PostgreSQL中的角色浅析
原本角色相关的单词都是能够小写的,为了表示重要性,本文中所有大写。html
ROLE的概念sql
PostgreSQL经过Role的概念管理数据库的访问权限。数据库
ROLE能够拥有数据库对象,如表、函数,也能够GRANT相关权限给其余ROLE。安全
Role能够被当作User使用,也能够当作Group使用,或者既是User也是Group,彻底看这个Role如何设置。session
PG 8.1版本以前还有User和Group的概念,以后都纳入Role。函数
ROLE的分类:post
一、按数量,分类普通ROLE和GROUP测试
二、按权限大小,分为:ROLE、USER、ADMIN、SUPERUSERui
GROUPspa
在GP系统的用户管理中,一般会把多个ROLE赋予一个GROUP,这样能够对该GROUP中的ROLE作批量的权限操做。
在设置权限时只需给该组设置便可,撤销权限时也是从该组撤消。在PostgreSQL中,首先须要建立一个表明组的角色,以后再将该角色的membership权限赋给独立的用户角色便可。
GROUP关系demo:
rathandb=# CREATE ROLE rathan_group_test;
NOTICE: resource queue required -- using default resource queue "pg_default"
CREATE ROLE
rathandb=# CREATE ROLE rathan_group_member IN ROLE rathan_group_test INHERIT;
NOTICE: resource queue required -- using default resource queue "pg_default"
CREATE ROLE
rathandb=# CREATE ROLE rathan_group_member2 IN ROLE rathan_group_test;
NOTICE: resource queue required -- using default resource queue "pg_default"
CREATE ROLE
rathandb=# CREATE ROLE rathan_no_group_member;
NOTICE: resource queue required -- using default resource queue "pg_default"
CREATE ROLE
rathandb=# \du+ rathan_*;
List of roles
Role name | Attributes | Member of | Description
------------------------+--------------+---------------------+-------------
rathan_group_member | Cannot login | {rathan_group_test} |
rathan_group_member2 | Cannot login | {rathan_group_test} |
rathan_group_test | Cannot login | |
rathan_no_group_member | Cannot login | |
rathandb=# ALTER ROLE rathan_no_group_member IN ROLE rathan_group_test;
ERROR: option "addroleto" not recognized (user.c:813)
rathandb=# GRANT rathan_group_test TO rathan_no_group_member;
GRANT ROLE
List of roles
Role name | Attributes | Member of | Description
------------------------+-------------------------+---------------------+-------------
rathan_group_member | Cannot login | {rathan_group_test} |
rathan_group_member2 | Cannot login | {rathan_group_test} |
rathan_group_test | | |
rathan_no_group_member | Cannot login | {rathan_group_test} |
rathandb=# REVOKE rathan_group_test FROM rathan_no_group_member;
rathandb=# \du+ rathan_*;
List of roles
Role name | Attributes | Member of | Description
------------------------+-------------------------+---------------------+-------------
rathan_group_member | Cannot login | {rathan_group_test} |
rathan_group_member2 | Cannot login | {rathan_group_test} |
rathan_group_test | | |
rathan_no_group_member | Cannot login | |
rathandb=# DROP ROLE rathan_group_test;
rathandb=# \du+ rathan_*;
List of roles
Role name | Attributes | Member of | Description
------------------------+-------------------------+---------------------+-------------
rathan_group_member | Cannot login | |
rathan_group_member2 | Cannot login | |
rathan_no_group_member | Cannot login | |
LOGIN赋权操做:
rathandb=# ALTER ROLE rathan_group_test WITH LOGIN;
ALTER ROLE
rathandb=# \du+ rathan_*;
List of roles
Role name | Attributes | Member of | Description
------------------------+--------------+---------------------+-------------
rathan_group_member | Cannot login | {rathan_group_test} |
rathan_group_test | | |
rathan_no_group_member | Cannot login | |
rathan_group_member继承了rathan_group_test的权限,为何仍是没有login属性?
