Simple ACL example
Hi,
I would like to control permissions of the objects in Postgres. Our scenario is that we have one database and I would like all objects (tables, schemas …) to be accessible to all. My current conf is (the ACL bit is taken from the cookbook):
```yaml
acls:
  ro:
  - __usage_on_schemas__
  - __select_on_tables__
  rw:
  - ro
  - __all_on_tables__
  ddl:
  - rw
  - __create_on_schemas__

sync_map:
- roles:
  - names: [owners, readers, writers]
    options: NOLOGIN
    database: company
- grant:
  - acl: ro
    database: company
    schema: __all__
    role: readers
  - acl: rw
    database: company
    schema: __all__
    role: writers
  - acl: ddl
    database: company
    schema: __all__
    role: owners
- ldap:
    base: "OU=People,OU=company,DC=int,DC=company,DC=com"
    attributes: sAMAccountName
  role:
    name_attribute: sAMAccountName
    options: LOGIN NOSUPERUSER NOCREATEDB
    parent: owners
  grant:
  - acl: ddl
    role: owners
```
As you can see above, all LDAP users are being assigned to the ddl group; however, when I run it, it prevents users from logging in using pgAdmin 4. I have tried a few variations of the above and got errors like these (from postgresql.log):
```
2018-01-25 18:28:06.141 UTC [20822] joshlk@postgres ERROR: permission denied for function version
2018-01-25 18:28:06.141 UTC [20822] joshlk@postgres STATEMENT: SELECT version()
2018-01-25 18:25:23.306 UTC [20810] joshlk@postgres ERROR: permission denied for schema pg_catalog at character 143
2018-01-25 18:25:23.306 UTC [20810] joshlk@postgres STATEMENT:
SELECT
oid as id, rolname as name, rolsuper as is_superuser,
rolcreaterole as can_create_role, rolcreatedb as can_create_db
FROM
pg_catalog.pg_roles
WHERE
rolname = current_user
2018-01-25 18:47:00.433 UTC [21181] joshlk@postgres ERROR: permission denied for schema pg_catalog
2018-01-25 18:47:00.433 UTC [21181] joshlk@postgres STATEMENT: SELECT CASE WHEN usesuper
THEN pg_is_in_recovery()
ELSE FALSE
END as inrecovery,
CASE WHEN usesuper AND pg_is_in_recovery()
THEN pg_is_xlog_replay_paused()
ELSE FALSE
END as isreplaypaused
FROM pg_user WHERE usename=current_user
```
It looks like it is because it is locking users out from accessing the postgres default database and the objects within it. Can I ask ldap2pg to exclude revoking permissions on the postgres database?
Do you have any recommendations on what ACL rules to use? What I want to prevent is someone creating a table or schema and then the rest of the team not being able to access it. My team is small, so something simple would suffice.
Bonus question… is there a way that when a user is created a schema of the same name is also created? So for user joshlk it automatically creates a schema joshlk?
Many thanks for your help and really appreciate your work and giving to the open source community!
Josh
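A post-sync sanity check for the lock-out described above, added here as an example and not part of the original issue or of the ldap2pg project. It lists, for every non-superuser LOGIN role, the exact privileges the failing pgAdmin queries needed (USAGE on pg_catalog, EXECUTE on version(), SELECT on pg_roles/pg_user) plus any user schema the role has lost USAGE on; it assumes you run it as a superuser on each database ldap2pg manages (company and postgres here).

```sql
-- Added example (not ldap2pg code): run after every ldap2pg sync, once per
-- database, as a superuser. A FALSE in any column or a non-empty
-- schemas_without_usage reproduces the "permission denied" errors above.
SELECT r.rolname,
       -- "permission denied for schema pg_catalog"
       has_schema_privilege(r.oid, 'pg_catalog', 'USAGE')
           AS catalog_usage,
       -- "permission denied for function version"
       has_function_privilege(r.oid, 'pg_catalog.version()', 'EXECUTE')
           AS can_call_version,
       -- catalog views the pgAdmin login queries read
       has_table_privilege(r.oid, 'pg_catalog.pg_roles', 'SELECT')
           AS can_read_pg_roles,
       has_table_privilege(r.oid, 'pg_catalog.pg_user', 'SELECT')
           AS can_read_pg_user,
       -- user schemas (system schemas excluded) where USAGE was revoked
       (SELECT string_agg(n.nspname, ', ' ORDER BY n.nspname)
          FROM pg_catalog.pg_namespace n
         WHERE n.nspname NOT LIKE 'pg\_%'
           AND n.nspname <> 'information_schema'
           AND NOT has_schema_privilege(r.oid, n.oid, 'USAGE'))
           AS schemas_without_usage
  FROM pg_catalog.pg_roles r
 WHERE r.rolcanlogin
   AND NOT r.rolsuper
 ORDER BY r.rolname;
```

Because the has_*_privilege functions account for grants inherited through group roles (readers, writers, owners) and from PUBLIC, the result reflects what the LDAP-synced login actually gets at connect time, not just its direct grants.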
Top GitHub Comments
I need to document this. Don't forget to star ldap2pg 😃

@joshlk congrats, it's fun 😃

A tip: by default, ldap2pg considers superusers as owners. You should customize owners_query: check this query before pasting it in the YAML!