我正在尝试第一次创建Postgres数据库,所以这可能是一个愚蠢的问题。我为必须从我的php脚本访问数据库的db角色分配了基本的只读权限,我有一个好奇心:如果我执行
GRANT some_or_all_privileges ON ALL TABLES IN SCHEMA schema TO role;
是否还需要执行
GRANT USAGE ON SCHEMA schema TO role;
USAGE:对于模式,允许访问包含在中的对象 指定的模式(假设对象拥有自己的权限 要求也得到满足)。从本质上讲,这允许受让人 在模式中“查找”对象。
我认为如果我可以选择或操作模式中包含的任何数据,我就可以访问模式本身的任何对象。我错了吗?如果没有,GRANT USAGE ON SCHEMA用于什么?文档的含义是什么“假设对象的自身权限要求也得到满足”?
答案 0 :(得分:95)
GRANT是分开的。对数据库GRANT不具有GRANT对模式的权限。同样地,GRANT在模式上不会授予对表中的表的权限。
如果您拥有表中SELECT的权限,但无权在包含该表的架构中查看它,则无法访问该表。
权利测试按顺序进行:
Do you have `USAGE` on the schema?
No: Reject access.
Yes: Do you also have the appropriate rights on the table?
No: Reject access.
Yes: Check column privileges.
您的混淆可能源于public架构对角色GRANT的所有权限的默认public这一事实,每个用户/组都是该角色的成员。所以每个人都已经在该架构上使用过。
短语:
(假设还满足了对象自己的权限要求)
是说您必须在架构上使用USAGE才能在其中使用对象,但在架构上使用USAGE本身不足以使用架构中的对象,您还必须拥有对象本身的权利。
它就像一个目录树。如果您在其中创建一个文件somedir的目录somefile,则将其设置为只有您自己的用户才能访问目录或文件(模式rwx------,模式{{1然后没有其他人可以列出目录以查看该文件是否存在。
如果要授予文件的全局读取权限(模式rw-------)但不更改目录权限,则无效。没有人可以看到该文件以便阅读它,因为他们没有列出目录的权利。
如果您在目录上设置rw-r--r--,设置它以便人们可以列出并遍历目录但不更改文件权限,人们可以列出该文件但不能读取它,因为他们无法访问该文件。
您需要为人们设置两个权限才能真正查看该文件。
同样的事情在Pg。您需要模式rwx-r-xr-x权限和对象权限才能对对象执行操作,例如表中的USAGE。
(类比有点下降,因为PostgreSQL还没有行级安全性,因此用户仍然可以通过{{1}来SELECT“看到”该表存在于模式中但是,他们不能以任何方式与它进行交互,所以它只是“列表”部分并不完全相同。)
答案 1 :(得分:56)
对于生产系统,您可以使用此配置:
--ACCESS DB
REVOKE CONNECT ON DATABASE nova FROM PUBLIC;
GRANT CONNECT ON DATABASE nova TO user;
--ACCESS SCHEMA
REVOKE ALL ON SCHEMA public FROM PUBLIC;
GRANT USAGE ON SCHEMA public TO user;
--ACCESS TABLES
REVOKE ALL ON ALL TABLES IN SCHEMA public FROM PUBLIC ;
GRANT SELECT ON ALL TABLES IN SCHEMA public TO read_only ;
GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA public TO read_write ;
GRANT ALL ON ALL TABLES IN SCHEMA public TO admin ;
答案 2 :(得分:0)
好吧,这是我针对Linux的简单数据库的最终解决方案:
# Read this before!
#
# * roles in postgres are users, and can be used also as group of users
# * $ROLE_LOCAL will be the user that access the db for maintenance and
# administration. $ROLE_REMOTE will be the user that access the db from the webapp
# * you have to change '$ROLE_LOCAL', '$ROLE_REMOTE' and '$DB'
# strings with your desired names
# * it's preferable that $ROLE_LOCAL == $DB
#-------------------------------------------------------------------------------
//----------- SKIP THIS PART UNTIL POSTGRES JDBC ADDS SCRAM - START ----------//
cd /etc/postgresql/$VERSION/main
sudo cp pg_hba.conf pg_hba.conf_bak
sudo -e pg_hba.conf
# change all `md5` with `scram-sha-256`
# save and exit
//------------ SKIP THIS PART UNTIL POSTGRES JDBC ADDS SCRAM - END -----------//
sudo -u postgres psql
# in psql:
create role $ROLE_LOCAL login createdb;
\password $ROLE_LOCAL
create role $ROLE_REMOTE login;
\password $ROLE_REMOTE
create database $DB owner $ROLE_LOCAL encoding "utf8";
\connect $DB
# Create all tables and objects, and after that:
revoke connect on database $DB from public;
revoke all on schema public from public;
revoke all on all tables in schema public from public;
grant connect on database $DB to $ROLE_LOCAL;
grant all on schema public to $ROLE_LOCAL;
grant all on all tables in schema public to $ROLE_LOCAL;
grant all on all sequences in schema public to $ROLE_LOCAL;
grant all on all functions in schema public to $ROLE_LOCAL;
grant connect on database $DB to $ROLE_REMOTE;
grant usage on schema public to $ROLE_REMOTE;
grant select, insert, update, delete on all tables in schema public to $ROLE_REMOTE;
grant usage, select on all sequences in schema public to $ROLE_REMOTE;
grant execute on all functions in schema public to $ROLE_REMOTE;
alter default privileges for role $ROLE_LOCAL in schema public
grant all on tables to $ROLE_LOCAL;
alter default privileges for role $ROLE_LOCAL in schema public
grant all on sequences to $ROLE_LOCAL;
alter default privileges for role $ROLE_LOCAL in schema public
grant all on functions to $ROLE_LOCAL;
alter default privileges for role $ROLE_REMOTE in schema public
grant select, insert, update, delete on tables to $ROLE_REMOTE;
alter default privileges for role $ROLE_REMOTE in schema public
grant usage, select on sequences to $ROLE_REMOTE;
alter default privileges for role $ROLE_REMOTE in schema public
grant execute on functions to $ROLE_REMOTE;
# CTRL+D