由于角色属性LOGIN、SUPERUSER和CREATEROLE被视为特殊权限,它们不会像其它数据库对象的普通权限那样被继承。
ROLE与USER:
USER表示带有LOGIN属性的ROLE。
CREATE ROLE建立的用户默认不带LOGIN属性,而CREATE USER建立的用户默认带有LOGIN属性。
LOGIN权限demo:
rathandb=# CREATE ROLE rathan_role_test; NOTICE: resource queue required -- using default resource queue "pg_default" CREATE ROLE rathandb=# CREATE USER rathan_user_test; NOTICE: resource queue required -- using default resource queue "pg_default" CREATE ROLE rathandb=# \du+ rathan_*; List of roles Role name | Attributes | Member of | Description -------------------+--------------+---------------------+------------- rathan_group_test | | | rathan_role_test | Cannot login | | rathan_user_test | | |
SUPERUSER
一、只有SUPERUSER能够建立SUPERUSER,SUPERUSER能够改写全部的database限制。
二、数据库的超级用户拥有该数据库的全部权限,为了安全起见,咱们最好使用非超级用户完成咱们的正常工做。和建立普通用户不一样,建立超级用户必须是以超级用户的身份执行如下命令:
rathandb=# CREATE ROLE rathan_normal_role; rathandb=# CREATE ROLE rathan_superuser WITH SUPERUSER; CREATE ROLE rathandb=# CREATE ROLE rathan_superuser2 WITH SUPERUSER LOGIN; CREATE ROLE rathandb=# \du+ rathan_*; List of roles Role name | Attributes | Member of | Description ------------------------+-------------------------+---------------------+------------- rathan_normal_role | Cannot login | | rathan_superuser | Superuser, Cannot login | | rathan_superuser2 | Superuser | |
ADMIN
能够GRANT GROUP TO 其余ROLE,或者REVOKE GROUP FROM 其余ROLE。
ADMIN权限demo:
rathandb=# SET SESSION AUTHORIZATION 'gpadmin';
rathandb=# CREATE ROLE rathan_role_admin IN ROLE rathan_group_test;
rathandb=# CREATE ROLE rathan_role_no_admin IN ROLE rathan_group_test;
rathandb=# CREATE ROLE rathan_role_test IN ROLE rathan_group_test;
rathandb=# GRANT rathan_group_test TO rathan_role_admin WITH ADMIN OPTION;
rathandb=# \du+ rathan_*;
List of roles
Role name | Attributes | Member of | Description
----------------------+--------------+---------------------+-------------
rathan_group_test | | |
rathan_role_admin | Cannot login | {rathan_group_test} |
rathan_role_no_admin | Cannot login | {rathan_group_test} |
rathan_role_test | Cannot login | {rathan_group_test} |
rathandb=# SET SESSION AUTHORIZATION 'rathan_role_admin';
rathandb=# SELECT SESSION_USER, CURRENT_USER;
session_user | current_user
-------------------+-------------------
rathan_role_admin | rathan_role_admin
(1 row)
rathandb=# REVOKE rathan_group_test FROM rathan_role_test;
REVOKE ROLE
rathandb=# \du+ rathan_role_test;
List of roles
Role name | Attributes | Member of | Description
-------------------+--------------+-----------+-------------
rathan_role_test | Cannot login | |
rathandb=# GRANT rathan_group_test TO rathan_role_test;
GRANT ROLE
rathandb=# SET SESSION AUTHORIZATION 'rathan_role_no_admin';
SET
rathandb=# SELECT SESSION_USER, CURRENT_USER;
session_user | current_user
----------------------+----------------------
rathan_role_no_admin | rathan_role_no_admin
(1 row)
rathandb=# REVOKE rathan_group_test FROM rathan_role_test;
ERROR: must have admin option on role "rathan_group_test"
补充:
设置默认schema:
ALTER USER username SET search_path = schema1,schema2,schema3,etc;
关于一点点权限:
默认状况下,只有建立database的ROLE才有权限对database作全量操做;
Superuser能够访问全部的object。其余帐号想要使用须要被GRANT权限;
权限分类: SELECT, INSERT, UPDATE, DELETE, REFERENCES, TRIGGER, CREATE, CONNECT, TEMPORARY, EXECUTE, and USAGE.
上述权限所有GRANT的话能够用ALL代替。
本文中的测试环境:
psql --version psql (PostgreSQL) 8.2.15
相关官方文档:
角色:
http://www.postgresql.org/docs/8.2/static/user-manag.html
命令:
CREATE ROLE、ALTER ROLE、DROP ROLE、GRANT、REVOKE、SET ROLE、SET SESSION AUTHORIZATION
权限:
相关文章
- 1. PostgreSQL角色(二)
- 2. PostgreSQL角色(一)
- 3. PostgreSQL 角色管理
- 4. 在Postgresql中添加新角色(Role)
- 5. PostgreSQL 角色权限管理
- 6. PostgreSql角色、用户建立
- 7. PostgreSQL-角色、库、模式、表
- 8. PostgreSQL 用户、角色、权限管理
- 9. PostgreSQL 用户和角色管理
- 10. PostgreSQL 角色与用户管理介绍
- 更多相关文章...
- • PHP imagecolorclosesthwb - 取得与指定的颜色最接近的色度的黑白色的索引 - PHP参考手册
- • Spring中Bean的作用域 - Spring教程
- • 互联网组织的未来:剖析GitHub员工的任性之源
- • C# 中 foreach 遍历的用法
相关标签/搜索
每日一句
-
每一个你不满意的现在,都有一个你没有努力的曾经。
最新文章
- 1. 融合阿里云,牛客助您找到心仪好工作
- 2. 解决jdbc(jdbctemplate)在测试类时不报错在TomCatb部署后报错
- 3. 解决PyCharm GoLand IntelliJ 等 JetBrains 系列 IDE无法输入中文
- 4. vue+ant design中关于图片请求不显示的问题。
- 5. insufficient memory && Native memory allocation (malloc) failed
- 6. 解决IDEA用Maven创建的Web工程不能创建Java Class文件的问题
- 7. [已解决] Error: Cannot download ‘https://start.spring.io/starter.zip?
- 8. 在idea让java文件夹正常使用
- 9. Eclipse启动提示“subversive connector discovery”
- 10. 帅某-技巧-快速转帖博主文章(article_content)
欢迎关注本站公众号,获取更多信息
