Postgres Pro
Downloads
Home   >   mailing lists

Thread: Baffled by basic permission issue.

Baffled by basic permission issue.

From
Wells Oliver
Date:
I have a view that does this:

create view stats.v
select * from stats.t
join alias.i ON t.id = i.id
join alias.i2 ON t.id2 = i2.id;

And when I do: SELECT * FROM stats.v I receive: ERROR:  permission denied for table i

However, if I paste the contents of the view as a query and run it manually, it works fine.

I can also query alias.i as I please.

The role I am using to connect has USAGE on both stats and alias, it also has SELECT on the table as well as the view.

The only difference is that the view is owned by a different user than the tables, though the SELECT permissions are definitely granted.

psql 13.2

--

Re: Baffled by basic permission issue.

From
Holger Jakobs
Date:
If you want to use a view, you need the permissions for it. Not for the underlying tables

Am 16. Juni 2021 22:56:17 MESZ schrieb Wells Oliver <wells.oliver@gmail.com>:
I have a view that does this:

create view stats.v
select * from stats.t
join alias.i ON t.id = i.id
join alias.i2 ON t.id2 = i2.id;

And when I do: SELECT * FROM stats.v I receive: ERROR:  permission denied for table i

However, if I paste the contents of the view as a query and run it manually, it works fine.

I can also query alias.i as I please.

The role I am using to connect has USAGE on both stats and alias, it also has SELECT on the table as well as the view.

The only difference is that the view is owned by a different user than the tables, though the SELECT permissions are definitely granted.

psql 13.2

--

--
Holger Jakobs, Bergisch Gladbach
+49 178 9759012
- sent from mobile, therefore short -

Re: Baffled by basic permission issue.

From
Wells Oliver
Date:
The role has SELECT perm on the view and on the underlying tables and I am received a permission denied table on the table while trying to select from the view. The view is owned by a different user but SELECT perms are very clearly granted to my role.

On Wed, Jun 16, 2021 at 1:58 PM Holger Jakobs <holger@jakobs.com> wrote:
If you want to use a view, you need the permissions for it. Not for the underlying tables

Am 16. Juni 2021 22:56:17 MESZ schrieb Wells Oliver <wells.oliver@gmail.com>:
I have a view that does this:

create view stats.v
select * from stats.t
join alias.i ON t.id = i.id
join alias.i2 ON t.id2 = i2.id;

And when I do: SELECT * FROM stats.v I receive: ERROR:  permission denied for table i

However, if I paste the contents of the view as a query and run it manually, it works fine.

I can also query alias.i as I please.

The role I am using to connect has USAGE on both stats and alias, it also has SELECT on the table as well as the view.

The only difference is that the view is owned by a different user than the tables, though the SELECT permissions are definitely granted.

psql 13.2

--

--
Holger Jakobs, Bergisch Gladbach
+49 178 9759012
- sent from mobile, therefore short -


--

Re: Baffled by basic permission issue.

From
Wells Oliver
Date:
To follow up a bit, it seems clear to me that after I restored to a new server, there's some setting (maybe?) preventing folks from querying objects owned by other users EVEN if they have SELECT perms on the object, and USAGE on the schema. Is this a possibility?

On Wed, Jun 16, 2021 at 2:01 PM Wells Oliver <wells.oliver@gmail.com> wrote:
The role has SELECT perm on the view and on the underlying tables and I am received a permission denied table on the table while trying to select from the view. The view is owned by a different user but SELECT perms are very clearly granted to my role.

On Wed, Jun 16, 2021 at 1:58 PM Holger Jakobs <holger@jakobs.com> wrote:
If you want to use a view, you need the permissions for it. Not for the underlying tables

Am 16. Juni 2021 22:56:17 MESZ schrieb Wells Oliver <wells.oliver@gmail.com>:
I have a view that does this:

create view stats.v
select * from stats.t
join alias.i ON t.id = i.id
join alias.i2 ON t.id2 = i2.id;

And when I do: SELECT * FROM stats.v I receive: ERROR:  permission denied for table i

However, if I paste the contents of the view as a query and run it manually, it works fine.

I can also query alias.i as I please.

The role I am using to connect has USAGE on both stats and alias, it also has SELECT on the table as well as the view.

The only difference is that the view is owned by a different user than the tables, though the SELECT permissions are definitely granted.

psql 13.2

--

--
Holger Jakobs, Bergisch Gladbach
+49 178 9759012
- sent from mobile, therefore short -


--


--

Re: Baffled by basic permission issue.

From
Wells Oliver
Date:
As one last follow up, and I apologize for the volume, but this might be related to RDS: our DBs were in a 'Modifying...' state and being backed up, and now something has changed, and we can query these views again. I don't understand. Maybe the underlying tables were temporarily locked during some RDS backup process. 

Anyone run into that kind of thing?

On Wed, Jun 16, 2021 at 2:10 PM Wells Oliver <wells.oliver@gmail.com> wrote:
To follow up a bit, it seems clear to me that after I restored to a new server, there's some setting (maybe?) preventing folks from querying objects owned by other users EVEN if they have SELECT perms on the object, and USAGE on the schema. Is this a possibility?

On Wed, Jun 16, 2021 at 2:01 PM Wells Oliver <wells.oliver@gmail.com> wrote:
The role has SELECT perm on the view and on the underlying tables and I am received a permission denied table on the table while trying to select from the view. The view is owned by a different user but SELECT perms are very clearly granted to my role.

On Wed, Jun 16, 2021 at 1:58 PM Holger Jakobs <holger@jakobs.com> wrote:
If you want to use a view, you need the permissions for it. Not for the underlying tables

Am 16. Juni 2021 22:56:17 MESZ schrieb Wells Oliver <wells.oliver@gmail.com>:
I have a view that does this:

create view stats.v
select * from stats.t
join alias.i ON t.id = i.id
join alias.i2 ON t.id2 = i2.id;

And when I do: SELECT * FROM stats.v I receive: ERROR:  permission denied for table i

However, if I paste the contents of the view as a query and run it manually, it works fine.

I can also query alias.i as I please.

The role I am using to connect has USAGE on both stats and alias, it also has SELECT on the table as well as the view.

The only difference is that the view is owned by a different user than the tables, though the SELECT permissions are definitely granted.

psql 13.2

--

--
Holger Jakobs, Bergisch Gladbach
+49 178 9759012
- sent from mobile, therefore short -


--


--


--

Re: Baffled by basic permission issue.

From
Tom Lane
Date:
Wells Oliver <wells.oliver@gmail.com> writes:
> The role has SELECT perm on the view and on the underlying tables and I am
> received a permission denied table on the table while trying to select from
> the view. The view is owned by a different user but SELECT perms are very
> clearly granted to my role.

When you select from a view, you need permissions only on the view.
The view's owner needs permissions on the underlying table(s).
This is so that views can act as permission gateways.

            regards, tom lane

Re: Baffled by basic permission issue.

From
Wim Bertels
Date:
Tom Lane schreef op wo 16-06-2021 om 17:21 [-0400]:
> 
> When you select from a view, you need permissions only on the view.
> The view's owner needs permissions on the underlying table(s).
> This is so that views can act as permission gateways.

additionally,
if you want to allow modifications through this view,
have a look at 'with check option' to avoid unwanted permission side-
effects

> 
>             regards, tom lane
> 
> 
-- 
mvg,
Wim Bertels