At times we need to do a DROP USER and are unable to do so, because of existing "DEFAULT PRIVILEGES" that exist associated to the user, which disallow a DROP USER to go ahead.
Common SQL such as this do not give DEFAULT PRIVILEGES.
You can find DEFAULT PRIVILEGES by using \ddp in psql. If you haven't heard of psql, probably that'd be a good place to start.
Once you have the privileges, you need to understand how permissions are assigned, some detailing on the cryptic letters and their meanings is given here.
Once you have that, you need to essentially revert the GRANTs (using REVOKE command) and remove those default privileges one by one.
A sample is given below:
pg postgres2@t3=> create group dbuser;
CREATE ROLE
pg postgres2@t3=> alter group dbuser add user jacob;
ALTER ROLE
pg postgres2@t3=> alter group dbuser add user postgres2;
ALTER ROLE
pg postgres2@t3=> alter default privileges for user dbuser grant select on tables to jacob;
ALTER DEFAULT PRIVILEGES
pg postgres2@t3=> \ddp
Default access privileges
┌────────┬────────┬───────┬───────────────────────┐
│ Owner │ Schema │ Type │ Access privileges │
├────────┼────────┼───────┼───────────────────────┤
│ dbuser │ │ table │ jacob=r/dbuser │
│ │ │ │ dbuser=arwdDxt/dbuser │
└────────┴────────┴───────┴───────────────────────┘
(1 row)
pg postgres2@t3=> alter default privileges for user dbuser grant select on sequences to jacob;
ALTER DEFAULT PRIVILEGES
pg postgres2@t3=> alter default privileges for user dbuser grant usage on sequences to jacob;
ALTER DEFAULT PRIVILEGES
pg postgres2@t3=> \ddp
Default access privileges
┌────────┬────────┬──────────┬───────────────────────┐
│ Owner │ Schema │ Type │ Access privileges │
├────────┼────────┼──────────┼───────────────────────┤
│ dbuser │ │ sequence │ jacob=rU/dbuser │
│ │ │ │ dbuser=rwU/dbuser │
│ dbuser │ │ table │ jacob=r/dbuser │
│ │ │ │ dbuser=arwdDxt/dbuser │
└────────┴────────┴──────────┴───────────────────────┘
(2 rows)
pg postgres2@t3=> drop user jacob;
ERROR: 2BP01: role "jacob" cannot be dropped because some objects depend on it
DETAIL: privileges for default privileges on new sequences belonging to role dbuser
privileges for default privileges on new relations belonging to role dbuser
LOCATION: DropRole, user.c:1045
pg postgres2@t3=> ALTER DEFAULT PRIVILEGES FOR USER dbuser REVOKE SELECT ON tables FROM jacob;
ALTER DEFAULT PRIVILEGES
pg postgres2@t3=> ALTER DEFAULT PRIVILEGES FOR USER dbuser REVOKE SELECT ON sequences FROM jacob;
ALTER DEFAULT PRIVILEGES
pg postgres2@t3=> ALTER DEFAULT PRIVILEGES FOR USER dbuser REVOKE USAGE ON sequences FROM jacob;
ALTER DEFAULT PRIVILEGES
pg postgres2@t3=> \du
List of roles
┌─────────────────┬────────────────────────────────────────────────────────────┬─────────────────────────────────────┐
│ Role name │ Attributes │ Member of │
├─────────────────┼────────────────────────────────────────────────────────────┼─────────────────────────────────────┤
│ dbuser │ Cannot login │ {} │
│ jacob │ │ {dbuser} │
│ postgres2 │ Create role, Create DB │ {rds_superuser,dbuser} │
│ rds_superuser │ Cannot login │ {rds_replication} │
└─────────────────┴────────────────────────────────────────────────────────────┴─────────────────────────────────────┘
pg postgres2@t3=> \ddp
Default access privileges
┌───────┬────────┬──────┬───────────────────┐
│ Owner │ Schema │ Type │ Access privileges │
├───────┼────────┼──────┼───────────────────┤
└───────┴────────┴──────┴───────────────────┘
(0 rows)
pg postgres2@t3=> drop user jacob;
DROP ROLE
This method should allow you to remove all DEFAULT PRIVILEGEs (only) for this User.
Note: Importantly, you'd need to repeat the above step for *each* database!
Subscribe to:
Post Comments (Atom)
On-Prem AI chatbot - Hello World!
In continuation of the recent posts... Finally got a on-premise chat-bot running! Once downloaded, the linux box is able to spin up / down t...
-
(Please scroll down to the read the entire-post to know more) Documents required for Christian Marriage Registration (a.k.a. Documents...
-
My patch (allowing a non-super-user to dump Globals) just got committed to Postgres 10.0. Besides the use mentioned above, this patch al...
-
pg_tle - A Must-Know for Developers PostgreSQL is a fantastic database, packed with features. But sometimes, you need to add a little somet...
1 comment:
Post a Comment