[docs] PostgreSQL auto-user provisioning guide minor edits #48897
Conversation
greedy52
added
no-changelog
docs/pages/enroll-resources/database-access/auto-user-provisioning/postgres.mdx
Outdated
Show resolved
Hide resolved
github-actions
bot
requested review from
mmcallister,
ptgott,
r0mant,
xinding33 and
zmb3
| <Admonition type="warning" title="Procedure Privileges in PostgreSQL 15+"> | ||
| (!docs/pages/includes/database-access/auto-user-provisioning/postgres15-grant-create.mdx!) | ||
| </Admonition> |
There was a problem hiding this comment.
GRANT CREATE ON SCHEMA public TO "teleport-admin";
This shouldn't be necessary any more after @gabrielcorado 's change that moved procedures to pg_temp
greedy52
force-pushed
the
STeve/docs/postgres_auto_user_update
branch
from
ae82c07 to
4e2eb72
Compare
|
🤖 Vercel preview here: https://docs-iyaz50s9n-goteleport.vercel.app/docs/ver/preview |
|
🤖 Vercel preview here: https://docs-8v6382zn6-goteleport.vercel.app/docs/ver/preview |
public-teleport-github-review-bot
bot
removed request for
r0mant,
gabrielcorado,
mmcallister,
zmb3 and
xinding33
|
Should we merge this one? |
…/docs/postgres_auto_user_update
|
Amplify deployment status
|
greedy52
force-pushed
the
STeve/docs/postgres_auto_user_update
branch
from
aa05c9d to
879633f
Compare
public-teleport-github-review-bot
bot
removed the request for review
from smallinsky
* [docs] PostgreSQL auto-user provisioning guide minor edits * remove admin option from rds_superuser and add note on admin option for each role
| `rds_superuser` role for RDS databases. | ||
|
|
||
| For improved security through the principle of least privilege, you can also | ||
| assign permissions directly to specific database objects. For example: | ||
|
|
||
| ```sql | ||
| GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA schema1, schema2, schema3 TO "teleport-admin"; |
There was a problem hiding this comment.
We need to update this if the assumption is that they don't have a superuser role: It should be:
- GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA schema1, schema2, schema3 TO "teleport-admin";
+ GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA schema1, schema2, schema3 TO "teleport-admin" WITH GRANT OPTION;Additionally, in light of #51851
the admin will need this:
GRANT ALL PRIVILEGES ON SCHEMA schema1, schema2, schema3 TO "teleport-admin" WITH GRANT OPTIONOr more specifically, the equivalent:
GRANT USAGE, CREATE ON SCHEMA schema1, schema2, schema3 TO "teleport-admin" WITH GRANT OPTIONcc @greedy52
There was a problem hiding this comment.
And it may also be useful for non-superuser admins to alter their default permissions like this so that new tables are also supported:
GRANT USAGE, CREATE ON SCHEMA schema1, schema2, schema3 TO "teleport-admin" WITH GRANT OPTION;
GRANT ALL ON ALL TABLES IN SCHEMA schema1, schema2, schema3 TO "teleport-admin" WITH GRANT OPTION;
ALTER DEFAULT PRIVILEGES IN SCHEMA schema1, schema2, schema3 GRANT ALL ON TABLES TO "teleport-admin" WITH GRANT OPTION;The same can be done for new tables created in all current/new schemas:
ALTER DEFAULT PRIVILEGES GRANT ALL ON TABLES TO "teleport-admin" WITH GRANT OPTION;And for any new schemas as well:
ALTER DEFAULT PRIVILEGES GRANT USAGE,CREATE ON SCHEMAS TO "teleport-admin" WITH GRANT OPTION;There was a problem hiding this comment.
thanks! let's track these for #51851. why does admin need CREATE on schemas?
There was a problem hiding this comment.
We discussed this in call but just to write it down: this would just be future proofing so that we can support permission grants for schema objects.
No description provided.