-
-
Notifications
You must be signed in to change notification settings - Fork 163
/
Copy pathroles.sql
77 lines (74 loc) · 2.29 KB
/
roles.sql
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
-- all roles and attributes
select
rolname,
rolcreaterole ,
rolcanlogin ,
rolsuper ,
rolinherit ,
rolcreatedb ,
rolreplication ,
rolconnlimit ,
rolbypassrls ,
rolvaliduntil
from pg_roles r
-- TODO: this exclusion is to maintain compat with pg17, we should cover it
where rolname not in ('pg_create_subscription', 'pg_maintain', 'pg_use_reserved_connections')
order by rolname;
select
rolname,
rolconfig
from pg_roles r
-- TODO: this exclusion is to maintain compat with pg17, we should cover it
where rolname not in ('pg_create_subscription', 'pg_maintain', 'pg_use_reserved_connections')
order by rolname;
-- all role memberships
select
r.rolname as member,
g.rolname as "member_of (can become)",
m.admin_option
from
pg_roles r
left join
pg_auth_members m on r.oid = m.member
left join
pg_roles g on m.roleid = g.oid
-- TODO: this exclusion is to maintain compat with pg17, we should cover it
where r.rolname not in ('pg_create_subscription', 'pg_maintain', 'pg_use_reserved_connections')
order by
r.rolname, g.rolname;
-- Check all privileges of the roles on the schemas
select schema_name, privilege_type, grantee, default_for
from (
-- ALTER DEFAULT privileges on schemas
select
n.nspname as schema_name,
a.privilege_type,
r.rolname as grantee,
d.defaclrole::regrole as default_for,
case when n.nspname = 'public' then 0 else 1 end as schema_order
from
pg_default_acl d
join
pg_namespace n on d.defaclnamespace = n.oid
cross join lateral aclexplode(d.defaclacl) as a
join
pg_roles r on a.grantee = r.oid
where
a.privilege_type != 'MAINTAIN' -- TODO: this is to maintain compat with pg17, we should cover it
union all
-- explicit grant usage and create on the schemas
select
n.nspname as schema_name,
a.privilege_type,
r.rolname as grantee,
n.nspowner::regrole as default_for,
case when n.nspname = 'public' then 0 else 1 end as schema_order
from
pg_namespace n
cross join lateral aclexplode(n.nspacl) as a
join
pg_roles r on a.grantee = r.oid
where
a.privilege_type in ('CREATE', 'USAGE')
) sub
order by schema_order, schema_name, privilege_type, grantee, default_for;