{"id":13876,"date":"2020-03-31T05:21:16","date_gmt":"2020-03-31T03:21:16","guid":{"rendered":"https:\/\/www.dbi-services.com\/blog\/where-does-postgresql-store-information-about-default-privileges\/"},"modified":"2020-03-31T05:21:16","modified_gmt":"2020-03-31T03:21:16","slug":"where-does-postgresql-store-information-about-default-privileges","status":"publish","type":"post","link":"https:\/\/www.dbi-services.com\/blog\/where-does-postgresql-store-information-about-default-privileges\/","title":{"rendered":"Where does PostgreSQL store information about default privileges?"},"content":{"rendered":"

A recent comment on the blog post about PostgreSQL default privileges<\/a> is the reason for this little post: “I\u2019d love to know where postgres stores default privileges?”. Well, all the information about privileges should be stored somewhere in the catalog so let’s check where that information could be.<\/p>\n

<\/p>\n

To start with, we create a brand new user, a brand new schema and then modify the default privileges for that user in the given schema:<\/p>\n

\npostgres=# create user a with login password 'a';\nCREATE ROLE\npostgres=# create schema s;\nCREATE SCHEMA\npostgres=# alter default privileges in schema s grant select on tables to a;\nALTER DEFAULT PRIVILEGES\n<\/pre>\n
There is a “useconfig” column in the pg_user<\/a> catalog table so you might think the information about default privileges is there:<\/p>\n
\npostgres=# d pg_user\n                        View \"pg_catalog.pg_user\"\n    Column    |           Type           | Collation | Nullable | Default \n--------------+--------------------------+-----------+----------+---------\n usename      | name                     |           |          | \n usesysid     | oid                      |           |          | \n usecreatedb  | boolean                  |           |          | \n usesuper     | boolean                  |           |          | \n userepl      | boolean                  |           |          | \n usebypassrls | boolean                  |           |          | \n passwd       | text                     |           |          | \n valuntil     | timestamp with time zone |           |          | \n useconfig    | text[]                   | C         |          | \n\npostgres=# select * from pg_user where usename = 'a';\n usename | usesysid | usecreatedb | usesuper | userepl | usebypassrls |  passwd  | valuntil | useconfig \n---------+----------+-------------+----------+---------+--------------+----------+----------+-----------\n a       |    16408 | f           | f        | f       | f            | ******** |          | \n(1 row)\n<\/pre>\n
It is not, and actually it does not make any sense as default privileges are attached to schemas, not users. So it could be in the pg_namespace<\/a> catalog table:<\/p>\n
\npostgres=# select * from pg_namespace where nspname = 's';\n  oid  | nspname | nspowner | nspacl \n-------+---------+----------+--------\n 16409 | s       |       10 | \n(1 row)\n<\/pre>\n
It is not there as well but it gives you a hint. Privileges have something to do with ACLs (Access control lists) so let’s check if there is a catalog table that could relate to that:<\/p>\n
\npostgres=# select * from pg_tables where tablename like '%acl%';\n schemaname |   tablename    | tableowner | tablespace | hasindexes | hasrules | hastriggers | rowsecurity \n------------+----------------+------------+------------+------------+----------+-------------+-------------\n pg_catalog | pg_default_acl | postgres   |            | t          | f        | f           | f\n(1 row)\n<\/pre>\n
Here we go:<\/p>\n
\npostgres=# select * from pg_default_acl where defaclnamespace = 's'::regnamespace;\n  oid  | defaclrole | defaclnamespace | defaclobjtype |   defaclacl    \n-------+------------+-----------------+---------------+----------------\n 16410 |         10 |           16409 | r             | {a=r\/postgres}\n(1 row)\n<\/pre>\n
“a=r” means: User “a” has read privileges on all the objects. Modifying the default privileges once more:<\/p>\n
\npostgres=# alter default privileges in schema s grant insert on tables to a;\nALTER DEFAULT PRIVILEGES\npostgres=# select * from pg_default_acl defaclnamespace = 's'::regnamespace;\n  oid  | defaclrole | defaclnamespace | defaclobjtype |    defaclacl    \n-------+------------+-----------------+---------------+-----------------\n 16410 |         10 |           16409 | r             | {a=ar\/postgres}\n(1 row)\n<\/pre>\n
Now “a” was added, and that means append(insert). You can check the various flags in the documentation<\/a>.<\/p>\n
