List the database privileges using psql

dba.stackexchange https://dba.stackexchange.com/questions/4286

Question

I'm in the middle of a database server migration and I can't figure (after googling and searching here) how can I list the database privileges (or all the privileges across the server) on PostgreSQL using the psql command line tool?

I'm on Ubuntu 11.04 and my PostgreSQL version is 8.2.x.

Was it helpful?

Solution 

postgres=> \l
                                  List of databases
   Name    |  Owner   | Encoding |   Collate   |    Ctype    |   Access privileges   
-----------+----------+----------+-------------+-------------+-----------------------
 postgres  | postgres | UTF8     | en_US.UTF-8 | en_US.UTF-8 | 
 template0 | postgres | UTF8     | en_US.UTF-8 | en_US.UTF-8 | =c/postgres          +
           |          |          |             |             | postgres=CTc/postgres
 template1 | postgres | UTF8     | en_US.UTF-8 | en_US.UTF-8 | =c/postgres          +
           |          |          |             |             | postgres=CTc/postgres

The docs on GRANT give an explanation of how to interpret the output. For specific privileges on a table of the current database, use \z myTable.

OTHER TIPS

perhaps you mean listing users and their privileges for a database - I can't quite tell from the question:

postgres=> \du
                             List of roles
    Role name    |  Attributes  |                    Member of
-----------------+--------------+------------------------------------------------
 dba             | Create role  | {util_user,helpdesk_user,helpdesk_admin}
 helpdesk_admin  | Cannot login | {helpdesk_user}
 helpdesk_user   | Cannot login | {helpdesk_reader}
 jack            |              | {helpdesk_admin}
 postgres        | Superuser    | {}
                 : Create role
                 : Create DB

You can do that by following:

SELECT grantee, privilege_type 
FROM information_schema.role_table_grants 
WHERE table_name='mytable'

This gives you this kind of output:

mail=# select grantee, privilege_type from information_schema.role_table_grants where table_name='aliases';
   grantee    |  privilege_type
--------------+-----------------
 mailreader   |  INSERT
 mailreader   |  SELECT
 mailreader   |  UPDATE
 mailreader   |  DELETE
 mailreader   |  TRUNCATE
 mailreader   |  REFERENCES
 mailreader   |  TRIGGER
(7 rows)

mail=#

Using psql meta-commands:

https://www.postgresql.org/docs/current/static/app-psql.html

Going over the page with Ctrl+F gives:

\ddp [ pattern ] Lists default access privilege settings.

\dp [ pattern ] Lists tables, views and sequences with their associated access privileges.

\l[+] [ pattern ] List the databases in the server and show .... access privileges.

Also mentioned above, but not found with word "privileges" on the manual page:

\du+ for roles with login and \dg+ for roles without - will have a filed "Member of" where you find roles granted to roles.

I deliberately skip function and language privileges here, found in psql manual as barely manipulated (and if you do use those privileges you wont come here for an advise). same for user defined types, domains and so on - using "+" after the meta-command will show you privileges if applicable.

A little extreme way to check the privileges is dropping the user in transaction, e.g.:

s=# begin; drop user x;
BEGIN
Time: 0.124 ms
ERROR:  role "x" cannot be dropped because some objects depend on it
DETAIL:  privileges for type "SO dT"
privileges for sequence so
privileges for schema bin
privileges for table xx
privileges for table "csTest"
privileges for table tmp_x
privileges for table s1
privileges for table test
Time: 0.211 ms
s=# rollback;
ROLLBACK
Time: 0.150 ms

When the list is longer than N, (at least in 9.3), warning with list of privileges is collapsed, but you still can find it full in logs...

Undercovers psql uses the bellow query when you issue \du command.

SELECT r.rolname, r.rolsuper, r.rolinherit,
  r.rolcreaterole, r.rolcreatedb, r.rolcanlogin,
  r.rolconnlimit, r.rolvaliduntil,
  ARRAY(SELECT b.rolname
        FROM pg_catalog.pg_auth_members m
        JOIN pg_catalog.pg_roles b ON (m.roleid = b.oid)
        WHERE m.member = r.oid) as memberof
, r.rolreplication
, r.rolbypassrls
FROM pg_catalog.pg_roles r
WHERE r.rolname !~ '^pg_'
ORDER BY 1;

A (possibly obvious) additional step is become the postgres user, otherwise you may get errors about roles not existing.

sudo su - postgres
psql -l

or

psql
postgres=> \l

-- file: src/sql/pgsql/list-table-priviledges.sql
-- usage:
-- alias psql="PGPASSWORD=${postgres_db_useradmin_pw:-} psql -v -q -t -X -w -U ${postgres_db_useradmin:-}"
-- psql -d dev_qto < src/sql/pgsql/list-table-priviledges.sql | less
SELECT grantee, table_name , privilege_type
FROM information_schema.role_table_grants
WHERE 1=1
AND grantee = 'usrqtoapp'
AND table_name='readme_doc'
;

-- purpose:
-- list the priveledges per user or for user in a database
-- eof file: src/sql/pgsql/list-table-priviledges.sql

output 

usrqtoapp | readme_doc | INSERT
usrqtoapp | readme_doc | SELECT
usrqtoapp | readme_doc | UPDATE
usrqtoapp | readme_doc | DELETE
Licensed under: CC-BY-SA with attribution
Not affiliated with dba.stackexchange
scroll top