# User Management and Access Control in PostgreSQL

For much of the routine tasks involved with interacting with a database, such as reading the content of a table or adding new entries, the postgres superuser may not be appropriate as it bypasses all permission checks, which carries inherent risk. Furthermore, as a database administrator, you will almost certainly not be the only one who will need to access the database in some capacity. For this reason, you will need a way to add new users to the database and give them the proper privileges that is appropriate for their use cases.

## Objectives
After completing this lab, you will be able to:

Create roles in a database and grant them select permissions
Create new users in the database and assign them the appropriate role
Revoke and deny access to the database from a user

https://www.coursera.org/learn/relational-database-administration/ungradedLti/XB0R9/hands-on-lab-user-management-and-access-control-in-postgresql

In [1]:
#!curl -O https://cf-courses-data.s3.us.cloud-object-storage.appdomain.cloud/example-guided-project/flights_RUSSIA_small.sql

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 99.0M  100 99.0M    0     0   577k      0  0:02:55  0:02:55 --:--:--  740k:42  0:00:54  0:02:48  843k    0  0:02:47  0:01:16  0:01:31  906kk0:02:21  0:00:27  311k 577k      0  0:02:55  0:02:55 --:--:--  737k


In [1]:
import os
from dotenv import load_dotenv

# Cargar variables de entorno desde el archivo .env
load_dotenv()

# Obtener la contraseña de la variable de entorno
password = os.getenv("DB_PASSWORD")

In [2]:
# Load SQL Magic extension
%load_ext sql

In [5]:
# Especificar los detalles de la conexión
user = 'postgres'
host = 'localhost'
port = '5432'  # Puerto predeterminado de PostgreSQL
dbname = 'demo'  # Nombre de la base de datos

# Crear la URL de conexión
connection_string = f'postgresql://{user}:{password}@{host}:{port}/{dbname}'

# Conectar a la base de datos
%sql $connection_string

## Exercise 1: Create New Roles and Grant them Relevant Privileges

In PostgreSQL, users, groups, and roles are all the same entity, with the difference being that users can log in by default.

In this exercise, you will create two new roles: read_only and read_write, then grant them the relevant privileges.

To begin, ensure that you have the PostgreSQL Command Line Interface open and connected to the demo database, as such:

#### Task A: Create a read_only role and grant it privileges

In [7]:
%sql CREATE ROLE read_only;

 * postgresql://postgres:***@localhost:5432/demo
   postgresql://postgres:***@localhost:5432/restored_demo
Done.


[]

In [8]:
%sql GRANT CONNECT ON DATABASE demo TO read_only;

 * postgresql://postgres:***@localhost:5432/demo
   postgresql://postgres:***@localhost:5432/restored_demo
Done.


[]

In [9]:
%sql GRANT USAGE ON SCHEMA bookings TO read_only;

 * postgresql://postgres:***@localhost:5432/demo
   postgresql://postgres:***@localhost:5432/restored_demo
Done.


[]

In [10]:
%sql GRANT SELECT ON ALL TABLES IN SCHEMA bookings TO read_only;

 * postgresql://postgres:***@localhost:5432/demo
   postgresql://postgres:***@localhost:5432/restored_demo
Done.


[]

#### Task B: Create a read_write role and grant it privileges

In [11]:
%sql CREATE ROLE read_write;

 * postgresql://postgres:***@localhost:5432/demo
   postgresql://postgres:***@localhost:5432/restored_demo
Done.


[]

In [12]:
%sql GRANT CONNECT ON DATABASE demo TO read_write;

 * postgresql://postgres:***@localhost:5432/demo
   postgresql://postgres:***@localhost:5432/restored_demo
Done.


[]

In [13]:
%sql GRANT USAGE ON SCHEMA bookings TO read_write;

 * postgresql://postgres:***@localhost:5432/demo
   postgresql://postgres:***@localhost:5432/restored_demo
Done.


[]

In [14]:
%sql GRANT SELECT, INSERT, DELETE, UPDATE ON ALL TABLES IN SCHEMA bookings TO read_write;

 * postgresql://postgres:***@localhost:5432/demo
   postgresql://postgres:***@localhost:5432/restored_demo
Done.


[]

## Exercise 2: Add a New User and Assign them a Relevant Role

In this exercise, you will create a new user for the database and assign them the one of the roles you created in Exercise 1. This method streamlines the process of adding new users to the database since you don’t have to go through the process of granting custom privileges to each one. Instead, you can assign them a role and the user inherits the privileges of that role.


Suppose you wish to add a new user, user_a, for use by an information and help desk at an airport. In this case, assume that there is no need for this user to modify the contents of the database. As you may have guessed, the appropriate role to assign is the read_only role.



In [None]:
#CREATE USER user_a WITH PASSWORD 'user_a_password';

In [15]:
%sql CREATE USER user_a WITH PASSWORD '1234';

 * postgresql://postgres:***@localhost:5432/demo
   postgresql://postgres:***@localhost:5432/restored_demo
Done.


[]

In [16]:
%sql GRANT read_only TO user_a;

 * postgresql://postgres:***@localhost:5432/demo
   postgresql://postgres:***@localhost:5432/restored_demo
Done.


[]

demo-# \du
                              List of roles
 Role name  |                         Attributes                         
------------+------------------------------------------------------------
 postgres   | Superuser, Create role, Create DB, Replication, Bypass RLS
 read_only  | Cannot login
 read_write | Cannot login
 user_a     | 

In [24]:
%%sql

SELECT rolname AS "User Role",
       rolsuper AS "Superuser",
       rolinherit AS "Inherit Roles",
       rolcreaterole AS "Can Create Roles",
       rolcreatedb AS "Can Create Databases",
       rolcanlogin AS "Can Login",
       rolreplication AS "Is Replication",
       rolbypassrls AS "Can Bypass RLS",
       rolconnlimit AS "Connection Limit",
       rolpassword AS "Password",
       rolvaliduntil AS "Valid Until",
       rolconfig AS "Role Configuration"
FROM pg_roles
WHERE rolname NOT LIKE 'pg_%';



 * postgresql://postgres:***@localhost:5432/demo
   postgresql://postgres:***@localhost:5432/restored_demo
4 rows affected.