The “\/postgres” string defines the owner of the schema:<\/p>\n
\npostgres=# alter user a superuser;\nALTER ROLE\npostgres=# c postgres a\nYou are now connected to database \"postgres\" as user \"a\".\npostgres=# create schema s2;\nCREATE SCHEMA\npostgres=# select * from pg_default_acl where defaclnamespace = 's2'::regnamespace;\n oid | defaclrole | defaclnamespace | defaclobjtype | defaclacl \n-----+------------+-----------------+---------------+-----------\n(0 rows)\n\npostgres=# create user b;\nCREATE ROLE\npostgres=# alter default privileges in schema s2 grant select on tables to b;\nALTER DEFAULT PRIVILEGES\npostgres=# select * from pg_default_acl where defaclnamespace = 's2'::regnamespace;\n  oid  | defaclrole | defaclnamespace | defaclobjtype | defaclacl \n-------+------------+-----------------+---------------+-----------\n 16413 |      16408 |           16411 | r             | {b=r\/a}\n(1 row)\n<\/pre>\n
I hope that answers the question.<\/p>\n","protected":false},"excerpt":{"rendered":"
A recent comment on the blog post about PostgreSQL default privileges is the reason for this little post: “I\u2019d love to know where postgres stores default privileges?”. Well, all the information about privileges should be stored somewhere in the catalog so let’s check where that information could be.<\/p>\n","protected":false},"author":29,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[229],"tags":[77],"type_dbi":[],"class_list":["post-13876","post","type-post","status-publish","format-standard","hentry","category-database-administration-monitoring","tag-postgresql"],"acf":[],"yoast_head":"\nWhere does PostgreSQL store information about default privileges? - dbi Blog<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.dbi-services.com\/blog\/where-does-postgresql-store-information-about-default-privileges\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Where does PostgreSQL store information about default privileges?\" \/>\n<meta property=\"og:description\" content=\"A recent comment on the blog post about PostgreSQL default privileges is the reason for this little post: “I\u2019d love to know where postgres stores default privileges?”. Well, all the information about privileges should be stored somewhere in the catalog so let’s check where that information could be.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.dbi-services.com\/blog\/where-does-postgresql-store-information-about-default-privileges\/\" \/>\n<meta property=\"og:site_name\" content=\"dbi Blog\" \/>\n<meta property=\"article:published_time\" content=\"2020-03-31T03:21:16+00:00\" \/>\n<meta name=\"author\" content=\"Daniel Westermann\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@westermanndanie\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Daniel Westermann\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.dbi-services.com\/blog\/where-does-postgresql-store-information-about-default-privileges\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.dbi-services.com\/blog\/where-does-postgresql-store-information-about-default-privileges\/\"},\"author\":{\"name\":\"Daniel Westermann\",\"@id\":\"https:\/\/www.dbi-services.com\/blog\/#\/schema\/person\/8d08e9bd996a89bd75c0286cbabf3c66\"},\"headline\":\"Where does PostgreSQL store information about default privileges?\",\"datePublished\":\"2020-03-31T03:21:16+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.dbi-services.com\/blog\/where-does-postgresql-store-information-about-default-privileges\/\"},\"wordCount\":227,\"commentCount\":0,\"keywords\":[\"PostgreSQL\"],\"articleSection\":[\"Database Administration & Monitoring\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/www.dbi-services.com\/blog\/where-does-postgresql-store-information-about-default-privileges\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.dbi-services.com\/blog\/where-does-postgresql-store-information-about-default-privileges\/\",\"url\":\"https:\/\/www.dbi-services.com\/blog\/where-does-postgresql-store-information-about-default-privileges\/\",\"name\":\"Where does PostgreSQL store information about default privileges? - dbi Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.dbi-services.com\/blog\/#website\"},\"datePublished\":\"2020-03-31T03:21:16+00:00\",\"author\":{\"@id\":\"https:\/\/www.dbi-services.com\/blog\/#\/schema\/person\/8d08e9bd996a89bd75c0286cbabf3c66\"},\"breadcrumb\":{\"@id\":\"https:\/\/www.dbi-services.com\/blog\/where-does-postgresql-store-information-about-default-privileges\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.dbi-services.com\/blog\/where-does-postgresql-store-information-about-default-privileges\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.dbi-services.com\/blog\/where-does-postgresql-store-information-about-default-privileges\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Accueil\",\"item\":\"https:\/\/www.dbi-services.com\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Where does PostgreSQL store information about default privileges?