只读角色的Postgres默认权限

时间:2020-04-07 04:46:38

标签: database postgresql

我已经创建了一个PostgreSQL(版本11.5)数据库,并且我想创建两种不同类型的主要角色(readonlyreadwrite),然后将这些角色分配给个人(user1user2等)。

我一直在阅读PostgreSQL文档,并以本文为例:https://aws.amazon.com/blogs/database/managing-postgresql-users-and-roles/

但是,我无法正确设置权限。基本上,我希望角色readwrite能够在此数据库中创建他们想要的任何模式和/或表,并且我希望角色readonly能够从任何{该数据库中的模式和/或表。但是,按照下面的示例,SELECT可以创建一个表,但是user2无权访问该表。

我已经创建了以下脚本,可以作为数据库的主用户运行该脚本,以创建数据库,架构和角色。

运行SQL脚本的命令:

user1

create_db.sql的内容

psql -h <INSERT HOST HERE> -U postgres -W -f create_db.sql

脚本成功运行后,我可以以-- drop the existing database DROP DATABASE IF EXISTS new_db; -- create the database CREATE DATABASE new_db; -- connect to the database \c new_db -- create the new schema CREATE SCHEMA new_schema; -- revoke privileges from 'public' role REVOKE CREATE ON SCHEMA public FROM PUBLIC; REVOKE ALL ON DATABASE new_db FROM PUBLIC; -- create readonly role DROP ROLE IF EXISTS readonly; CREATE ROLE readonly; GRANT CONNECT ON DATABASE new_db TO readonly; GRANT USAGE ON SCHEMA new_schema TO readonly; GRANT SELECT ON ALL TABLES IN SCHEMA new_schema TO readonly; ALTER DEFAULT PRIVILEGES IN SCHEMA new_schema GRANT SELECT ON TABLES TO readonly; -- create read/write role DROP ROLE IF EXISTS readwrite; CREATE ROLE readwrite; GRANT CONNECT, CREATE ON DATABASE new_db TO readwrite; GRANT USAGE, CREATE ON SCHEMA new_schema TO readwrite; GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA new_schema TO readwrite; ALTER DEFAULT PRIVILEGES IN SCHEMA new_schema GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO readwrite; GRANT USAGE ON ALL SEQUENCES IN SCHEMA new_schema TO readwrite; ALTER DEFAULT PRIVILEGES IN SCHEMA new_schema GRANT USAGE ON SEQUENCES TO readwrite; -- create users DROP USER IF EXISTS user1; DROP USER IF EXISTS user2; CREATE USER user1 WITH PASSWORD 'password'; CREATE USER user2 WITH PASSWORD 'password'; -- grant privileges to users GRANT readonly TO user1; GRANT readwrite TO user2; 的身份运行以下脚本,以在新架构中创建表。

运行SQL脚本的命令

user2

create_table.sql的内容

psql -h <INSERT HOST HERE> -d new_db -U user2 -W -f create_.sql

现在,如果-- drop the existing table DROP TABLE IF EXISTS new_schema.new_table; -- create a new table CREATE TABLE new_schema.new_table (name VARCHAR, age INT); -- insert data into the new table INSERT INTO new_schema.new_table (name, age) VALUES ('Bob', 42); (只读)登录数据库,我希望他们能够从这个新创建的表中user1,但是,看来他们没有正确的访问权限。他们能够看到表格,但不能查询表格。

SELECT
psql -h <INSERT HOST HERE> -d new_db -U user1 -W

1 个答案:

答案 0 :(得分:0)

对于PostgreSQL 11.7,它可以进行以下修改:

  1. 这两个新创建的表都必须由 postgres 用户
    2. 创建
  2. 或运行ALTER DEFAULT PRIVILEGES IN SCHEMA new_schema GRANT SELECT ON TABLES TO readonly;必须由 user2 运行。

例如,如果我以user2的身份运行create_table.sql,并进行了上述修改:

ALTER DEFAULT PRIVILEGES IN SCHEMA new_schema GRANT SELECT ON TABLES TO readonly;
ALTER DEFAULT PRIVILEGES

CREATE TABLE new_schema.new_table (name VARCHAR, age INT);
CREATE TABLE

INSERT INTO new_schema.new_table (name, age) VALUES ('Bob', 42);
INSERT 0 1

$ psql -U user1 -d new_db
psql (11.7)
Type "help" for help.

new_db=> select * from new_schema.new_table;
 name | age 
------+-----
 Bob  |  42
(1 row)


new_db=> \dp+ new_schema.new_table;
                                  Access privileges
   Schema   |   Name    | Type  |  Access privileges  | Column privileges | Policies 
------------+-----------+-------+---------------------+-------------------+----------
 new_schema | new_table | table | readonly=r/user2   +|                   | 
            |           |       | user2=arwdDxt/user2 |                   | 
(1 row)

我知道ALTER DEFAULT特权必须由将来涉及的对象的所有者运行。

相关问题
最新问题