What PostgreSQL query or view can determine who set a user's permissions?
16-06-2021
Question
I am trying to revoke a database user's permissions and it seems that permissions can only be revoked by the user who granted them. There is a thread here discussing the issue: http://archives.postgresql.org/pgsql-bugs/2007-05/msg00234.php
The thread dates back to 2007 and I am not quite sure whether it is viewed as a bug and whether that problem is still present in PostgreSQL 8.4, which I am using.
Is there a query or a view that can display that information? That way I can use set session authorization and revoke it.
Solution
PostgreSQL 8.4 is outdated. Check out the versioning policy for details. But since it is the standard behavior of SQL (as Tom Lane states in the linked discussion you provided), it's not likely to have changed.
Privileges are stored in the system catalog with the respective object. For instance, for a table:
SELECT n.nspname, c.relname, c.relacl
FROM   pg_catalog.pg_class c
JOIN   pg_catalog.pg_namespace n ON n.oid = c.relnamespace
WHERE  c.oid = 'myschema.mytbl'::regclass;  -- your table name here
Would produce something like:
 nspname  | relname |                   relacl
----------+---------+--------------------------------------------
 myschema | mytbl   | {postgres=arwdDxt/postgres,fuser=r/fadmin}
The role name after the slash is the grantor. To revoke, as user fadmin (or any superuser):
REVOKE SELECT ON TABLE myschema.mytbl FROM fuser;
There are similar *acl columns in other system tables: pg_namespace for schemas etc. See the list of system tables in the manual.
A simpler way would be to use pgAdmin and select an object in the object browser to the left. The ACL will be displayed in the properties pane, top right.
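As an added example (not part of the original answer), the query below breaks the relacl array into one row per privilege, resolves grantor and grantee to role names, and builds the matching REVOKE statement to run as that grantor or a superuser. It assumes PostgreSQL 9.3 or later, so it does not run on 8.4; myschema.mytbl and fuser are the names from the answer's sample output.

```sql
-- Added example, not from the original answer.
-- Assumes PostgreSQL 9.3+: aclexplode() (9.0), format() (9.1), LATERAL (9.3).
-- A NULL relacl (only default privileges in effect) yields no rows.
WITH acl AS (
    SELECT n.nspname,
           c.relname,
           pg_catalog.pg_get_userbyid(a.grantor)::text AS grantor,
           CASE WHEN a.grantee = 0 THEN 'PUBLIC'      -- OID 0 stands for PUBLIC
                ELSE pg_catalog.quote_ident(
                         pg_catalog.pg_get_userbyid(a.grantee)::text)
           END AS grantee,
           a.privilege_type,                          -- e.g. SELECT, INSERT
           a.is_grantable                             -- true if WITH GRANT OPTION
    FROM   pg_catalog.pg_class c
    JOIN   pg_catalog.pg_namespace n ON n.oid = c.relnamespace
    CROSS  JOIN LATERAL pg_catalog.aclexplode(c.relacl) AS a
    WHERE  c.oid = 'myschema.mytbl'::regclass         -- table name from the answer
)
SELECT grantor,
       grantee,
       privilege_type,
       is_grantable,
       -- Statement to execute while connected as "grantor" (or as a superuser)
       format('REVOKE %s ON TABLE %I.%I FROM %s;',
              privilege_type, nspname, relname, grantee) AS revoke_stmt
FROM   acl
WHERE  grantee = 'fuser'                              -- role from the sample output
ORDER  BY grantor, privilege_type;
```

Dropping the final WHERE clause lists every grant on the table, including the owner's own entry, which is useful when auditing who handed out which privilege before revoking anything.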