\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.dbi-services.com\/blog\/#website\",\"url\":\"https:\/\/www.dbi-services.com\/blog\/\",\"name\":\"dbi Blog\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.dbi-services.com\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.dbi-services.com\/blog\/#\/schema\/person\/8d08e9bd996a89bd75c0286cbabf3c66\",\"name\":\"Daniel Westermann\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/secure.gravatar.com\/avatar\/31350ceeecb1dd8986339a29bf040d4cd3cd087d410deccd8f55234466d6c317?s=96&d=mm&r=g\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/31350ceeecb1dd8986339a29bf040d4cd3cd087d410deccd8f55234466d6c317?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/31350ceeecb1dd8986339a29bf040d4cd3cd087d410deccd8f55234466d6c317?s=96&d=mm&r=g\",\"caption\":\"Daniel Westermann\"},\"description\":\"Daniel Westermann is Principal Consultant and Technology Leader Open Infrastructure at dbi services. He has more than 15 years of experience in management, engineering and optimization of databases and infrastructures, especially on Oracle and PostgreSQL. Since the beginning of his career, he has specialized in Oracle Technologies and is Oracle Certified Professional 12c and Oracle Certified Expert RAC\/GridInfra. Over time, Daniel has become increasingly interested in open source technologies, becoming \u201cTechnology Leader Open Infrastructure\u201d and PostgreSQL expert. \u00a0Based on community or EnterpriseDB tools, he develops and installs complex high available solutions with PostgreSQL. He is also a certified PostgreSQL Plus 9.0 Professional and a Postgres Advanced Server 9.4 Professional. He is a regular speaker at PostgreSQL conferences in Switzerland and Europe. Today Daniel is also supporting our customers on AWS services such as AWS RDS, database migrations into the cloud, EC2 and automated infrastructure management with AWS SSM (System Manager). He is a certified AWS Solutions Architect Professional. Prior to dbi services, Daniel was Management System Engineer at LC SYSTEMS-Engineering AG in Basel. Before that, he worked as Oracle Developper &\u00a0Project Manager at Delta Energy Solutions AG in Basel (today Powel AG). Daniel holds a diploma in Business Informatics (DHBW, Germany). His branch-related experience mainly covers the pharma industry, the financial sector, energy, lottery and telecommunications.\",\"sameAs\":[\"https:\/\/x.com\/westermanndanie\"],\"url\":\"https:\/\/www.dbi-services.com\/blog\/author\/daniel-westermann\/\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"Where does PostgreSQL store information about default privileges? - dbi Blog","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.dbi-services.com\/blog\/where-does-postgresql-store-information-about-default-privileges\/","og_locale":"en_US","og_type":"article","og_title":"Where does PostgreSQL store information about default privileges?","og_description":"A recent comment on the blog post about PostgreSQL default privileges is the reason for this little post: “I\u2019d love to know where postgres stores default privileges?”. Well, all the information about privileges should be stored somewhere in the catalog so let’s check where that information could be.","og_url":"https:\/\/www.dbi-services.com\/blog\/where-does-postgresql-store-information-about-default-privileges\/","og_site_name":"dbi Blog","article_published_time":"2020-03-31T03:21:16+00:00","author":"Daniel Westermann","twitter_card":"summary_large_image","twitter_creator":"@westermanndanie","twitter_misc":{"Written by":"Daniel Westermann","Est. reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.dbi-services.com\/blog\/where-does-postgresql-store-information-about-default-privileges\/#article","isPartOf":{"@id":"https:\/\/www.dbi-services.com\/blog\/where-does-postgresql-store-information-about-default-privileges\/"},"author":{"name":"Daniel Westermann","@id":"https:\/\/www.dbi-services.com\/blog\/#\/schema\/person\/8d08e9bd996a89bd75c0286cbabf3c66"},"headline":"Where does PostgreSQL store information about default privileges?","datePublished":"2020-03-31T03:21:16+00:00","mainEntityOfPage":{"@id":"https:\/\/www.dbi-services.com\/blog\/where-does-postgresql-store-information-about-default-privileges\/"},"wordCount":227,"commentCount":0,"keywords":["PostgreSQL"],"articleSection":["Database