You should probably add there something like:

# TYPE  DATABASE        USER            ADDRESS                 METHOD
local   Newdatabase     MYGS                                    md5
Improve this answer
Sign up to request clarification or add additional context in comments.

2 Comments

Tometzky, Great thought! However, we already have open access configured in the pg_hba: host all all 127.0.0.1/32 md5
Tometzky, I've updated my question with the pg_hba.conf file.
0

Upon further inspection, the privileges were set to authorize the the "MYGS" role at the object-level, with no explicit privileges at the database level. The problem is resolved by the following code, for each object-type:

Tables:

ALTER TABLE tableNameHere OWNER TO postgres;
GRANT ALL ON TABLE dtm_tableNameHereTO postgres;
GRANT SELECT, UPDATE, INSERT, DELETE ON TABLE tableNameHere TO "MYGS";

...functions:

ALTER FUNCTION functionNameHere(..) OWNER TO postgres;
GRANT EXECUTE ON FUNCTION functionNameHere(..) TO postgres;
GRANT EXECUTE ON FUNCTION functionNameHere(..) TO "MYGS";

...and sequences:

ALTER TABLE sequenceNameHere OWNER TO postgres;
GRANT ALL ON TABLE sequenceNameHere TO postgres;
GRANT SELECT, UPDATE ON TABLE sequenceNameHere TO "MYGS";

Although, the postgres user is not necessary for the solution to work.

Improve this answer

Comments

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.