← Back to Skills Marketplace
wenbingyu

Hologres Privileges

by francis · GitHub ↗ · v0.2.0 · MIT-0
cross-platform ✓ Security Clean
83
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install hologres-privileges
Description
Hologres privilege management using PostgreSQL standard authorization model (expert permission model). Use for creating users, granting/revoking Schema/table...
README (SKILL.md)

Prerequisites

This skill requires hologres-cli to be installed first:

pip install hologres-cli
export HOLOGRES_SKILL=hologres-privileges

All SQL execution depends on hologres-cli commands (hologres sql run --write).

Hologres Privilege Management (Expert Permission Model)

Manage fine-grained access control in Hologres using standard PostgreSQL GRANT/REVOKE syntax.

Permission Model Overview

Hologres provides three permission models. This skill focuses on the Expert Model.

Model Granularity Use Case
Expert (PostgreSQL Standard) Table/Column/View level Fine-grained control, per-table/per-user
SPM (Simple Permission Model) Database level Quick setup, 4 preset role groups
SLPM (Schema-Level Permission Model) Schema level Multi-team isolation with simplified management

The expert model uses standard PostgreSQL GRANT/REVOKE syntax. It only applies to existing objects — use ALTER DEFAULT PRIVILEGES for future objects.

Quick Start

-- 1. Create user (RAM user format: p4_\x3Cuid>)
CREATE USER "p4_1822780xxx";

-- 2. Grant Schema access (required for any table query)
GRANT USAGE ON SCHEMA public TO "p4_1822780xxx";

-- 3. Grant table read permission
GRANT SELECT ON TABLE public.orders TO "p4_1822780xxx";

-- 4. Verify permission
SELECT has_table_privilege('p4_1822780xxx', 'public.orders', 'SELECT');

User Management

Account Types

Type Format Example
Alibaba Cloud main account Numeric UID 11822780xxx
RAM sub-account p4_ + UID p4_1822780xxx
Custom user (BASIC) BASIC$ + name BASIC$dev_user

Create Users

-- Create user with login privilege
CREATE USER "p4_1822780xxx";

-- Create user as Superuser
CREATE USER "p4_1822780xxx" SUPERUSER;

-- Create custom user with password
CREATE USER "BASIC$dev_user" WITH PASSWORD 'secure_password';

Alter Users

-- Promote to Superuser
ALTER USER "p4_1822780xxx" SUPERUSER;

-- Demote to normal user
ALTER USER "p4_1822780xxx" NOSUPERUSER;

-- Change custom user password
ALTER USER "BASIC$dev_user" WITH PASSWORD 'new_password';

Delete Users

-- Drop user (no owned objects)
DROP USER "p4_1822780xxx";

-- Drop user with owned objects (transfer first)
REASSIGN OWNED BY "p4_old_uid" TO "p4_new_uid";
DROP USER "p4_old_uid";

Core Grant Syntax

Schema Privileges

-- Grant Schema access (required before any table query)
GRANT USAGE ON SCHEMA schema_name TO "user_id";

-- Grant ability to create tables in Schema
GRANT CREATE ON SCHEMA schema_name TO "user_id";

Table Privileges

-- Grant specific privileges on a single table
GRANT SELECT ON TABLE schema_name.table_name TO "user_id";
GRANT SELECT, INSERT, UPDATE, DELETE ON TABLE schema_name.table_name TO "user_id";

-- Grant on all existing tables in a Schema
GRANT SELECT ON ALL TABLES IN SCHEMA public TO "user_id";

-- Grant to all users
GRANT SELECT, INSERT, UPDATE ON ALL TABLES IN SCHEMA public TO PUBLIC;

Column Privileges

-- Grant SELECT on specific columns only
GRANT SELECT (column1, column2) ON TABLE schema_name.table_name TO "user_id";

View Privileges

GRANT SELECT ON view_name TO "user_id";

Grant with Transfer (WITH GRANT OPTION)

-- Allow the grantee to re-grant this privilege to others
GRANT SELECT ON TABLE schema_name.table_name TO "user_id" WITH GRANT OPTION;

Owner Transfer

Only the table Owner or Superuser can DROP/ALTER a table.

-- Transfer table ownership
ALTER TABLE schema_name.table_name OWNER TO "user_id";

-- Transfer ownership to a role group
ALTER TABLE schema_name.table_name OWNER TO role_name;

Default Privileges (Future Objects)

GRANT only applies to existing objects. Use ALTER DEFAULT PRIVILEGES so that future tables automatically inherit permissions.

-- All future tables created by user1 in public schema are readable by everyone
ALTER DEFAULT PRIVILEGES FOR ROLE "user1" IN SCHEMA public
  GRANT SELECT ON TABLES TO PUBLIC;

-- Only user2 can read future tables created by user1
ALTER DEFAULT PRIVILEGES FOR ROLE "user1" IN SCHEMA public
  GRANT SELECT ON TABLES TO "user2";

-- Revoke a default privilege rule
ALTER DEFAULT PRIVILEGES FOR ROLE "user1" IN SCHEMA public
  REVOKE SELECT ON TABLES FROM PUBLIC;

-- Check current default privilege settings
SELECT pg_catalog.pg_get_userbyid(d.defaclrole) AS "Owner",
  n.nspname AS "Schema",
  CASE d.defaclobjtype
    WHEN 'r' THEN 'table' WHEN 'S' THEN 'sequence'
    WHEN 'f' THEN 'function' WHEN 'T' THEN 'type'
  END AS "Type",
  pg_catalog.array_to_string(d.defaclacl, E'\
') AS "Access privileges"
FROM pg_catalog.pg_default_acl d
LEFT JOIN pg_catalog.pg_namespace n ON n.oid = d.defaclnamespace
ORDER BY 1, 2, 3;

Important: ALTER DEFAULT PRIVILEGES FOR ROLE "X" only applies when user X creates the object. If another user creates tables, the rule does not trigger.

