GRANT USAGE ON SCHEMA doesn't do anything

postgresql

For whatever reason, our database is not respecting GRANT commands. Below is an example with a newly created user.

pddbtest=> create user test_user login;
CREATE ROLE

then verify user does not have schema permission yet

pddbtest=> SELECT rolname, has_schema_privilege(rolname, 'public', 'usage') from pg_roles where rolname='test_user';
  rolname  | has_schema_privilege
-----------+----------------------
 test_user | f
(1 row)

then grant permission

pddbtest=> grant usage on schema public to test_user;
GRANT

then read if permission exists now (it does not)

pddbtest=> SELECT rolname, has_schema_privilege(rolname, 'public', 'usage') from pg_roles where rolname='test_user';
  rolname  | has_schema_privilege
-----------+----------------------
 test_user | f
(1 row)

Even after granting permission on the schema, which doesn't return any errors, the database still sees the permission as not granted. (if I add a select grant on all tables in schema after, I also still get a schema permission denied error when trying to query any of the tables)

(Search path is "$user",public should that information be relevant)

EDIT: Here is the output of SELECT version(); and \dn+ as requested:

PostgreSQL 10.7 on x86_64-pc-linux-gnu, compiled by gcc (GCC) 4.9.3, 64-bit


                             List of schemas
   Name    |     Owner      |         Access privileges        | Description 
-----------+----------------+----------------------------------+------------------------
 fnrbaks   | appuser_root   |                                  |
 mask      | maint_user_2   | maint_user_2=UC/maint_user_2+    |
           |                | readonly_viewer=U/maint_user_2   | 
 pganalyze | appuser_root   | appuser_root=UC/appuser_root    +| 
           |                | pganalyze=U/appuser_root        +| 
           |                | pganalyze2=U/appuser_root        | 
 public    | rdsadmin       | appuser_root=UC/rdsadmin        +| standard public schema
           |                | proddb=U/rdsadmin                | 
(4 rows)

The public schema belongs here to rdsadmin. A possible explanation to the GRANT not working is that it's run by an under-priviledged user (not rdsadmin and not superuser) that doesn't have the right to grant rights on public:

grant usage on schema public to test_user;

By default if that grant is ineffective, a warning is displayed:

WARNING:  no privileges were granted for "public"

but it depends on the client_min_messages setting. If that setting is below the warning threshold (for instance it's set to error), then the warning is not displayed and you'd have the behavior shown in the question. This can be verified with:

 SHOW client_min_messages;

and changed to a more verbose level with:

SET client_min_messages TO notice;

I had the same issue and contacted AWS support;

Template0 owner is rdsadmin. You should not use it to create a new database. Template1 owner is root (Master user). You should usee it to create a new database. [...]we are not able to alter the schema owner back to rdsadmin, as it is a super user reserved for RDS. So, you should never use the template0 to create a database.

In my case it could be fixed by running:

alter schema public owner to root;

Related

Which certificate does kubelet use?
nginx: ability to log if client supports TLS SNI?
SetroubleshootPrivileged.py using 95% CPU | Centos 8 server
Making an `ip rule` higher priority than `local`
What is the difference between a proxy server and a gateway server?
kubernetes mariadb-galera cluster - bitnami helm chart - Readiness probe failed
SSH - Permission denied (publickey)
What's the difference between auid, uid, euid, suid, fsuid, obj_uid, gid, egid, sgid, fsgid, obj_gid in `auditctl`?
How do I log console output from a XEN VM?
Wordpress + nginx infinite redirect loop
LTO-8 tapes long-term storage rules
How secure is webdav? Is smb tunneling over ssh (with putty) a better solution?