How to find privileges granted to a user in postgresql

I am using redshift cluster db.

Version:

PostgreSQL 8.0.2 on i686-pc-linux-gnu, compiled by GCC gcc (GCC) 3.4.2 20041017 (Red Hat 3.4.2-6.fc3), Redshift 1.0.735

I just need to delete one user. The following is the error message:

redshiftpocdb=# drop user test_55;
ERROR:  user "test_55" cannot be dropped because the user has a privilege on some object

I am pasting the \dp output:

redshiftpocdb=# \dp
              Access privileges
 schema |  name   | type  | access privileges
--------+---------+-------+-------------------
 public | company | table |
 public | test2   | table |
 public | test22  | table |
 public | test222 | table |
 public | v_date  | table |
(5 rows)

In a regular PostgreSQL environment we have the DROP OWNED BY command, but this command does not work in Redshift.

So again, how can I find out which privileges are granted to TEST_55? Are there any views I can query (e.g., in Oracle we have DBA_ROLE_PRIVS, DBA_TAB_PRIVS, DBA_SYS_PRIVS, etc.)?

Thanks

3 answers

To remove a user, you must (at least)

  • if they have any objects, change the owner to another user
  • remove grants from any objects
  • remove them from groups.

First, find any tables they own (then use "alter table owner to"):

-- Tables owned by test_55. Each one must be handed to another owner
-- ("alter table ... owner to ...") before the user can be dropped.
-- NOTE(review): pg_tables lists tables only; other objects the user may own
-- (e.g. views, see pg_views.viewowner) need a separate check -- confirm.
SELECT *
FROM pg_tables
WHERE tableowner = 'test_55'

Then generate a script that revokes their grants:

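-- Builds one REVOKE statement per relation on which 'test_55' is a direct
-- grantee in pg_class.relacl. Review the generated statements before running
-- them: they come from text-parsing the ACL, not from a privilege API.
--
-- ACL entries have the form grantee=privs/grantor. The ACL is joined with '|'
-- and given a leading '|' so the grantee is matched exactly as '|name='.
-- A plain LIKE '%name%' would also hit longer user names that contain it,
-- entries where the name is only the grantor, and near-misses, because '_'
-- is a LIKE wildcard.
-- NOTE(review): names that need quoting are presumably stored double-quoted
-- in the ACL and would not match '|name=' -- confirm for such users.
-- Grants held through a group or through PUBLIC are not listed here.
select
    acl.relacl,
    'revoke '
    || substring(
            -- one ACL letter per privilege; each hit adds ',<privilege> '
            case when charindex('r', acl.privs) > 0 then ',select ' else '' end
          ||case when charindex('w', acl.privs) > 0 then ',update ' else '' end
          ||case when charindex('a', acl.privs) > 0 then ',insert ' else '' end
          ||case when charindex('d', acl.privs) > 0 then ',delete ' else '' end
          ||case when charindex('R', acl.privs) > 0 then ',rule ' else '' end
          ||case when charindex('x', acl.privs) > 0 then ',references ' else '' end
          ||case when charindex('t', acl.privs) > 0 then ',trigger ' else '' end
          ||case when charindex('X', acl.privs) > 0 then ',execute ' else '' end
          ||case when charindex('U', acl.privs) > 0 then ',usage ' else '' end
          ||case when charindex('C', acl.privs) > 0 then ',create ' else '' end
          ||case when charindex('T', acl.privs) > 0 then ',temporary ' else '' end
        , 2, 10000)  -- start at 2 to drop the leading comma
    -- quote_ident keeps mixed-case or unusual names from producing a
    -- statement that is broken or that targets a different object
    || ' on ' || quote_ident(acl.namespace) || '.' || quote_ident(acl.item)
    || ' from ' || quote_ident(acl.usename) || ';' as grantsql
from (
    select
        nsp.nspname as namespace,
        c.relname as item,
        c.relacl,
        pu.usename,
        -- privilege letters of this user's own ACL entry (text between
        -- '|name=' and the following '/')
        split_part(
            split_part('|' || array_to_string(c.relacl, '|'),
                       '|' || pu.usename || '=', 2),
            '/', 1) as privs
    from pg_class c
    inner join pg_namespace nsp on c.relnamespace = nsp.oid
    -- as in the original, only relations whose owner exists in pg_user
    inner join pg_user own on c.relowner = own.usesysid
    inner join pg_user pu
        on charindex('|' || pu.usename || '=',
                     '|' || array_to_string(c.relacl, '|')) > 0
    where c.relacl is not null
      and nsp.nspname not in ('pg_catalog', 'pg_toast', 'information_schema')
      and pu.usename = 'test_55'
) acl
-- an entry with no privilege letters would yield an invalid "revoke  on ..."
where acl.privs <> ''
order by acl.namespace, acl.item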

Then find any groups they belong to (and use "alter group drop user"):

-- Groups that test_55 is a member of; 'default' is shown when the user is in
-- no group. Each listed membership is removed with "alter group ... drop user".
-- grolist holds member user ids; wrapping both sides in commas makes the LIKE
-- match a whole id only (id 10 does not match 100 or 110).
SELECT
    u.usesysid,
    u.usename,
    nvl(g.groname, 'default')
FROM pg_user u
LEFT JOIN pg_group g
    ON ',' || array_to_string(g.grolist, ',') || ','
       LIKE '%,' || CAST(u.usesysid AS varchar(10)) || ',%'
WHERE u.usename = 'test_55'
ORDER BY u.usename, u.usesysid;

Then check whether they hold grants on any schemas:

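-- Schemas whose ACL names test_55 as grantee or as grantor.
-- ACL entries have the form grantee=privs/grantor, joined here with ','.
-- Matching ',name=' (grantee) and '/name,' (grantor) against the delimited
-- string avoids the false hits of LIKE '%test_55%': longer user names that
-- contain the text, and near-misses caused by '_' being a LIKE wildcard.
-- NOTE(review): nspowner > 1 presumably skips schemas owned by the initial
-- superuser; schemas owned by test_55 itself are not detected by the ACL
-- test and need an ownership check -- confirm.
select *
from pg_namespace
where nspowner > 1
  and (
      charindex(',test_55=', ',' || array_to_string(nspacl, ',')) > 0
      or charindex('/test_55,', array_to_string(nspacl, ',') || ',') > 0
  );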

Alternatively, use this query to list the table and view privileges held by a user:

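-- Reports, per user and per table/view, which of select / insert / update /
-- delete / references HAS_TABLE_PRIVILEGE says the user holds.
-- Replace the two '[optional ...]' placeholders, or remove those predicates,
-- before running.
-- NOTE(review): HAS_TABLE_PRIVILEGE presumably reports effective access
-- (ownership, group membership, PUBLIC, superuser), not only direct grants,
-- so a TRUE here is not by itself the grant that blocks DROP USER -- confirm.
WITH
usrs AS (
    -- only the name is needed further down
    SELECT usename
    FROM pg_user
),
objs AS (
    -- fullobj is double-quoted so mixed-case or unusual names are resolved
    -- as written instead of being case-folded or mis-parsed.
    -- Names that themselves contain a double quote are not handled.
    SELECT
        schemaname,
        't' AS obj_type,
        tablename AS objectname,
        '"' || schemaname || '"."' || tablename || '"' AS fullobj
    FROM pg_tables
    WHERE schemaname NOT IN ('pg_internal')
    -- the two branches differ in obj_type, so no de-duplication is needed
    UNION ALL
    SELECT
        schemaname,
        'v' AS obj_type,
        viewname AS objectname,
        '"' || schemaname || '"."' || viewname || '"' AS fullobj
    FROM pg_views
    WHERE schemaname NOT IN ('pg_internal')
),
query AS (
    -- every user against every object
    SELECT
        objs.schemaname,
        objs.objectname,
        usrs.usename,
        HAS_TABLE_PRIVILEGE(usrs.usename, objs.fullobj, 'select') AS sel,
        HAS_TABLE_PRIVILEGE(usrs.usename, objs.fullobj, 'insert') AS ins,
        HAS_TABLE_PRIVILEGE(usrs.usename, objs.fullobj, 'update') AS upd,
        HAS_TABLE_PRIVILEGE(usrs.usename, objs.fullobj, 'delete') AS del,
        HAS_TABLE_PRIVILEGE(usrs.usename, objs.fullobj, 'references') AS ref
    FROM objs
    CROSS JOIN usrs
)
SELECT *
FROM query
WHERE (
    sel = TRUE
    OR ins = TRUE
    OR upd = TRUE
    OR del = TRUE
    OR ref = TRUE
) AND schemaname = '[optional schemaname]'
  AND usename = '[optional username]'
-- ordering belongs on the final result; an ORDER BY inside a CTE is not
-- guaranteed to survive
ORDER BY schemaname, objectname, usename;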

With || and quoted identifiers: '"' || schemaname || '"."' || tablename || '"' AS fullobj and '"' || schemaname || '"."' || viewname || '"' AS fullobj

instead of: schemaname + '.' + tablename AS fullobj and schemaname + '.' + viewname AS fullobj
