
How to do “\dp” by query on postgresql?

I'm trying to find information about how to do "Show Grants" on PostgreSQL. So far, the \dp command in psql is the closest result for me.

I searched the PG documentation and it didn't give any detail about where the \dp command gets its information, or which table/view would contain it.

My question: What SQL statement could do the same thing as \dp in psql (or the same thing as "Show Grants" in MySQL)?

BTW, I don't know if the table/view name that contains the info I want would be different between PG8 and PG9.

You can see the SQL run by psql for any backslash command by running psql with -E.

e.g.

$ psql -E
myuser=> \dp

However, psql's queries aren't guaranteed to be cross-version portable. It may emit different queries for different PostgreSQL versions. If at all possible you should prefer to use the information_schema instead.

Also, note that "Pg 8" or "Pg 9" is nonsensical, like saying "Windows 6.x". The "x" is very important. 9.1 and 9.4 are very different releases.

In this case I think you probably want information_schema.table_privileges and information_schema.column_privileges.

MySQL SHOW GRANTS shows all the privileges assigned to a specific user. PostgreSQL does not have a similar command; see this question and answer for a discussion. Using the pointers there it is not very difficult to piece together a query that returns results similar to what MySQL shows.

User privilege, inherited privileges

Finding the privileges for an individual user is relatively straightforward using the pg_roles catalog table. But a user can also inherit privileges from other roles, possibly multiple levels deep. Analyzing that is - again - not available out-of-the-box. This answer shows you how you can list privileges granted to the user and privileges inherited through role membership.

SHOW GRANTS

The below query will give you details on every privilege granted on tables and views, using the query from above (priv_membership view):

WITH rel AS (
  SELECT pg_class.oid,
         pg_class.relnamespace,
         pg_class.relname,
         (aclexplode(pg_class.relacl)).grantor AS grantor,
         (aclexplode(pg_class.relacl)).grantee AS grantee,
         (aclexplode(pg_class.relacl)).privilege_type AS privilege_type,
         (aclexplode(pg_class.relacl)).is_grantable AS is_grantable
  FROM pg_class
  WHERE pg_class.relkind::text = ANY (ARRAY['r'::text, 'v'::text]))
SELECT rel.oid AS reloid,
    mem.usrname AS rolname,
    rel.privilege_type AS privilege,
    sch.nspname AS schema,
    rel.relname,
    r1.rolname AS grantee,
    r2.rolname AS grantor
FROM priv_membership mem
JOIN rel ON rel.grantee = mem.grpid
JOIN pg_roles r1 ON r1.oid = rel.grantee
JOIN pg_roles r2 ON r2.oid = rel.grantor
JOIN pg_namespace sch ON sch.oid = rel.relnamespace
WHERE mem.usrname <> 'postgres'
  AND mem.canlogin IS TRUE
ORDER BY sch.nspname, rel.relname, mem.usrname;

This shows individual privileges so a single table or view may appear multiple times for a specific user. You can wrap this in a view for handy access and then easily filter on a specific user, schema, relation, etc.
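
The approach in the last answer, written as a single self-contained query for auditing one role (an added example, not part of the original answers). It resolves role membership inline with a recursive CTE instead of relying on the priv_membership view, and also lists grants to PUBLIC; the role name app_user is a constructed placeholder.

```sql
-- Added example. 'app_user' is a constructed role name; substitute your own.
-- Needs PostgreSQL 9.3+ for LATERAL; aclexplode() exists since 9.0.
WITH RECURSIVE membership AS (
    -- Start with the role being audited ...
    SELECT r.oid AS grpid
    FROM pg_roles r
    WHERE r.rolname = 'app_user'
  UNION
    -- ... then add every role it is a member of, directly or indirectly.
    -- Membership is followed whether or not the privileges are inherited
    -- automatically (a NOINHERIT role has to SET ROLE to use them).
    SELECT am.roleid
    FROM membership m
    JOIN pg_auth_members am ON am.member = m.grpid
),
grantees AS (
    SELECT grpid FROM membership
    UNION ALL
    SELECT 0::oid              -- grantee 0 in an ACL entry means PUBLIC
)
SELECT n.nspname                       AS schema,
       c.relname                       AS relation,
       a.privilege_type,
       a.is_grantable,
       COALESCE(via.rolname, 'PUBLIC') AS granted_to,  -- role holding the grant
       gr.rolname                      AS grantor
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
-- One row per (grantee, privilege) instead of four aclexplode() calls.
-- A NULL relacl (default privileges only) yields no rows here, so an
-- owner's implicit rights on an object with no explicit grants are not listed.
CROSS JOIN LATERAL aclexplode(c.relacl) AS a
JOIN grantees g ON g.grpid = a.grantee
LEFT JOIN pg_roles via ON via.oid = a.grantee
JOIN pg_roles gr ON gr.oid = a.grantor
WHERE c.relkind IN ('r', 'v')          -- tables and views, as in the answer
  AND n.nspname NOT IN ('pg_catalog', 'information_schema')
ORDER BY n.nspname, c.relname, granted_to, a.privilege_type;
```

Rows where granted_to differs from the audited role are privileges it reaches only through membership or PUBLIC, which is where unexpected access usually shows up in a review.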
