Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1tzaH7-003t0G-IU for pgsql-sql@arkaria.postgresql.org; Tue, 01 Apr 2025 11:59:25 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.94.2) (envelope-from ) id 1tzaH6-001Wlx-5D for pgsql-sql@arkaria.postgresql.org; Tue, 01 Apr 2025 11:59:24 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1tzH24-007ZR6-4L for pgsql-sql@lists.postgresql.org; Mon, 31 Mar 2025 15:26:36 +0000 Received: from qs51p00im-qukt01072101.me.com ([17.57.155.10]) by makus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1tzH21-002A2G-1z for pgsql-sql@lists.postgresql.org; Mon, 31 Mar 2025 15:26:35 +0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=icloud.com; s=1a1hai; bh=FPTwIhTvp2grdXcjdAmNPt4FPteY3rkZINs58G5Gbuc=; h=Content-Type:From:Mime-Version:Date:Subject:Message-Id:To:x-icloud-hme; b=MDHL1zk0T7SxhYqCieGlDcF9gUMOyPvqC2P1gbGtrO3J5viLSpXBhS5JKxvrJBNjN GS2wupMsqGyRN1Ml4C34Wlbl5HNIeA1Yk+FCYB6PB0M+l9rGVZA+Ty0UPztxwADyq4 b/CXrzYsRlUUiaQ18RsTf0V/YhAjqdMCROOpcSaYUYguO0zhFGBr+dQoEQJ/Fa8WVa w8UvJ4PJCz1lJTUFBFJM3cXAgg4TZEiUYeFmblMnjf3XzMQKUjfDt6G1gDRK8u82ax NsKb3YDv4U+uYNVTcOVz7UMytNUv3/76hTt0YslBYf5nGpglTJL8KEP8sPFPpONTvf yn1JH6gl9umjw== Received: from smtpclient.apple (qs51p00im-dlb-asmtp-mailmevip.me.com [17.57.155.28]) by qs51p00im-qukt01072101.me.com (Postfix) with ESMTPSA id 88C5D40591 for ; Mon, 31 Mar 2025 15:26:30 +0000 (UTC) Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: quoted-printable From: "Ing. Marijo Kristo" Mime-Version: 1.0 (1.0) Date: Mon, 31 Mar 2025 17:26:13 +0200 Subject: Revoke Connect Privilege from Database not working Message-Id: <6C13A1CC-3841-4A5E-BC78-C8F9C5B120BB@icloud.com> References: <18873-c148b32c0e501cc0@postgresql.org> To: pgsql-sql@lists.postgresql.org X-Mailer: iPhone Mail (22D82) X-Proofpoint-ORIG-GUID: iyChEvGX3NoEOzBTqfymzHf_boK2Ffqb X-Proofpoint-GUID: iyChEvGX3NoEOzBTqfymzHf_boK2Ffqb X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1095,Hydra:6.0.680,FMLib:17.12.68.34 definitions=2025-03-31_07,2025-03-27_02,2024-11-22_01 X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 spamscore=0 adultscore=0 malwarescore=0 mlxlogscore=410 bulkscore=0 clxscore=1011 mlxscore=0 phishscore=0 suspectscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.19.0-2411120000 definitions=main-2503310110 List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk > Hello, >=20 > we are using Vault to provision temporary users which get deleted after a > while by the same user. > For this purpose we have created a vault_admin user. >=20 > postgres=3D# \du vault_admin > List of roles > Role name | Attributes > -------------+------------------------ > vault_admin | Superuser, Create role >=20 > postgres=3D# \l "disp_db" >=20 > List of databases > Name | Owner | Encoding | Locale Provider | Collate | =20= > Ctype | ICU Locale | ICU Rules | Access > privileges > ---------+-------------------+----------+-----------------+------------+--= ----------+------------+-----------+----------------------------------------= ---------------------------------------- > disp_db | app_disp_db_admin | UTF8 | libc | en_US.utf8 | > en_US.utf8 | | | > app_disp_db_admin=3DCTc/app_disp_db_admin = =20 > + > | | | | | = =20 > | | | app_disp_db=3DTc/app_disp_db_admin = =20 > + > | | | | | = =20 > | | | pg_database_owner=3DCTc/app_disp_db_admin= =20 > + > | | | | | = =20 > | | | vault_admin=3Dc*/app_disp_db_admin = =20 > + > | | | | | = =20 > | | | > "dev_oidc-m-kristo-rewe-group-at-2025_02_28T09_06_30+00:00"=3Dc/vault_admi= n =20 > + > | | | | | = =20 > | | | app_disp_db_readonly=3Dc/app_disp_db_admi= n >=20 >=20 > Removing the connect privilege with the Postgres Superuser and with the > Vault Admin user does not work. >=20 > postgres=3D# select current_user; > current_user > -------------- > postgres >=20 > postgres=3D# revoke connect on database "disp_db" from > "dev_oidc-m-kristo-rewe-group-at-2025_02_28T09_06_30+00:00"; > REVOKE >=20 > postgres=3D# drop user > "dev_oidc-m-kristo-rewe-group-at-2025_02_28T09_06_30+00:00"; > ERROR: role "dev_oidc-m-kristo-rewe-group-at-2025_02_28T09_06_30+00:00" > cannot be dropped because some objects depend on it > DETAIL: privileges for database disp_db >=20 > Same happens when trying to revoke with the vault admin user: >=20 > disp_db=3D# select current_user; > current_user > -------------- > vault_admin > (1 row) >=20 > disp_db=3D# revoke connect on database "disp_db" from > "dev_oidc-m-kristo-rewe-group-at-2025_02_28T09_06_30+00:00"; > REVOKE > disp_db=3D# drop user > "dev_oidc-m-kristo-rewe-group-at-2025_02_28T09_06_30+00:00"; > ERROR: role "dev_oidc-m-kristo-rewe-group-at-2025_02_28T09_06_30+00:00" > cannot be dropped because some objects depend on it > DETAIL: privileges for database disp_db >=20 > Does not work via PSQL nor with pgadmin. >=20 > Best Regards > Marijo Kristo >=20