User Role,Superuser,Inherit Roles,Can Create Roles,Can Create Databases,Can Login,Is Replication,Can Bypass RLS,Connection Limit,Password,Valid Until,Role Configuration
postgres,True,True,True,True,True,True,True,-1,********,,
read_only,False,True,False,False,False,False,False,-1,********,,
read_write,False,True,False,False,False,False,False,-1,********,,
user_a,False,True,False,False,True,False,False,-1,********,,


In [31]:
%%sql
SELECT
    r.rolname AS "Role name",
    CASE
        WHEN r.rolsuper AND r.rolcreaterole AND r.rolcreatedb AND r.rolreplication AND r.rolbypassrls THEN 'Superuser, Create role, Create DB, Replication, Bypass RLS'
        WHEN r.rolsuper AND r.rolcreaterole AND r.rolcreatedb AND r.rolreplication THEN 'Superuser, Create role, Create DB, Replication'
        WHEN r.rolsuper AND r.rolcreaterole AND r.rolcreatedb THEN 'Superuser, Create role, Create DB'
        WHEN r.rolsuper AND r.rolcreaterole THEN 'Superuser, Create role'
        WHEN r.rolsuper THEN 'Superuser'
        WHEN r.rolcreaterole THEN 'Create role'
        WHEN r.rolcreatedb THEN 'Create DB'
        WHEN r.rolreplication THEN 'Replication'
        WHEN r.rolbypassrls THEN 'Bypass RLS'
        WHEN r.rolcanlogin THEN 'login'
        ELSE 'Cannot login'
    END AS "Attributes",
    array_to_string(ARRAY(
        SELECT m.roleid::regrole
        FROM pg_auth_members m
        WHERE m.member = r.oid
    ), ', ') AS "Member of"
FROM pg_roles r
WHERE r.rolname NOT LIKE 'pg_%'
ORDER BY r.rolname;


 * postgresql://postgres:***@localhost:5432/demo
   postgresql://postgres:***@localhost:5432/restored_demo
4 rows affected.


Role name,Attributes,Member of
postgres,"Superuser, Create role, Create DB, Replication, Bypass RLS",
read_only,Cannot login,
read_write,Cannot login,
user_a,login,read_only


In [33]:
%%sql
SELECT grantee,
       table_schema,
       table_name,
       string_agg(privilege_type, ', ') AS privileges
FROM information_schema.role_table_grants
WHERE table_schema = 'bookings'
GROUP BY grantee, table_schema, table_name
ORDER BY grantee, table_schema, table_name;


 * postgresql://postgres:***@localhost:5432/demo
   postgresql://postgres:***@localhost:5432/restored_demo
36 rows affected.


grantee,table_schema,table_name,privileges
postgres,bookings,aircrafts,"INSERT, SELECT, UPDATE, DELETE, TRUNCATE, TRIGGER, REFERENCES"
postgres,bookings,aircrafts_data,"SELECT, TRIGGER, REFERENCES, TRUNCATE, DELETE, INSERT, UPDATE"
postgres,bookings,airports,"TRIGGER, INSERT, SELECT, UPDATE, DELETE, TRUNCATE, REFERENCES"
postgres,bookings,airports_data,"TRIGGER, REFERENCES, TRUNCATE, DELETE, UPDATE, SELECT, INSERT"
postgres,bookings,boarding_passes,"SELECT, INSERT, TRIGGER, REFERENCES, TRUNCATE, DELETE, UPDATE"
postgres,bookings,bookings,"TRIGGER, REFERENCES, TRUNCATE, DELETE, UPDATE, SELECT, INSERT"
postgres,bookings,flights,"DELETE, UPDATE, SELECT, INSERT, TRIGGER, REFERENCES, TRUNCATE"
postgres,bookings,flights_v,"INSERT, SELECT, UPDATE, DELETE, TRUNCATE, REFERENCES, TRIGGER"
postgres,bookings,routes,"INSERT, SELECT, UPDATE, DELETE, TRUNCATE, REFERENCES, TRIGGER"
postgres,bookings,seats,"TRIGGER, INSERT, SELECT, UPDATE, DELETE, TRUNCATE, REFERENCES"


## Exercise 3: Revoke and Deny Access

You can use the REVOKE command in the Command Line Interface to remove specific privileges from a role or user in PostgreSQL.


In [34]:
%sql REVOKE SELECT ON aircrafts_data FROM user_a;

 * postgresql://postgres:***@localhost:5432/demo
   postgresql://postgres:***@localhost:5432/restored_demo
Done.


[]

Now suppose user_a is transferred departments within the airport and no longer needs to be able to access the demo database at all. You can remove all their SELECT privileges by simply revoking the read_only role you assigned to them earlier.

In [53]:
%sql REVOKE read_only FROM user_a;

 * postgresql://postgres:***@localhost:5432/demo
   postgresql://postgres:***@localhost:5432/restored_demo
Done.


[]

In [54]:
%%sql
SELECT r.rolname
FROM pg_roles r
JOIN pg_auth_members m ON r.oid = m.roleid
WHERE m.member IN (SELECT oid FROM pg_roles WHERE rolname = 'user_a');


 * postgresql://postgres:***@localhost:5432/demo
   postgresql://postgres:***@localhost:5432/restored_demo
0 rows affected.


rolname
