Amazon Redshift Grants - New table can't be ac

2020-05-23 03:11发布

问题:

I have a bit of a funny situation in Amazon Redshift where I have a user X who has grant select on all tables in schema public, but once a new table is created, this grant doesn't seem to apply to the new table. Is this normal behaviour? If yes, how does one deal with it such that the schema level grants are maintained. Thank you.

回答1:

In Redshift tables and views do not automatically inherit the permissions of their parent schema. Your newly created tables are only accessible to the user who created them, and the superuser.

In a recent patch to Redshift a new feature to grant default privileges was implemented that addresses this issue.

Alter Default Privileges

The following code snippet will grant select privileges only for all future tables in the sales schema to the sales_admin group. If you want this to apply to existing tables in a schema you will need to combine it with a second grant statement.

alter default privileges in schema sales grant select on tables to group sales_admin;


回答2:

Executing the following command as super user (master):

alter default privileges 
  for user staging_user 
  in schema staging 
  grant select on tables 
  to reporting_user;

will allow reporting_user to select data from all future tables created by staging_user in schema staging.



回答3:

This is a normal behavior. Only the object owner/superuser have permission to use the object by default.

http://docs.aws.amazon.com/redshift/latest/dg/r_Privileges.html

You can add grant command to your create table statement and grant needed privileges for the user.



回答4:

When we first spotted new tables not appearing in our reporting tool, I discovered a quick workaround is to re-execute the following SQL statement for the groups/users impacted:

ALTER DEFAULT PRIVILEGES IN SCHEMA <SCHEMANAME> GRANT SELECT ON TABLES TO GROUP <USER/GROUPNAME>;