I recently wanted to share regular access rights with one user of a server and I realized that a simple CREATE USER and GRANT ALL ON DATABASE commands didn't let him run a simple SELECT on the data.
I would like to grant rights to all tables from a given database to a specified user, but I am not sure if it is the best idea to grant him access to whole schema public as I don't know if it would allow some kind of privilege escalation. Is there any other way?
... adds the predefined role pg_read_all_data to make this simple:
GRANT pg_read_all_data TO myuser;
pg_read_all_dataRead all data (tables, views, sequences), as if having
SELECTrights on those objects, andUSAGErights on all schemas, even without having it explicitly. This role does not have the role attributeBYPASSRLSset. If RLS is being used, an administrator may wish to setBYPASSRLSon roles which this role isGRANTed to.
The privilege on DATABASE only grants general connection rights to the database and no more. A user with just that privilege can only see what the general public is allowed to see.
To grant read access to all tables, you also need privileges on all schemas and tables:
GRANT USAGE ON SCHEMA public TO myuser; -- more schemas?
GRANT SELECT ON ALL TABLES IN SCHEMA public TO myuser;
You may also want to set default privileges for future schemas and tables. Run for every role that creates objects in your db
ALTER DEFAULT PRIVILEGES FOR ROLE mycreating_user IN SCHEMA public
GRANT SELECT ON TABLES TO myuser;
But you really need to understand the whole concept first.
And it's almost always better to bundle privileges in group roles and then grant/revoke the group role to/from user roles. Related: