Azure PostgreSQL Flexible Server - Admin user permission issue

Question

Azure PostgreSQL Flexible Server - Admin user permission issue

sappu solanki 66

I have created new Azure database for PostgreSQL - Flexible Server with admin user as "admin_demo".

Now after creating database I have done followoing steps:
(1) create schema abc authorization admin_demo; -- creates new schema
(2) create role role_developer; -- creates new role
(3) grant usage, create on schema abc to role_developer; -- grant access to new role in schema
(4) grant select, insert, update, delete on all tables in schema abc to role_developer; -- grant access to new role in schema
(5) alter default privileges in schema abc grant select, insert, update, delete on tables to role_developer; -- grant access to new role in schema

Now I created one user with name "dev_user" and assigned "role_developer" role created in above step no 2

-- Create the user(s)
create user dev_user with password 'xyz';

-- Assign role(s) to the user(s)
grant role_developer to dev_user;

Now I login into database with user "dev_user" and create table "demo_table".
After that When I login into database with admin user i.e "admin_demo" and try to query the table "demo_table" created by user "dev_user" in above step, it throws me permission denied error.

My requirement here is "admin_demo" being the admin user should be able to anything(DDL/Alter etc) with any table in any schema throughout database irrespective of which user has created that table or function or procedure or sequence etc.

Can anyone help me with this ?

Arman Gasparyan 11 Reputation points

2022-07-13T11:32:22.86+00:00

Hello,

We had the same issue.
We use Postgres Flex Server in MS Azure.
In the server we have admin role and inherited from it app role.
Function uses app role and creates sequence in the database. When we try to dump database by using admin user we get error which say that admin does not have access permissions for sequence object.
app is a member of admin role (as described in the previous answers).
Could you please provide solution for this situation ??
How we can make objects (sequences, tables etc.) which had been created by inherited roles accessible for parent roles in Azure Postgres Flex Server.

Regards,
Arman.
sappu solanki 66 Reputation points

2022-07-13T11:58:44.56+00:00

Hello @Arman Gasparyan ,
As far as I know, In PostgreSQL Flexible server on Azure, owner of the DB object completely owns that object.
Even though you have created app role with admin role where inherit option is checked and true, still you will have to either make function owner as admin or grant required rights explicitly to admin user.

NOTE: Even I am struggling with similar sort of issue hence I had only posted the main question regarding admin role issue on PostgreSQL Flexible Server

3 answers

Your answer

Arman Gasparyan 11 Reputation points

2022-07-13T11:32:22.86+00:00

Hello,

We had the same issue.
We use Postgres Flex Server in MS Azure.
In the server we have admin role and inherited from it app role.
Function uses app role and creates sequence in the database. When we try to dump database by using admin user we get error which say that admin does not have access permissions for sequence object.
app is a member of admin role (as described in the previous answers).
Could you please provide solution for this situation ??
How we can make objects (sequences, tables etc.) which had been created by inherited roles accessible for parent roles in Azure Postgres Flex Server.

Regards,
Arman.
sappu solanki 66 Reputation points

2022-07-13T11:58:44.56+00:00

Hello @Arman Gasparyan ,
As far as I know, In PostgreSQL Flexible server on Azure, owner of the DB object completely owns that object.
Even though you have created app role with admin role where inherit option is checked and true, still you will have to either make function owner as admin or grant required rights explicitly to admin user.

NOTE: Even I am struggling with similar sort of issue hence I had only posted the main question regarding admin role issue on PostgreSQL Flexible Server

Answer 1

GeethaThatipatri-MSFT 29,542 Microsoft Employee Moderator

Hi, @sappu solanki Thanks for the ask and for using the Microsoft Q&A platform.

That is by design the admin will need to be part of the role role_developer
Please add your dev_user under membership as shown below and give it a try.

Please let me know if this helps or if you need any additional information.

Regards
Geetha

Answer 2

sappu solanki 66

Hi, @GeethaThatipatri-MSFT Thanks for quick response.
Actually I already have Azure Database for PostgreSQL - Single Server where roles and users are configured in such a way where admin-user can do anything with DB objects irrespective of which user has created that object.
When I checked the membership for admin-user as suggested by you, it has no role or user assigned as member.

Following is properties of admin-user
It only has no members and is member of azure_pg_admin and pg_read_all_stats with admin option unchecked for both.

I am trying to migrate Azure PostgreSQL Single server to Flexible Server, and hence I am facing issue with roles and users configuration of Flexible Server.
I have used pg_dumall -r option to migrate roles and users.

GeethaThatipatri-MSFT 29,542 Reputation points Microsoft Employee Moderator

2022-05-18T22:21:50.277+00:00

@sappu solanki Currently I am checking with the internal team and provide you with more details.

Regards
Geetha
GeethaThatipatri-MSFT 29,542 Reputation points Microsoft Employee Moderator

2022-05-20T00:46:06.19+00:00

Hi, @sappu solanki Are you planning to use the Migration tool or something elase? can you please provide information on that.

Regards
Geetha
sappu solanki 66 Reputation points

2022-05-20T06:51:54.85+00:00

@GeethaThatipatri-MSFT - I am using Pg_dump and Pg_restore command for schema only migration of database. For data migration I am using Azure database migration service.

