防止角色在 postgresql 上公开创建表

Question

How do you prevent a ROLE from creating TABLES in the PUBLIC schema?

Here is what I have tried:

# Logging in as administrator
PGPASSWORD=my_admin_password psql -h XXX.XXX.XXX.XXX --port XXXXX -d database -U admin_user

# Creating role/user
CREATE ROLE test_role;
GRANT CONNECT ON DATABASE database TO test_role;
CREATE USER test_user WITH ENCRYPTED PASSWORD 'password';
GRANT test_role TO test_user;

# Removing all permissions on public
REVOKE ALL ON DATABASE database FROM PUBLIC;
REVOKE ALL ON ALL TABLES IN SCHEMA public FROM test_role;

Now let's log in with the test_user:

# Logging in as test_user
PGPASSWORD=password psql -h XXX.XXX.XXX.XXX --port XXXXX -d database -U test_user

# Creating a table 
CREATE TABLE test (id int, name text);

Table has been created in public successfully! Wonderful! What is going wrong here? Why can a user will all permissions revoked still create tables?

Update:

As suggested I have written a few more revokes as the administrator, and it says there is nothing left to revoke. STILL, I can create all the tables I want as test_user . I am starting to speculate if it could be some strange behaviour by the Managed Postgres , where I do not have access to the REAL admin, and it says the owner of public is _rdb_superadmin . The Postgresql message is not very helpfull, as it doesn't tell me if all permissions have been revoked or not.

Answer 1

Your command REVOKE ALL ON ALL TABLES IN SCHEMA public only revoked privileges on existing tables in that schema, not any privileges on the schema itself.

You need to revoke the privileges on the public schema itself as well:

revoke all on schema public from public;

It's a bit unclear if you only want to prevent the creation of tables. So maybe you just want

revoke create on schema public from public;

which would keep the usage privilege.

---

In the upcoming Postgres 15, the public role will no longer have the create privilege on the schema public by default.