Administration & Monitoring"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.dbi-services.com\/blog\/where-does-postgresql-store-information-about-default-privileges\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/www.dbi-services.com\/blog\/where-does-postgresql-store-information-about-default-privileges\/","url":"https:\/\/www.dbi-services.com\/blog\/where-does-postgresql-store-information-about-default-privileges\/","name":"Where does PostgreSQL store information about default privileges? - dbi Blog","isPartOf":{"@id":"https:\/\/www.dbi-services.com\/blog\/#website"},"datePublished":"2020-03-31T03:21:16+00:00","author":{"@id":"https:\/\/www.dbi-services.com\/blog\/#\/schema\/person\/8d08e9bd996a89bd75c0286cbabf3c66"},"breadcrumb":{"@id":"https:\/\/www.dbi-services.com\/blog\/where-does-postgresql-store-information-about-default-privileges\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.dbi-services.com\/blog\/where-does-postgresql-store-information-about-default-privileges\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.dbi-services.com\/blog\/where-does-postgresql-store-information-about-default-privileges\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Accueil","item":"https:\/\/www.dbi-services.com\/blog\/"},{"@type":"ListItem","position":2,"name":"Where does PostgreSQL store information about default privileges?"}]},{"@type":"WebSite","@id":"https:\/\/www.dbi-services.com\/blog\/#website","url":"https:\/\/www.dbi-services.com\/blog\/","name":"dbi Blog","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.dbi-services.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/www.dbi-services.com\/blog\/#\/schema\/person\/8d08e9bd996a89bd75c0286cbabf3c66","name":"Daniel Westermann","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/31350ceeecb1dd8986339a29bf040d4cd3cd087d410deccd8f55234466d6c317?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/31350ceeecb1dd8986339a29bf040d4cd3cd087d410deccd8f55234466d6c317?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/31350ceeecb1dd8986339a29bf040d4cd3cd087d410deccd8f55234466d6c317?s=96&d=mm&r=g","caption":"Daniel Westermann"},"description":"Daniel Westermann is Principal Consultant and Technology Leader Open Infrastructure at dbi services. He has more than 15 years of experience in management, engineering and optimization of databases and infrastructures, especially on Oracle and PostgreSQL. Since the beginning of his career, he has specialized in Oracle Technologies and is Oracle Certified Professional 12c and Oracle Certified Expert RAC\/GridInfra. Over time, Daniel has become increasingly interested in open source technologies, becoming \u201cTechnology Leader Open Infrastructure\u201d and PostgreSQL expert. \u00a0Based on community or EnterpriseDB tools, he develops and installs complex high available solutions with PostgreSQL. He is also a certified PostgreSQL Plus 9.0 Professional and a Postgres Advanced Server 9.4 Professional. He is a regular speaker at PostgreSQL conferences in Switzerland and Europe. Today Daniel is also supporting our customers on AWS services such as AWS RDS, database migrations into the cloud, EC2 and automated infrastructure management with AWS SSM (System Manager). He is a certified AWS Solutions Architect Professional. Prior to dbi services, Daniel was Management System Engineer at LC SYSTEMS-Engineering AG in Basel. Before that, he worked as Oracle Developper &\u00a0Project Manager at Delta Energy Solutions AG in Basel (today Powel AG). Daniel holds a diploma in Business Informatics (DHBW, Germany). His branch-related experience mainly covers the pharma industry, the financial sector, energy, lottery and telecommunications.","sameAs":["https:\/\/x.com\/westermanndanie"],"url":"https:\/\/www.dbi-services.com\/blog\/author\/daniel-westermann\/"}]}},"_links":{"self":[{"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/posts\/13876","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/users\/29"}],"replies":[{"embeddable":true,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/comments?post=13876"}],"version-history":[{"count":0,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/posts\/13876\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/media?parent=13876"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/categories?post=13876"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/tags?post=13876"},{"taxonomy":"type","embeddable":true,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/type_dbi?post=13876"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}