How to create a user with readonly privileges for all databases in Postgresql?

Question

I want to create a user with only select privilege for all tables in all databases. I thought that I could get a list of databases and apply the following command for each database:

GRANT select ON DATABASE dbname to user1;

But I got the following error:

ERROR:  invalid privilege type SELECT for database

When I googled people advised to do the grant select operation for all tables. But new tables are being added always. So this is not an acceptable solution for me. Does anyone know any workarounds?

@Jonas actually this is basic SQL, so not a good fit for DBA - http://dba.stackexchange.com/faq — Stefano, Mar 19 '12 at 17:53

score 34 · Answer 1 · answered Nov 23 '11 at 18:10

You need to do 2 things: firstly, allow access to existing objects; and secondly, set the default access for new objects created from now on.

Note that granting access to "TABLES" includes views, but does not include sequences (such as the auto-increment function for "SERIAL" columns), so you'll probably want to grant access to those as well.

The below assumes you want to do everything in the public schema. The ALTER DEFAULT PRIVILEGES statement can act on the entire database by omitting the IN SCHEMA ... clause; the GRANT has to be run once for each schema.

-- Grant access to current tables and views
GRANT SELECT ON ALL TABLES IN SCHEMA public TO user1;
-- Now make sure that's also available on new tables and views by default
ALTER DEFAULT PRIVILEGES
    IN SCHEMA public -- omit this line to make a default across all schemas
    GRANT SELECT
ON TABLES 
TO user1;

-- Now do the same for sequences
GRANT SELECT, USAGE ON ALL SEQUENCES IN SCHEMA public TO user1;
ALTER DEFAULT PRIVILEGES
    IN SCHEMA public -- omit this line to make a default across all schemas
    GRANT SELECT, USAGE
ON SEQUENCES 
TO user1;

PostgreSQL manual

oddly enough I needed `grant usage on schema public to user1;` as well — Sam Saffron, Jan 04 '13 at 07:28
It is important to connect to the right DB first `\c mydatabase;`. `user1` will only get access to `mydatabase`. — jerrymouse, Oct 13 '21 at 22:23

score 33 · Accepted Answer · edited Nov 21 '12 at 16:04

33

You cannot do this on database level, only on schema level.

Assuming you are only using the public schema in each database, you can do this:

GRANT SELECT ON ALL TABLES IN SCHEMA public TO user1;
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO user;

edited Nov 21 '12 at 16:04

sorin

161,544
178
535
806

answered Jun 23 '11 at 13:05

2

Your statement that this will apply to newly created tables and views is incorrect - the "ALL TABLES" is simply short-hand for running a GRANT SELECT on each currently existing table, and does not set any defaults. To set the default for new objects, you need the ALTER DEFAULT PRIVILEGES command: http://www.postgresql.org/docs/current/static/sql-alterdefaultprivileges.html (See my answer below) – IMSoP Nov 23 '11 at 17:51
2

The original question was on the topic of SELECt for all tables and for ALL databases. This is possible in mysql but (i think) not possible in postgres. In postgres one has to grant these rights for each database independently. Maybe you can add this as a clarification (or correct me if it is possible). – Michael Aug 26 '13 at 12:06
@Michael: hmm, I thought the first sentence "*you cannot do this on database level*" pretty much says that. You have to do it per *schema*, you can not do it per database (or installation wide) – Aug 26 '13 at 12:12
3

yes - if you know postgres. My guess (as is true for me) is a lot of people with limited knowledge of pg will find this Q&A. Not everybody will know the schema is database specific. Plus if you simply connect via `psql` you can issue above commands without an error -> this lead me to the assumption the GRANT was applied installation wide :). Maybe simply add the `psql database_name` as a first command. On the other hand these comments will propably be sufficent for others :) – Michael Aug 26 '13 at 15:48

score 4 · Answer 3 · answered Oct 05 '12 at 11:50

4

For Postgres versions lower than 9.0:

psql -d DBNAME -qAt -c "SELECT 'GRANT SELECT ON ' || tablename || ' TO USER;' 
FROM pg_tables WHERE schemaname = 'public'" | psql -d DBNAME

psql -d DBNAME -qAt -c "SELECT 'GRANT SELECT ON ' || viewname || ' TO USER;' 
FROM pg_views WHERE schemaname = 'public'" | psql -d DBNAME

psql -d DBNAME -qAt -c "SELECT 'GRANT SELECT ON ' || relname || ' TO USER;' 
FROM pg_statio_all_sequences WHERE schemaname = 'public'" | psql -d DBNAME

answered Oct 05 '12 at 11:50

Vishnu Kumar

394
6
13

i had to do `psql -d DBNAME -qAt -c "SELECT 'GRANT SELECT ON ' || relname || ' TO USER;' FROM pg_statio_all_tables WHERE schemaname = 'public'" | psql -d DBNAME` yet – tymik Jan 04 '17 at 17:22

score 4 · Answer 4 · answered Apr 20 '20 at 11:50

I do the next steps for create read-only user:

create your_user:

1. createuser --interactive --pwprompt

go to postgresql in your_databases:

2. psql your_database

define access privileges:

3. GRANT SELECT ON ALL TABLES IN SCHEMA public TO your_user;

define default access privileges:

4. ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO your_user;

Mike Sherrill 'Cat Recall' · Answer 5 · 2011-06-23T12:46:42.450

I realize you've already said this isn't an acceptable answer, but it's the right answer anyway.

Specifying security (GRANT and REVOKE) is part of table design and testing.

Don't move tables to production before table definitions, security, tests, and test data are under version control.

Having said that, PostgreSQL doesn't have any SELECT permissions on databases. You can grant only CREATE, CONNECT, or TEMP permissions on databases.

You can grant SELECT on all tables in a given schema. I don't know how that affects tables created after running the GRANT statement, but it's fairly easy to test.

PostgreSQL Grant syntax

score 2 · Answer 6 · answered Apr 14 '22 at 10:11

I'm aware that this is a very old question, but it still comes up when searching for this problem so I'm just posting this for an up-to-date answer.

As of Postgres 14 or newer, there are now predefined roles for that purpose:

CREATE USER your_readonly_user WITH PASSWORD 'changeme';
GRANT pg_read_all_data TO your_readonly_user;

According to the docs, this gives all the necessary privileges to:

"Read all data (tables, views, sequences), as if having SELECT rights on those objects, and USAGE rights on all schemas, even without having it explicitly. This role does not have the role attribute BYPASSRLS set. If RLS is being used, an administrator may wish to set BYPASSRLS on roles which this role is GRANTed to."

See here for more info on the predefined roles.

score 1 · Answer 7 · answered Jun 01 '21 at 08:14

Try:

CREATE USER readonly WITH ENCRYPTED PASSWORD 'yourpassword';
GRANT CONNECT ON DATABASE <database_name> to readonly;
GRANT USAGE ON SCHEMA public to readonly;
GRANT SELECT ON ALL SEQUENCES IN SCHEMA public TO readonly;
GRANT SELECT ON ALL TABLES IN SCHEMA public TO readonly;

How to create a user with readonly privileges for all databases in Postgresql?

7 Answers7