By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

SVV_REDSHIFT_TABLES returns empty results when queried via a NON-ADMIN USER with SYSLOG ACCESS UNRESTRICTED

0

One of our monitoring systems uses SVV_REDSHIFT_TABLES to identify the user tables across all databases.

When SVV_REDSHIFT_TABLES is queried using a non-admin user created with SYSLOG ACCESS UNRESTRICTED, no results are returned.

The SVV_REDSHIFT_TABLES doc points to Visibility of data in system tables and views which further points to https://repost.aws/knowledge-center/amazon-redshift-system-tables.

The above re:post states creating a user with SYSLOG ACCESS UNRESTRICTED grants them access to all rows in the metadata views.

Even after creating the user with SYSLOG ACCESS UNRESTRICTED rows are not visible from SVV_REDSHIFT_TABLES.

Meta info

select VERSION();
+-------------------------------------------------------------------------------------------------------------------------+
|version                                                                                                                  |
+-------------------------------------------------------------------------------------------------------------------------+
|PostgreSQL 8.0.2 on i686-pc-linux-gnu, compiled by GCC gcc (GCC) 3.4.2 20041017 (Red Hat 3.4.2-6.fc3), Redshift 1.0.63269|
+-------------------------------------------------------------------------------------------------------------------------+

Provisioned Cluster with "ra3.xlplus" instance type

Steps to reproduce the issue

Create databases using admin credentials

create database user_access_test_db_1;
create database user_access_test_db_2;

Connect to Redshift with "user_access_test_db_1" as the database in the connection string and create a table using admin credentials

create table user_access_test_db_1.public.test_table_1 as
select 'test_table_1_row_1'
union
select 'test_table_1_row_2'
union
select 'test_table_1_row_3'
union
select 'test_table_1_row_4';

Connect to Redshift with "user_access_test_db_2" as the database in the connection string and create a table using admin credentials

create table user_access_test_db_2.public.test_table_2 as
select 'test_table_2_row_1'
union
select 'test_table_2_row_2'
union
select 'test_table_2_row_3'
union
select 'test_table_2_row_4';

Create a user using admin credentials

CREATE USER user_access_test_user PASSWORD <password> SYSLOG ACCESS UNRESTRICTED;
ALTER USER user_access_test_user WITH SYSLOG ACCESS UNRESTRICTED;

Connect to Redshift with "user_access_test_db_2" as the database in the connection string and create a table using "user_access_test_user" credentials

select *
from SVV_REDSHIFT_TABLES
where database_name in ('user_access_test_db_1', 'user_access_test_db_2')
  and schema_name not in ('pg_catalog', 'information_schema', 'pg_internal')

-- Returns no result
Topics
Analytics
Tags
Amazon Redshift
Language
English
Sumeet
asked 2 months ago94 views
3 Answers
0

I recommend you open Support Ticket so this issue gets looked into officially.

profile pictureAWS
MilindOke
answered 2 months ago
  • Sumeet
    2 months ago

    We opened a support ticket, and will post an update here once we have any response

0

Hi Sumeet,

Some SVV tables and views return empty result if the user does not have permissions on the objects (in your case the test_table_* tables), even if the user has SYSLOG ACCESS UNRESTRICTED. If you grant access (for example, SELECT) on the table to user_access_test_user, then this should work.

Regards,

AWS
EXPERT
Ziad
answered 2 months ago
  • Sumeet
    2 months ago

    Thank you for the suggestion, granting SELECT on the table makes it appear in the SVV_REDSHIFT_TABLES. However, the user_access_test_user user is created for and used by the monitoring service. Our internal policies do not allow the monitoring system user to have SELECT access to the tables, thus the issue.

0

Currently, Super users can see all the data and regular users can see their own data in SVV_REDSHIFT_TABLES[1]. To query complete data in the SVV_REDSHIFT_TABLES or SVV_ALL_TABLES tables, you require Super user or provide access[2] on the table for normal user.

SYSLOG ACCESS UNRESTRICTED is used to view the data of other user queries in query monitoring tables(ex: svv_tansactions, stv_recents) when other users are running queries on Redshift cluster. Privileges to access for each system table may vary when the querying user is non-super user.

[1] https://docs.aws.amazon.com/redshift/latest/dg/r_SVV_REDSHIFT_TABLES.html
[2] GRANT: https://docs.aws.amazon.com/redshift/latest/dg/r_GRANT.html
Srinivas
answered 2 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content