List the database privileges using psql
-
16-10-2019 - |
Question
I'm in the middle of a database server migration and I can't figure (after googling and searching here) how can I list the database privileges (or all the privileges across the server) on PostgreSQL using the psql
command line tool?
I'm on Ubuntu 11.04 and my PostgreSQL version is 8.2.x.
Solution
postgres=> \l
List of databases
Name | Owner | Encoding | Collate | Ctype | Access privileges
-----------+----------+----------+-------------+-------------+-----------------------
postgres | postgres | UTF8 | en_US.UTF-8 | en_US.UTF-8 |
template0 | postgres | UTF8 | en_US.UTF-8 | en_US.UTF-8 | =c/postgres +
| | | | | postgres=CTc/postgres
template1 | postgres | UTF8 | en_US.UTF-8 | en_US.UTF-8 | =c/postgres +
| | | | | postgres=CTc/postgres
The docs on GRANT
give an explanation of how to interpret the output. For specific privileges on a table of the current database, use \z myTable
.
OTHER TIPS
perhaps you mean listing users and their privileges for a database - I can't quite tell from the question:
postgres=> \du
List of roles
Role name | Attributes | Member of
-----------------+--------------+------------------------------------------------
dba | Create role | {util_user,helpdesk_user,helpdesk_admin}
helpdesk_admin | Cannot login | {helpdesk_user}
helpdesk_user | Cannot login | {helpdesk_reader}
jack | | {helpdesk_admin}
postgres | Superuser | {}
: Create role
: Create DB
You can do that by following:
SELECT grantee, privilege_type
FROM information_schema.role_table_grants
WHERE table_name='mytable'
This gives you this kind of output:
mail=# select grantee, privilege_type from information_schema.role_table_grants where table_name='aliases';
grantee | privilege_type
--------------+-----------------
mailreader | INSERT
mailreader | SELECT
mailreader | UPDATE
mailreader | DELETE
mailreader | TRUNCATE
mailreader | REFERENCES
mailreader | TRIGGER
(7 rows)
mail=#
Using psql
meta-commands:
https://www.postgresql.org/docs/current/static/app-psql.html
Going over the page with Ctrl+F gives:
\ddp [ pattern ]
Lists default access privilege settings.
\dp [ pattern ]
Lists tables, views and sequences with their associated access privileges.
\l[+] [ pattern ]
List the databases in the server and show .... access privileges.
Also mentioned above, but not found with word "privileges" on the manual page:
\du+
for roles with login and \dg+
for roles without - will have a filed "Member of"
where you find roles granted to roles.
I deliberately skip function and language privileges here, found in psql
manual as barely manipulated (and if you do use those privileges you wont come here for an advise). same for user defined types, domains and so on - using "+" after the meta-command will show you privileges if applicable.
A little extreme way to check the privileges is dropping the user in transaction, e.g.:
s=# begin; drop user x;
BEGIN
Time: 0.124 ms
ERROR: role "x" cannot be dropped because some objects depend on it
DETAIL: privileges for type "SO dT"
privileges for sequence so
privileges for schema bin
privileges for table xx
privileges for table "csTest"
privileges for table tmp_x
privileges for table s1
privileges for table test
Time: 0.211 ms
s=# rollback;
ROLLBACK
Time: 0.150 ms
When the list is longer than N, (at least in 9.3), warning with list of privileges is collapsed, but you still can find it full in logs...
Undercovers psql uses the bellow query when you issue \du
command.
SELECT r.rolname, r.rolsuper, r.rolinherit,
r.rolcreaterole, r.rolcreatedb, r.rolcanlogin,
r.rolconnlimit, r.rolvaliduntil,
ARRAY(SELECT b.rolname
FROM pg_catalog.pg_auth_members m
JOIN pg_catalog.pg_roles b ON (m.roleid = b.oid)
WHERE m.member = r.oid) as memberof
, r.rolreplication
, r.rolbypassrls
FROM pg_catalog.pg_roles r
WHERE r.rolname !~ '^pg_'
ORDER BY 1;
A (possibly obvious) additional step is become the postgres user, otherwise you may get errors about roles not existing.
sudo su - postgres
psql -l
or
psql
postgres=> \l
-- file: src/sql/pgsql/list-table-priviledges.sql
-- usage:
-- alias psql="PGPASSWORD=${postgres_db_useradmin_pw:-} psql -v -q -t -X -w -U ${postgres_db_useradmin:-}"
-- psql -d dev_qto < src/sql/pgsql/list-table-priviledges.sql | less
SELECT grantee, table_name , privilege_type
FROM information_schema.role_table_grants
WHERE 1=1
AND grantee = 'usrqtoapp'
AND table_name='readme_doc'
;
-- purpose:
-- list the priveledges per user or for user in a database
-- eof file: src/sql/pgsql/list-table-priviledges.sql
output
usrqtoapp | readme_doc | INSERT
usrqtoapp | readme_doc | SELECT
usrqtoapp | readme_doc | UPDATE
usrqtoapp | readme_doc | DELETE