For users and Roles migration I am using below pg_dumpall command

Step 1 - Backup
pg_dumpall -r --host=hostname --port=5432 --username=username@servername --database=db_name > roles.sql

Step 2 - Remove WITH NOSUPERUSER and NOBYPASSRLS from roles.sql script and save it

Step 3 - Restore roles
psql -f roles.sql --host=hostname --port=5432 --username=user_name -d db_name.
GeethaThatipatri-MSFT 29,542 Reputation points Microsoft Employee Moderator

2022-05-20T13:00:26.027+00:00

HI, @sappu solanki Thanks for sharing additional information not I got it.
We do not provide the option to our customers to use the real superuser, which is referred to here as an admin. So there is no concept of a user that is able to do everything.

This doesn't make much sense since when you are doing CREATE ROLE both options mentioned are default, so even if you will not specify it will default to NOSUPERUSER and NOBYPASSRLS

Please let me know if you are looking for any additional information.
Regards
Geetha
sappu solanki 66 Reputation points

2022-05-23T06:53:22.667+00:00

@GeethaThatipatri-MSFT
Currently, In our Azure Database for PostgreSQL - Single Server (Version 11), Admin User can do select, Insert, Update, Delete, Drop, Alter to any DB object irrespective of which user has created that object.

Current Scenario in our Database -
(1) Suppose dev_user1 creates table, if dev_user2 tries to access that table, it shows permission denied.
But If same table admin_user tries to access, it can do that.

(2) Now Suppose admin_user creates any table, then dev_user1 and dev_user2 both can access the table. Here both users are tagged under developer_user role where we are explicitly granting INSERT/UPDATE/DELETE rights.

But then in the point number 1 as far as I know, We have not explicitly assign any rights or grants, By default admin_user is able to access the objects.
Lets suppose for assumption, even if we had provided any rights explicitly in point no 1, then if we create new schema then how can admin_user still can access any objects under that schema created by any user. Because if new schema is created then then by default admin_user should be provided grants to access any objects. But even we are not providing an explicit grants it can access the objects.

Current PostgreSQL database version on single server we are using is 11, Now we are planning to move to version 13 on Flexible Server, is there any changes in how roles and user works from version 11 to 13, Can you help with this aswell ?
GeethaThatipatri-MSFT 29,542 Reputation points Microsoft Employee Moderator

2022-05-24T22:55:33.053+00:00

Hi, @sappu solanki After reproducing the issue can you please try as below.

CREATE USER admin_demo password 'xyz';
create user role_developer;
grant admin_demo to pgadmin ;
create schema abc authorization admin_demo;
grant usage, create on schema abc to role_developer;
grant select, insert, update, delete on all tables in schema abc to role_developer;
alter default privileges in schema abc grant select, insert, update, delete on tables to role_developer;
create user dev_user with password 'xyz';
grant role_developer to dev_user;
\c postgres dev_user@01aa
CREATE TABLE abc.demo_table(id int);
\c postgres admin_demo@01aa
table abc.demo_table ;

Please let me know if you find any issue

Regards
Geetha
sappu solanki 66 Reputation points

2022-05-25T11:16:08.373+00:00

Hello @GeethaThatipatri-MSFT
The steps mentioned by you above is exactly how we have configured roles and users in our current Azure PostgreSQL - Single Server. Here everything works fine and admin-user can DDL/DML any DB objects irrespective which user has created that.

But the same things is not working the same when configured in similar manner in Azure PostgreSQL - Flexible Server.

Can you create one demo instance of Flexible Server and try to execute the above steps and see the difference.

NOTE : Steps mentioned by you above "CREATE USER admin_demo password 'xyz'; We have not executed explicitly as this user is the admin user that we create as part of setting Azure PostgreSQL from Azure portal and hence it gets created automatically.
Make Sure when you are trying to create Azure PostgreSQL - Flexible Server, during setup only have that admin user set with username and password and after that do not explicitly create new admin_user issuing "CREATE USER admin_demo password 'xyz'" command.

Please let me know the outcome.
GeethaThatipatri-MSFT 29,542 Reputation points Microsoft Employee Moderator

2022-05-25T22:43:29.267+00:00

Hi, @sappu solanki Did you get a chance to check my private message?

Regards
Geetha
sappu solanki 66 Reputation points

2022-05-26T06:57:24.207+00:00

Hi, @GeethaThatipatri-MSFT Yes as suggested by you I have sent an email to the concerned team. I will keep you updated.
Bikram GC 15 Reputation points

2023-08-01T06:58:17.06+00:00

Hi @sappu solanki what was the solution here? i am having the similar issue with postgresql flexible server, where an azure ad admin group is unable to access any databases apart from the default databases(postgres,azure_maintenance), i get the error saying must be owner of database "x" when i try to run the GRANT commands to the database "x". Note: i can connect but doesn't have permission to query it
sappu solanki 66 Reputation points

2023-08-02T18:12:07.29+00:00

@Bikram GC You can explicitly assign rights or ownership of DB object to the required user OR Create an event trigger for action like create table, function, procedure etc which will automatically assign ownership/rights to the required user
Bikram GC 15 Reputation points

2023-08-02T22:48:31.78+00:00

@sappu solanki is there an example you can provide me for reference please.

Answer 3

Andy Lam 0

@sappu solanki Is this the sole solution/recommendation by @GeethaThatipatri-MSFT that you've been using up until now, to use DDL triggers of some sort? If so, seems like this was an oversight by Microsoft with flexible server; in my opinion there should be a better work-around for all of this since the server admin technically isn't the admin. I've spent hours looking, but is this fixed in a later version of flexible server? (My current organization is using v11)

Share via

Azure PostgreSQL Flexible Server - Admin user permission issue

3 answers

Your answer