can't revoke a custom privilege

I follow an example from https://ldap2pg.readthedocs.io/en/latest/privileges/#defining-custom-privilege to define a custom privilege:

inspect query for datacl must return a rowset with two columns, the first is unused, the second is the name of grantee.
privileges:
  my_grant_all_on_database_privilege:
    type: datacl
    grant: GRANT ALL ON DATABASE {database} TO {role};
    revoke:  REVOKE ALL ON DATABASE {database} FROM {role};
    inspect: SELECT 1, 'admin'; 

sync_map:
- grant:
    database: mydb
    schema: public
    privilege: my_grant_all_on_database_privilege
    role: admin

The privilege does get granted, but it can’t be revoked. My question is what would be a proper “inspect” definition in this case?
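
An inspect query that reads the actual grantees from the database ACL instead of returning a constant row, as an added example that is not part of the original issue and not ldap2pg's own code. It assumes the query runs while connected to the target database, that PostgreSQL's `aclexplode()` is available, and that "ALL" on a database means CREATE, CONNECT and TEMPORARY.

```sql
-- Added example: candidate body for the `inspect:` key of a datacl privilege.
-- Contract quoted in the issue: two columns, the first is unused,
-- the second is the name of the grantee.
-- Assumption: ldap2pg executes this while connected to the database
-- being inspected, so current_database() selects the right ACL.
SELECT
    NULL      AS unused,
    r.rolname AS grantee
FROM pg_catalog.pg_database AS d
-- aclexplode() turns each aclitem into (grantor, grantee, privilege_type, is_grantable).
-- A NULL datacl (defaults never altered) yields no rows.
CROSS JOIN LATERAL aclexplode(d.datacl) AS a
-- Grantee OID 0 is PUBLIC; it has no pg_roles row, so the join drops it.
JOIN pg_catalog.pg_roles AS r ON r.oid = a.grantee
WHERE d.datname = current_database()
  AND a.privilege_type IN ('CREATE', 'CONNECT', 'TEMPORARY')
GROUP BY r.rolname
-- Report a role only when it holds all three database privileges,
-- which is what GRANT ALL ON DATABASE is assumed to grant here.
HAVING count(DISTINCT a.privilege_type) = 3;
```

Because the result reflects the live ACL, a role that loses the grant disappears from the rowset, and a role that holds it without being declared in `sync_map` shows up as a candidate for revocation.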

Issue Analytics

  • State: closed
  • Created 5 years ago
  • Comments: 8 (5 by maintainers)

Top GitHub Comments

2 reactions
bersace commented, Nov 16, 2018

@ankravch oh, yes, you’re right. schema is not actually ignored. I must fix that! Thanks for pointing it out.

and now I am able to revoke my_grant_all_on_database_privilege.

Good! 😃 I’m listing here what should be done to help other users in your situation. Please let me know if something is missing or wrong:

Tasks

  • Fix schema not ignored in datacl privileges inspect.
  • Update Cookbook about revocation of privileges.
  • Detect grants on users not yet in managed roles (in dry run).

0 reactions
bersace commented, Nov 16, 2018

Ok, let’s close. @ankravch don’t hesitate to comment on #251 if you find the doc is not clear enough. Thanks!
