Well-known Privileges
ldap2pg ships a set of well-known privileges for recurrent needs. They come with no warranty: review the resulting privilege configuration on your databases just as you would review your own code.
The real added value of well-known privileges is the inspect queries that come with them, and the boilerplate saved by not declaring every GRANT query yourself.
Using Well-known Privileges
A well-known privilege name starts and ends with `__`. ldap2pg disables any privilege whose name starts with `_`, so a well-known privilege must be included in a group to be enabled. If two groups reference the same privilege, it is deduplicated.
```yaml
privileges:
  ro:
  - __connect__
  - __usage_on_schemas__
  - __select_on_tables__
  rw:
  - ro
  - __insert__
  - __update_on_tables__
  ddl:
  - rw
  - __all_on_schemas__
  - __all_on_tables__

sync_map:
- grant:
    privilege: ddl
    database: mydb
    schema: __all__
    role: admins
```
Well-known privilege names follow this loose convention:

- `__..._on_all_tables__` is equivalent to `GRANT ... ON ALL TABLES IN SCHEMA ...`.
- `__default_..._on_tables__` is equivalent to `ALTER DEFAULT PRIVILEGES ... IN SCHEMA ...`.
- `__..._on_tables__` gathers `__..._on_all_tables__` and `__default_..._on_tables__`.
- A group starting with `__all_on_...__` is equivalent to `ALL PRIVILEGES` in SQL.
- A privilege specific to one object type has an alias without `_on_<type>__`, e.g. `__delete_on_tables__` is aliased to `__delete__`.
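To make the convention concrete, here is the SQL that the `ddl` grant of the example configuration above stands for, written out by hand. This is an added illustration, not SQL generated by ldap2pg: the `__all__` schema selector is expanded to a single schema named `app`, and `app_owner` is an assumed role that creates tables in that schema. The `ro` and `rw` privileges carried by `ddl` are deduplicated and then subsumed by `ALL PRIVILEGES`, so only the `__connect__`, `__all_on_schemas__` and `__all_on_tables__` statements remain.

```sql
-- Added illustration, not ldap2pg's own generated SQL. Assumed names:
-- schema "app" (stands in for the __all__ selector) and role "app_owner"
-- (the role that creates tables in "app"). Run while connected to mydb.

-- __connect__
GRANT CONNECT ON DATABASE mydb TO admins;

-- __all_on_schemas__: ALL PRIVILEGES on the schema object itself
-- (USAGE and CREATE), which subsumes __usage_on_schemas__ from group ro.
GRANT ALL PRIVILEGES ON SCHEMA app TO admins;

-- __..._on_all_tables__ half of __all_on_tables__: tables that exist now.
GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA app TO admins;

-- __default_..._on_tables__ half of __all_on_tables__: tables created later.
-- Caveat: without FOR ROLE, default privileges only cover tables created by
-- the role running this statement. Repeat it FOR ROLE every owner that
-- creates tables in the schema, or later tables will silently miss the grant.
ALTER DEFAULT PRIVILEGES FOR ROLE app_owner IN SCHEMA app
  GRANT ALL PRIVILEGES ON TABLES TO admins;
```

The `FOR ROLE` clause is the part most often forgotten when these statements are typed by hand: a default privilege set by an administrator applies to objects the administrator creates, not to objects created by an application owner, which is one reason to let a tool inspect and reconcile the default ACLs rather than trusting the GRANT script.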
This page does not document the SQL standard nor the meaning of each SQL privilege. Refer to the PostgreSQL documentation of GRANT and of ALTER DEFAULT PRIVILEGES for that.
Privilege Groups
Next is an extensive (and boring) list of all well-known privilege groups in
master. Each group is documented by its name and the list of privileges it
includes. Each privilege name points to the detail of its definition.
A group like __all_on_tables__ is actually implemented as a group of groups,
but for the sake of simplicity the documentation lists the concrete privileges
finally included.
Here we go.
Group __all_on_schemas__
Includes:
Group __all_on_sequences__
Includes:
- `__default_select_on_sequences__`
- `__default_update_on_sequences__`
- `__default_usage_on_sequences__`
- `__select_on_all_sequences__`
- `__update_on_all_sequences__`
- `__usage_on_all_sequences__`
Group __all_on_tables__
Includes:
- `__default_delete_on_tables__`
- `__default_insert_on_tables__`
- `__default_references_on_tables__`
- `__default_select_on_tables__`
- `__default_trigger_on_tables__`
- `__default_truncate_on_tables__`
- `__default_update_on_tables__`
- `__delete_on_all_tables__`
- `__insert_on_all_tables__`
- `__references_on_all_tables__`
- `__select_on_all_tables__`
- `__trigger_on_all_tables__`
- `__truncate_on_all_tables__`
- `__update_on_all_tables__`
Group __delete_on_tables__
Includes:
Alias: `__delete__`
Group __execute_on_functions__
Includes:
- `__default_execute_on_functions__`
- `__execute_on_all_functions__`
- `__global_default_execute_on_functions__`
Alias: `__execute__`
Group __insert_on_tables__
Includes:
Alias: `__insert__`
Group __references_on_tables__
Includes:
Alias: `__references__`
Group __select_on_sequences__
Includes:
Group __select_on_tables__
Includes:
Group __trigger_on_tables__
Includes:
Alias: `__trigger__`
Group __truncate_on_tables__
Includes:
Alias: `__truncate__`
Group __update_on_sequences__
Includes:
Group __update_on_tables__
Includes:
Group __usage_on_sequences__
Includes:
Single Privileges
Next is the list of well-known privileges. Each is associated with a REVOKE
query and an inspect query implementing full inspection of grantees,
including built-in grants to PUBLIC.
For the actual meaning of each SQL privilege, refer to the official PostgreSQL
documentation of the GRANT statement.
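The point of a full inspection is that it reports every grantee, PUBLIC included, on both existing objects and on default ACLs, so that nothing ldap2pg did not grant survives unnoticed. The two queries below are an added example of such an inspection written directly against the PostgreSQL catalogs; they are not ldap2pg's own inspect queries. The schema name `app` and the privilege `SELECT` are assumed filters you would adapt. `aclexplode()` expands an `aclitem[]` into one row per (grantor, grantee, privilege); a grantee OID of 0 is PUBLIC, and a NULL `relacl` means the built-in default (owner only), which `acldefault()` materialises so those tables are not silently skipped.

```sql
-- Added example, not ldap2pg code. Assumed filters: schema "app", SELECT.
-- 1. Who holds SELECT on each existing table-like relation in schema "app",
--    including the implicit PUBLIC pseudo-role (grantee OID 0).
SELECT n.nspname  AS schema_name,
       c.relname  AS relation_name,
       CASE WHEN g.grantee = 0 THEN 'PUBLIC'
            ELSE pg_get_userbyid(g.grantee) END AS grantee,
       pg_get_userbyid(g.grantor) AS grantor,
       g.privilege_type,
       g.is_grantable
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
-- NULL relacl means "built-in default": owner has everything, nobody else.
-- acldefault('r', owner) turns that into an explicit ACL so the row is listed.
CROSS JOIN LATERAL aclexplode(COALESCE(c.relacl, acldefault('r', c.relowner))) AS g
WHERE c.relkind IN ('r', 'p', 'v', 'm', 'f')   -- tables, partitioned, views, matviews, foreign
  AND n.nspname = 'app'
  AND g.privilege_type = 'SELECT'
ORDER BY 1, 2, 3;

-- 2. Default privileges that will apply to tables created later in "app",
--    per owning role. defaclnamespace = 0 is a database-wide default, which is
--    what the __global_default_...__ names above refer to.
SELECT COALESCE(n.nspname, '<global>') AS schema_name,
       pg_get_userbyid(d.defaclrole)   AS owner_role,
       CASE WHEN g.grantee = 0 THEN 'PUBLIC'
            ELSE pg_get_userbyid(g.grantee) END AS grantee,
       g.privilege_type
FROM pg_default_acl d
LEFT JOIN pg_namespace n ON n.oid = d.defaclnamespace
CROSS JOIN LATERAL aclexplode(d.defaclacl) AS g
WHERE d.defaclobjtype = 'r'                     -- 'r' = tables, 'S' sequences, 'f' functions
  AND (n.nspname = 'app' OR d.defaclnamespace = 0)
ORDER BY 1, 2, 3;
```

Run both in the target database before and after a sync. Any row whose grantee is PUBLIC, or any owner_role in the second query that you did not expect to be creating tables, is exactly the kind of drift the well-known privileges' inspect queries exist to catch; a REVOKE that only targets named roles will not remove it.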
Privilege __connect__
Privilege __create_on_schemas__
Privilege __default_delete_on_tables__
Privilege __default_execute_on_functions__
Privilege __default_insert_on_tables__
Privilege __default_references_on_tables__
Privilege __default_select_on_sequences__
Privilege __default_select_on_tables__
Privilege __default_trigger_on_tables__
Privilege __default_truncate_on_tables__
Privilege __default_update_on_sequences__
Privilege __default_update_on_tables__
Privilege __default_usage_on_sequences__
Privilege __default_usage_on_types__
Alias: `__usage_on_types__`