PostgreSQL roles and databases
PostgreSQL manages access to a database through "roles". My understanding of a "role" is: role = group + user, or group/user = role, for the following reasons:
user = role: a user is simply a role that has the LOGIN privilege
group = role: the clearest evidence is that the ROLE parameter of the CREATE ROLE command turns the newly defined role into a group
public is a special role: you cannot normally log in to the database as public, but it really does exist, and by default it holds:
Database: CONNECT and TEMP/TEMPORARY privileges, independent of schema
public schema: USAGE and CREATE privileges, independent of database
Functions: EXECUTE privilege, limited to the public schema
Languages: USAGE privilege, independent of schema
More importantly, public is a global role. This means every role you create can be regarded as a member of the public group, and inheritance of public's privileges is completely outside the control of NOINHERIT. As soon as you create a role with the LOGIN privilege it immediately inherits the privileges above, and if you then try to take them back with REVOKE (for example REVOKE CONNECT ON DATABASE ...) it will not succeed, because the privileges arrive through group-to-member inheritance. Privileges inherited this way cannot be revoked by simply revoking from the member role; they can only be revoked from the group, and the removal then reaches the members through the same inheritance.
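To see where these privileges actually come from, the following queries decode the ACLs that psql prints in \l+ and \dn+ and then check a role's effective privileges. This is an added example and not part of the original post; it assumes a database db1 and a login role role1 (as in the experiments), and a session connected to db1.

```sql
-- Added example, not from the original post. Assumes a database db1 and a
-- login role role1 (as in the experiments), and a session connected to db1.

-- 1. Database ACL. aclexplode() turns the datacl array into one row per
--    (grantee, privilege); grantee 0 is PUBLIC. An empty "Access privileges"
--    column in \l+ means datacl is NULL and the built-in default applies
--    (owner holds everything, PUBLIC holds CONNECT and TEMPORARY), which the
--    LEFT JOIN surfaces as a single row with a NULL grantee.
SELECT d.datname,
       CASE
         WHEN a.grantee IS NULL THEN '(no explicit ACL: built-in default)'
         WHEN a.grantee = 0     THEN 'PUBLIC'
         ELSE a.grantee::regrole::text
       END AS grantee,
       a.privilege_type
FROM pg_database d
LEFT JOIN LATERAL aclexplode(d.datacl) a ON true
WHERE d.datname = 'db1';

-- 2. Schema ACL. The "=UC/lihao" entry that \dn+ prints is the pair of rows
--    with grantee PUBLIC and privilege_type USAGE / CREATE.
SELECT n.nspname,
       CASE WHEN a.grantee = 0 THEN 'PUBLIC' ELSE a.grantee::regrole::text END AS grantee,
       a.privilege_type,
       a.grantor::regrole AS grantor
FROM pg_namespace n
LEFT JOIN LATERAL aclexplode(n.nspacl) a ON true
WHERE n.nspname = 'public';

-- 3. Effective privileges of role1. Every call returns true although role1
--    was never granted anything directly. NOINHERIT makes no difference here,
--    because PUBLIC grants are matched for every role directly by the ACL
--    check rather than through role membership.
SELECT has_database_privilege('role1', 'db1', 'CONNECT')  AS can_connect,
       has_database_privilege('role1', 'db1', 'TEMP')     AS can_create_temp,
       has_schema_privilege('role1', 'public', 'USAGE')   AS can_use_public,
       has_schema_privilege('role1', 'public', 'CREATE')  AS can_create_in_public,
       has_language_privilege('role1', 'sql', 'USAGE')    AS can_use_sql_language;
```

The has_schema_privilege() call only looks at the schema in the database you are connected to, which is why the schema-level privileges are per database while the database-level ones live in the cluster-wide pg_database catalog. One caveat: the =UC/lihao entry shown by \dn+ below is what releases before PostgreSQL 15 install by default; from 15 onward the public schema no longer grants CREATE to PUBLIC, so the can_create_in_public column comes back false on a fresh database there.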
// Experiment 1: the public role does not exist, yet it affects newly created roles
1. Verify that the public role does not exist
lihao=# create database db1 owner "lihao";
CREATE DATABASE
lihao=# \du+
List of roles
Role name | Attributes | Member of | Description
-----------+--------------------------------------------------------+--------------+-------------
lihao | Superuser, Create role, Create DB, Replication | {} |
lihao=# \c db1 public
FATAL: role "public" does not exist
Previous connection kept
2. Verify that public's privileges are inherited by default by a newly created user
lihao=# create role role1 login password '123456';
CREATE ROLE
lihao=# \du+
List of roles
Role name | Attributes | Member of | Description
-----------+------------------------------------------------+-----------+-------------
lihao | Superuser, Create role, Create DB, Replication | {} |
role1 | | {} |
lihao=# \l+
List of databases
Name | Owner | Encoding | Collate | Ctype | Access privileges | Size | Tablespace | Description
-----------+-------+----------+-------------+-------------+-------------------+---------+------------+-------------
db1 | lihao | UTF8 | en_US.UTF-8 | en_US.UTF-8 | | 6625 kB | pg_default |
lihao=# \c db1 role1
You are now connected to database "db1" as user "role1"
db1=> \dn+
List of schemas
Name | Owner | Access privileges | Description
---------+--------------+----------------------+------------------------
public | lihao | lihao=UC/lihao | standard public schema
| | =UC/lihao |
(1 row)
db1=> create temp table t1 (id int);
CREATE TABLE
db1=> create table t2 (id int);
CREATE TABLE
db1=> \d
List of relations
Schema | Name | Type | Owner
-----------+--------------------------+----------+-------
pg_temp_3 | t1 | table | role1?
public | t2 | table | role1
// No privileges were granted when the role was created, yet it clearly has them; now use REVOKE to see whether they can be taken back
db1=> \c db1 lihao
You are now connected to database "db1" as user "lihao".
db1=# revoke connect on database db1 from role1;
REVOKE
db1=# revoke create on schema public from role1;
REVOKE
db1=# \c db1 role1
You are now connected to database "db1" as user "role1".
db1=> create table t3 (id int);
CREATE TABLE
db1=> \d
List of relations
Schema | Name | Type | Owner
-----------+--------------------------+----------+-------
pg_temp_3 | t1 | table | role1
public | t2 | table | role1
public | t3 | table | role1
3. Verify NOINHERIT
db1=> \c db1 lihao
You are now connected to database "db1" as user "lihao".
db1=# create role role2 login noinherit password '123456';
CREATE ROLE
db1=# \c db1 role2
You are now connected to database "db1" as user "role2".
db1=> create table t4 (id int);
CREATE TABLE
db1=> \d
List of relations
Schema | Name | Type | Owner
-----------+--------------------------+----------+-------
pg_temp_3 | t1 | table | role1
public | t2 | table | role1
public | t3 | table | role1
public | t4 | table | role2
Experiment 1 shows that a newly created user, although granted nothing, holds the privileges listed above by default. Suspecting inheritance, we tested with REVOKE, but REVOKE clearly had no effect even though the command reported success (the same REVOKE in Oracle would raise an error saying the user was never granted that privilege and it cannot be revoked), and a second role created with NOINHERIT could still use these privileges.
The solution is to revoke these privileges from the public role itself: run REVOKE ALL ON SCHEMA public FROM PUBLIC; and REVOKE ALL ON DATABASE DB_NAME FROM PUBLIC;. Roles created both before and after these commands lose all privileges on the database in which they were executed and on that database's public schema, but access to other databases and their public schemas is unaffected.
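The revoke-from-PUBLIC fix just described, as an added example that is not part of the original post, extended with the least-privilege regrant that usually has to follow it and a check that a role which received no explicit grant has lost access. It assumes database db1 and the login roles role1 and role2 from the experiments, and is run by the owner of db1 (or a superuser) while connected to db1.

```sql
-- Added example, not from the original post. Assumes database db1 and the
-- login roles role1 and role2 from the experiments; run by the owner of db1
-- (or a superuser) while connected to db1.
BEGIN;

-- 1. Take the implicit privileges away from PUBLIC. This is what the post
--    prescribes; afterwards no role connects to db1, creates temp tables, or
--    uses/creates in the public schema unless it is granted that explicitly.
REVOKE ALL ON DATABASE db1 FROM PUBLIC;
REVOKE ALL ON SCHEMA public FROM PUBLIC;

-- 2. Grant back the minimum to the roles that actually need it. role1 is the
--    application account: it may connect and resolve objects in public, but
--    may not create there (no CREATE) and may not create temp tables (no TEMP).
GRANT CONNECT ON DATABASE db1 TO role1;
GRANT USAGE ON SCHEMA public TO role1;

COMMIT;

-- 3. Check the result. role1 keeps exactly what was regranted; role2, which
--    received no explicit grant, has lost everything it previously had
--    through PUBLIC. The owner lihao is unaffected because it is a superuser.
SELECT r.rolname,
       has_database_privilege(r.rolname, 'db1', 'CONNECT')  AS can_connect,
       has_database_privilege(r.rolname, 'db1', 'TEMP')     AS can_create_temp,
       has_schema_privilege(r.rolname, 'public', 'USAGE')   AS can_use_public,
       has_schema_privilege(r.rolname, 'public', 'CREATE')  AS can_create_in_public
FROM pg_roles r
WHERE r.rolname IN ('lihao', 'role1', 'role2')
ORDER BY r.rolname;
```

GRANT and REVOKE are transactional, so wrapping the revoke and the regrant in one transaction avoids a window in which role1 is locked out. The database-level REVOKE names db1 explicitly and therefore touches only that database, while the schema-level REVOKE applies only to the public schema of the database you are connected to; that is why the post observes that other databases are unaffected. To make the restriction the default for databases created later, run the same two REVOKEs in template1, since new databases are cloned from it.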
// Experiment 2: verify REVOKE on the public role
Experiment 2 shows that revoking from the public role gives full control over role privileges, and that this control is limited to the current database and has no effect on other databases.
From experiments 1 and 2 we can draw the following conclusions:
A global public role exists in every database; it has no concrete existence, yet it affects the privileges of every existing and future role
public behaves like a group named public, and every role in the database inherits its privileges by default
Privileges a role inherits cannot be revoked from the role alone; that will not succeed. They can only be revoked from the group the role belongs to