I have an Amazon Redshift cluster with four schemas (Schema1, Schema2, Schema3 and Schema 4).
I created a user User1 in this cluster. I want this user to have only read-only access to all the tables in Schema1. Currently, this user has access(Select, Insert, Update, Delete) to all the tables from all the schemas.
I tried all the commands from the Redshift manual, but looks like nothing is working.
Example:
REVOKE ALL on schema schema1 from User1
REVOKE ALL on schema schema2 from User1
REVOKE ALL on schema schema3 from User1
REVOKE ALL on schema schema4 from User1
I also tried to revoke individual permissions (Insert, Update, Delete).
I also tried to revoke permissions (Insert, Update, Delete) from individual table
Tried all the combinations from the manual. I am using SQL Workbench and all the statements were successfully executed without any syntax error.
Not able to figure it. Any help is appreciated.
P.S. I have 15 years of database experience working on roles and permissions.
In my case the issue I had was that I had 3 users belonging to the same group.
The group had been granted ALL privileges to all the tables of the schema.
Therefore revoking the permissions for a single user did not work since group permissions supersede user permissions.
TL;DR
The solution in my case was to create a group for each user and revoke access to the schema for the other groups.
REVOKE ALL ON SCHEMA my_schema FROM group my_group;
These commands seem to work:
CREATE SCHEMA schema1;
CREATE TABLE schema1.foo (name TEXT);
CREATE USER user1 PASSWORD 'Abcd1234';
GRANT USAGE ON SCHEMA schema1 TO user1;
GRANT SELECT ON ALL TABLES IN SCHEMA schema1 TO user1;
However, it might not automatically grant access on tables created in future.
Since Amazon Redshift is based on PostgreSQL 8.0.2, see: How do you create a read-only user in PostgreSQL?
This might not be what caused the issue of the OP, but it solved the issue for me, and could solve it for people who encounter the same situation and end up on this thread.
In addition to George V's answer, note that there is in Redshift a PUBLIC group, that grants permissions to every user.
PUBLIC represents a group that always includes all users. An individual user's privileges consist of the sum of privileges granted to PUBLIC, privileges granted to any groups that the user belongs to, and any privileges granted to the user individually.
(from the doc on GRANT)
So if you want to make sure that User1 doesn't have access to tables in schema2 for example, you should run:
REVOKE ALL on schema schema2 from User1;
REVOKE ALL on schema schema2 from Group1; --assuming this is the only group of User1
REVOKE ALL on schema schema2 from PUBLIC;
Related
I have logged into AWS as the root account and still unable to query a Athena table that was created by another IAM User having Administrator Role. When I log off and login in as the IAM User which created the Tables, I am able to query.
Any inputs how can I grant permission to the AWS Root Account to the Athena Table (also available in the Glue Catalog) ?
This was because, the Admin role had not been granted access in Lakeformation to the given database which was being queried. Once, Admin role was assigned, the Account Owner was able to query the tables in the given database from Athena.
I'm logging into a cloudsql instance via the cloud sql proxy and an iam database user. The authentication succeeds, but doesn't show me any schema / resources or anything in MySQLWorkbench. It's just completely blank.
The iam user is a cloudsql admin, and an owner of the project, so it couldn't be a permission issue could it?
If I use a non iam user, and login with a standard database user and password, everything works fine, and as expected. What else could it be? This seems like something common that other people would have experienced as well.
When an IAM user is added to a database instance, that new user is granted no privileges on any databases, by default.
You need to use either the root or another privileged user and grant the appropriate database permissions to your IAM user.
For more information see: Grant Database Privileges to an IAM user
We’ve been having an issue when giving permissions to groups in redshift.
The main problem is that when we give access to certain schemas and then after an user adds a new table to the schemas, the group has no access to the new table (due to permissions error).
We tried to give the following permissions:
GRANT USAGE ON SCHEMA <schema> TO GROUP <group>;
GRANT SELECT ON ALL TABLES IN SCHEMA <schema> TO GROUP <group>;
ALTER DEFAULT PRIVILEGES IN SCHEMA <schema> GRANT SELECT ON TABLES to group <group>;
And that solution didn’t work as expected.
A temporary solution we made is making a super user to allow our developers to work, which is what we want to avoid and is not a good practice.
Thanks!
To set the privileges that will be created for new tables you have to update the default privileges. See: https://docs.aws.amazon.com/redshift/latest/dg/r_ALTER_DEFAULT_PRIVILEGES.html
The default privileges "Defines the default set of access privileges to be applied to objects that are created in the future by the specified user. By default, users can change only their own default access privileges. Only a superuser can specify default privileges for other users." Grant only works on existing tables / objects.
Hope this helps you out.
I have a IAM user with Role: BigQuery Data Editor
In my data set I did Share dataset added the user with Can Edit privileges.
However when I'm running my script which access BigQuery I get error 403
When I add to my IAM user the Role BigQuery User The script works.
The scripts runs only SELECT query from a table in this data set.
I don't understand why I must grant BigQuery User for this to work.
According to the documentation https://cloud.google.com/bigquery/docs/access-control
Rationale: The dataEditor role extends bigquery.dataViewer by issuing
create, update, delete privileges for the tables within the dataset
roles/bigquery.dataViewer has bigquery.tables.getData which get table data
What am I doing wrong here?
Having access to the data and being able to retrieve it with a query are different things and that's where the confusion is coming from.
Per the documentation, roles/bigquery.dataEditor has the following permissions:
Read the dataset's metadata and to list tables in the dataset.
Create, update, get, and delete the dataset's tables.
This means that the user with this role has access and manipulation rights to the dataset's information and the tables in it. An example would be that a user with this role can see all the table information by navigating to it through the GCP console (schema, details and preview tabs) but when trying to run a query there, the following message will appear:
Access Denied: Project <PROJECT-ID>: The user <USER> does not have bigquery.jobs.create permission in project <PROJECT-ID>.
Now let's check the roles/bigquery.user permissions:
Permissions to run jobs, including queries, within the project.
The key element here is that the BigQuery User role can run jobs and the BigQuery DataEditor can't. BigQuery Jobs are the objects that manage the BigQuery tasks, this includes running queries.
With this information, it's clearer in the roles comparison matrix that for what you are trying to accomplish you'll need the BigQuery DataEditor role (Get table data/metadata) and the BigQuery User role (Create jobs/queries).
I have a user in Amazon Redshift. I want that user to be able to do read-only queries against the system tables:
http://docs.aws.amazon.com/redshift/latest/dg/cm_chap_system-tables.html
But I don't know how to grant a user who is not a superuser access to these tables as it does not appear to be documented anywhere on amazon.
Obviously you don't want to grant superuser to another user just so they can see system logs. Being able to monitor is a very common use case that shouldn't require giving someone carte blanche access.
Thankfully you have the ability to grant access to system tables using the syslog access option.
alter user user123 syslog access unrestricted
See Redshift documentation on visibility
If you are a Superuser, you can make other user as superuser or create a new superuser and then other user can query system table and views. Use createuser privilege. Below is the sample query
create user user_super createuser password '1234';
alter user user_super createuser;
Be careful while making any superuser, superuser gets all access including grant and revoke and query run from superuser always goes to query-1 and will make other queries wait until finished.