Revoke Privileges

Scope SQL
Single table REVOKE SELECT ON TABLE schema.table FROM "user_id";
All tables in Schema REVOKE ALL ON ALL TABLES IN SCHEMA public FROM "user_id";
Schema access REVOKE USAGE ON SCHEMA schema_name FROM "user_id";
Column privilege REVOKE SELECT (col1) ON TABLE schema.table FROM "user_id";

Permission Diagnostics Quick Reference

-- List all roles with key attributes
SELECT rolname, rolsuper, rolcanlogin FROM pg_roles;

-- Check if a user has SELECT on a specific table
SELECT has_table_privilege('user_id', 'schema.table', 'SELECT');

-- List all table grants for a specific role
SELECT table_schema, table_name, privilege_type
FROM information_schema.role_table_grants
WHERE grantee = 'user_id';

-- Find all users with any privilege on a specific table
SELECT rolname FROM pg_roles
WHERE has_table_privilege(rolname, 'schema.table', 'SELECT');

For more diagnostic queries, see diagnostic-queries.md.

Common Errors and Troubleshooting

Error Cause Solution
permission denied for table xxx Missing table privilege GRANT SELECT ON TABLE xxx TO "user";
must be the owner of table xxx Non-owner attempting DDL ALTER TABLE xxx OWNER TO "user";
permission denied for Schema xxx Missing Schema USAGE GRANT USAGE ON SCHEMA xxx TO "user";

References

Document Content
grant-revoke-reference.md Complete GRANT/REVOKE syntax reference
diagnostic-queries.md Permission diagnostic SQL collection
best-practices.md Role group planning best practices

Best Practices

  1. Never use the main account for business queries — create dedicated users
  2. Always GRANT USAGE ON SCHEMA first — without it, no table queries work
  3. Use role groups instead of per-user grants — create project_dev, project_write, project_view roles
  4. Use ALTER DEFAULT PRIVILEGES for future tables — combine with GRANT ON ALL TABLES for existing tables
  5. Regularly audit permissions with diagnostic SQL from diagnostic-queries.md
  6. Transfer ownership before dropping users — use REASSIGN OWNED BY
  7. Enable catalog RLS on V3.0+ to protect metadata visibility (hg_experimental_enable_catalog_rls)
Usage Guidance
Install only if you need Hologres database privilege administration. Before running any generated SQL, verify the target database and account, review grants to PUBLIC or ALL TABLES carefully, and require explicit approval for SUPERUSER, DROP USER, ownership-transfer, and default-privilege changes.
Capability Analysis
Type: OpenClaw Skill Name: hologres-privileges Version: 0.2.0 The skill bundle provides comprehensive instructions and SQL templates for managing Hologres privileges using the PostgreSQL expert permission model. It includes documentation on user management, role-based access control, and diagnostic queries (e.g., in references/diagnostic-queries.md). No evidence of malicious behavior, data exfiltration, or prompt injection was found; the content is strictly aligned with its stated purpose of database administration and follows standard security practices for the Hologres platform.
Capability Assessment
Purpose & Capability
Purpose and capability align: SKILL.md describes Hologres user, role, GRANT/REVOKE, ownership, and default-privilege management. These are high-impact database administration actions, but they are disclosed and central to the stated purpose.
Instruction Scope
The visible instructions are SQL examples and references, including broad examples such as SUPERUSER grants and grants to PUBLIC. They appear instructional rather than hidden or automatic, but users should require explicit review before applying them.
Install Mechanism
SKILL.md asks the user to run `pip install hologres-cli`, while the registry metadata has no install spec or required binary declaration. This is a purpose-aligned setup gap rather than evidence of malicious behavior.
Credentials
No code files, hidden endpoints, required credentials, or broad local file access are present in the provided artifacts; the expected environment dependency is a Hologres CLI/database connection.
Persistence & Privilege
The skill covers persistent database state changes such as users, roles, ownership, grants, revokes, and default privileges for future objects. That persistence is expected for a privilege-management skill, but changes can outlive the current task.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install hologres-privileges
  3. After installation, invoke the skill by name or use /hologres-privileges
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.2.0
- Added comprehensive documentation covering Hologres privilege management using the PostgreSQL standard (Expert) authorization model. - Included quick start guides for user creation, privilege grants, and diagnostics. - Detailed instructions for managing schema, table, column, and view privileges. - Explained default privileges setup for future objects. - Added common error troubleshooting, best practice recommendations, and reference links for further diagnostics and advanced scenarios.
Metadata
Slug hologres-privileges
Version 0.2.0
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is Hologres Privileges?

Hologres privilege management using PostgreSQL standard authorization model (expert permission model). Use for creating users, granting/revoking Schema/table... It is an AI Agent Skill for Claude Code / OpenClaw, with 83 downloads so far.

How do I install Hologres Privileges?

Run "/install hologres-privileges" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Hologres Privileges free?

Yes, Hologres Privileges is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Hologres Privileges support?

Hologres Privileges is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Hologres Privileges?

It is built and maintained by francis (@wenbingyu); the current version is v0.2.0.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463942 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259883 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200739 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191401 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190375 · by oswalpalash

💬 Comments