PostgreSQL permission reports and checks
========================================
This extension allows you to review object permissions on a PostgreSQL database.
Cookbook
--------
First, you have to install the extension in the database:
CREATE EXTENSION pg_permissions SCHEMA public;
Then you need to add entries to `permission_target` that correspond to your
desired permissions.
Let's assume we have a schema `appschema`, and `appuser` should have
`SELECT`, `UPDATE`, `DELETE` and `INSERT` permissions on all tables and
views in that schema:
INSERT INTO public.permission_target
(id, role_name, permissions,
object_type, schema_name)
VALUES
(1, 'appuser', '{SELECT,INSERT,UPDATE,DELETE}',
'TABLE', 'appschema');
INSERT INTO public.permission_target
(id, role_name, permissions,
object_type, schema_name)
VALUES
(2, 'appuser', '{SELECT,INSERT,UPDATE,DELETE}',
'VIEW', 'appschema');
Of course, the user will need the `USAGE` privilege on the schema:
INSERT INTO public.permission_target
(id, role_name, permissions,i
object_type, schema_name)
VALUES
(3, 'appuser', '{USAGE}',
'SCHEMA', 'appschema');
The user also needs `USAGE` privileges on the `appseq` sequence in
that schema:
INSERT INTO public.permission_target
(id, role_name, permissions,
object_type, schema_name, object_name)
VALUES
(4, 'appuser', '{USAGE}',
'SEQUENCE', 'appschema', 'appseq');
Now we can review which permissions are missing and which additional
permissions are granted:
SELECT * FROM public.permission_diffs();
missing | role_name | object_type | schema_name | object_name | column_name | permission
---------+-----------+-------------+-------------+-------------+-------------+------------
f | laurenz | VIEW | appschema | appview | | SELECT
t | appuser | TABLE | appschema | apptable | | DELETE
(2 rows)
That means that `appuser` is missing the `DELETE` privilege on
`appschema.apptable` which should be granted, while user `laurenz`
has the additional `SELECT` privilege on `appschema.appview` (`missing`
is `FALSE`).
To review the actual permissions on an object, we can use the `*_permissions`
views:
SELECT * FROM schema_permissions
WHERE role_name = 'appuser' AND schema_name = 'appschema';
object_type | role_name | schema_name | object_name | column_name | permissions | granted
-------------+-----------+-------------+-------------+-------------+-------------+---------
SCHEMA | appuser | appschema | | | USAGE | t
SCHEMA | appuser | appschema | | | CREATE | f
(2 rows)
Usage
-----
### Views ###
The extension provides a number of views:
- `database_permissions`: permissions granted on the current database
- `schema_permissions`: permissions granted on schemas
- `table_permissions`: permissions granted on tables
- `view_permissions`: permissions granted on views
- `column_permissions`: permissions granted on table and view columns
- `function_permissions`: permissions granted on functions
- `sequence_permissions`: permissions granted on sequences
- `all_permissions`: permissions on all objects (`UNION` of the above)
All views have the same columns; a column is NULL if it has no meaning
for the current view.
These views can be used to examine the currently granted permissions on
database objects.
**Note:** Superusers are not show in the view, as they automatically have
all permissions.
### Tables ###
The extension provides a table `permission_target` with which you can describe
the permissions that *should* be granted on database objects.
If you set a relevant column in `permission_target` to NULL (e.g., the
`object_name` and `column_name` columns in a `TABLE` entry), the meaning is
that the entry refers to *all* possible objects (in the example above, all
tables in the schema).
### Functions ###
The table function `permission_diffs()` checks the desired permissions in
`permission_target` against the actually granted permissions in the views
of the extension and returns a table of differences.
If the first column `missing` is `TRUE`, the result is a permission that should
be there but isn't; if `missing` is `FALSE`, the result row is a permission that
is there even though it is not defined in `permission_target` (an extra
permission).
Installation
------------
Make sure the PostgreSQL extension building infrastructure is installed.
If you installed PostgreSQL with installation packages, you usually need to
install the "development"-Package.
Make sure that `pg_config` is on your `PATH`. Then type
make install
Then connect to the database where you want to run `pg_permissions` and use
CREATE EXTENSION pg_permissions;
You need `CREATE` privileges on the schema where you install the extension.
### Installation without the extension building infrastructure ###
This is also what Windows users will have to dom because there is no extension
building infrastructure for Windows.
Find out where your PostgreSQL share directory is:
pg_config --sharedir
Then copy `pg_permissions.control` and the SQL files to the `extension`
subdirectory of that directory, e.g.
copy pg_permissions.control *.sql "C:\Program Files\PostgreSQL\10\share\extension"
You still have to run `CREATE EXTENSION` as described above.
Support
-------
Open an [issue][issue] on Gitgub if you have problems or questions.
For professional support, please contact [Cybertec][cybertec].
[issue]: https://github.com/cybertec-postgresql/pg_permission/issues
[cybertec]: https://www.cybertec-postgresql.com/
