public inbox for pgsql-sql@postgresql.org  
From: Ing. Marijo Kristo <marijo.kristo@icloud.com>
To: pgsql-sql@lists.postgresql.org
Subject: Revoke Connect Privilege from Database not working
Date: Mon, 31 Mar 2025 17:26:13 +0200
Message-ID: <6C13A1CC-3841-4A5E-BC78-C8F9C5B120BB@icloud.com> (raw)
References: <18873-c148b32c0e501cc0@postgresql.org>


> Hello,
> 
> we are using Vault to provision temporary users which get deleted after a
> while by the same user.
> For this purpose we have created a vault_admin user.
> 
> postgres=# \du vault_admin
>            List of roles
>  Role name  |       Attributes
> -------------+------------------------
> vault_admin | Superuser, Create role
> 
> postgres=# \l "disp_db"
> 
>                                                                  List of databases
>   Name   |       Owner       | Encoding | Locale Provider |  Collate   |   Ctype    | ICU Locale | ICU Rules |                             Access privileges
> ---------+-------------------+----------+-----------------+------------+------------+------------+-----------+---------------------------------------------------------------------------
>  disp_db | app_disp_db_admin | UTF8     | libc            | en_US.utf8 | en_US.utf8 |            |           | app_disp_db_admin=CTc/app_disp_db_admin                                   +
>          |                   |          |                 |            |            |            |           | app_disp_db=Tc/app_disp_db_admin                                          +
>          |                   |          |                 |            |            |            |           | pg_database_owner=CTc/app_disp_db_admin                                   +
>          |                   |          |                 |            |            |            |           | vault_admin=c*/app_disp_db_admin                                          +
>          |                   |          |                 |            |            |            |           | "dev_oidc-m-kristo-rewe-group-at-2025_02_28T09_06_30+00:00"=c/vault_admin +
>          |                   |          |                 |            |            |            |           | app_disp_db_readonly=c/app_disp_db_admin
> 
> 
> Removing the connect privilege with the Postgres Superuser and with the
> Vault Admin user does not work.
> 
> postgres=# select current_user;
> current_user
> --------------
> postgres
> 
> postgres=# revoke connect on database "disp_db" from "dev_oidc-m-kristo-rewe-group-at-2025_02_28T09_06_30+00:00";
> REVOKE
> 
> postgres=# drop user "dev_oidc-m-kristo-rewe-group-at-2025_02_28T09_06_30+00:00";
> ERROR:  role "dev_oidc-m-kristo-rewe-group-at-2025_02_28T09_06_30+00:00" cannot be dropped because some objects depend on it
> DETAIL:  privileges for database disp_db
> 
> Same happens when trying to revoke with the vault admin user:
> 
> disp_db=# select current_user;
> current_user
> --------------
> vault_admin
> (1 row)
> 
> disp_db=# revoke connect on database "disp_db" from "dev_oidc-m-kristo-rewe-group-at-2025_02_28T09_06_30+00:00";
> REVOKE
> disp_db=# drop user "dev_oidc-m-kristo-rewe-group-at-2025_02_28T09_06_30+00:00";
> ERROR:  role "dev_oidc-m-kristo-rewe-group-at-2025_02_28T09_06_30+00:00" cannot be dropped because some objects depend on it
> DETAIL:  privileges for database disp_db
> 
> Does not work via PSQL nor with pgadmin.
> 
> Best Regards
> Marijo Kristo
> 
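
An added check, not part of the original message: each entry in the "Access privileges" column has the form grantee=privileges/grantor, so the listing above records the temporary role's CONNECT as granted by vault_admin while the other entries were granted by app_disp_db_admin. The queries below use only the database and role names from the message and show, after a REVOKE, which ACL entries remain, who granted them, and which shared dependencies DROP ROLE still sees.

```sql
-- 1. One row per privilege in the database ACL, with owner and grantor.
--    aclexplode() yields grantor, grantee (OID 0 means PUBLIC),
--    privilege_type and is_grantable for every aclitem in datacl.
SELECT d.datname,
       pg_get_userbyid(d.datdba)::text          AS owner,
       CASE WHEN a.grantee = 0 THEN 'PUBLIC'
            ELSE pg_get_userbyid(a.grantee)::text
       END                                      AS grantee,
       a.privilege_type,
       a.is_grantable,
       pg_get_userbyid(a.grantor)::text         AS grantor,
       a.grantor <> d.datdba                    AS granted_by_non_owner
FROM   pg_database AS d
CROSS  JOIN LATERAL aclexplode(d.datacl) AS a
WHERE  d.datname = 'disp_db'
ORDER  BY granted_by_non_owner DESC, grantee, a.privilege_type;

-- 2. Shared dependencies recorded against the role, i.e. what the
--    "some objects depend on it" error refers to.
--    deptype 'a' = the role appears in the object's ACL,
--    deptype 'o' = the role owns the object.
--    dbid = 0 restricts the result to shared objects such as databases.
SELECT pg_describe_object(s.classid, s.objid, s.objsubid) AS object,
       s.deptype
FROM   pg_shdepend AS s
JOIN   pg_roles    AS r ON r.oid = s.refobjid
WHERE  s.refclassid = 'pg_authid'::regclass
  AND  s.dbid = 0
  AND  r.rolname = 'dev_oidc-m-kristo-rewe-group-at-2025_02_28T09_06_30+00:00';
```

If the first query still lists the role after REVOKE has returned, the ACL entry was not removed, and the second query will keep showing a deptype 'a' row for database disp_db.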