如何为可以执行此操作的用户为postgresql数据库创建正确的角色树:
我查看了有关roles和default privileges的文档,但没有任何帮助我了解Postgres如何使用角色。我创建示例角色的实际脚本:
create database daba;
create role "ra" nologin noinherit; -- default read only role
grant connect on database "daba" to "ra";
grant usage on schema public to "ra" with grant option;
grant select on all tables in schema public to "ra" with grant option;
-- ingore sequences and functions now
create role "rb" nologin inherit;
grant "ra" to "rb"; -- grant connect, grant select
grant insert, update, delete on all tables in schema public to "rb" with grant option;
create role "rc" nologin inherit;
grant "rb" to "rc";
grant all privileges on schema public to "rc" with grant option;
grant all privileges on all tables in schema public to "rc" with grant option;
create role "rd" nologin inherit;
grant "rc" to "rd";
grant "postgres" to "rd";
-- default privileges for new created tables
-- only "rc" and "rd" can create table, "ra" can read it
alter default privileges for role "rc", "rd" in schema public grant select on tables to "ra" with grant option;
-- "rb" and higher can insert, update or delete also
alter default privileges for role "rc", "rd" in schema public grant insert, update, delete on tables to "rb" with grant option;
-- roles done, create users
create role "ua" login encrypted password 'ua' in role "ra";
create role "ub" login encrypted password 'ub' in role "rb";
create role "uc" login encrypted password 'uc' in role "rc";
create role "ud" login encrypted password 'ud' in role "rd";
好的,创建了角色和用户,现在使用错误进行测试:
-- connect as "ud"
create table ud_a (a numeric); -- OK
insert into ud_a values (1); -- OK
select * from ud_a; -- OK -- 1 row
-- connect as "uc"
select * from ud_a; -- SQL Error [42501]: ERROR: permission denied for relation ud_a
-- As user "uc" I cannot insert value, or drop table
insert into ud_a values (2); -- **SQL Error [42501]: ERROR: permission denied for relation ud_a**
drop table ud_a; -- **SQL Error [42501]: ERROR: must be owner of relation ud_a**
-- But I can create new table! As "uc":
create table uc_a (a numeric); -- OK
insert into uc_a values (2); -- OK
-- After this when i connect as more powerfull user - "ud"
-- I cannot even read from this table even though my user "ud" is created under role "rd" with "grant 'rc' to 'rd'":
select * from uc_a; -- SQL Error [42501]: ERROR: permission denied for relation uc_a
-- Connect as "ua" for read only return also errors for selects:
select * from ud_a; -- SQL Error [42501]: ERROR: permission denied for relation ud_a
select * from uc_a; -- SQL Error [42501]: ERROR: permission denied for relation uc_a
清洗:
-- as "postgres":
drop owned by "ud"; drop owned by "uc"; drop owned by "ub"; drop owned by "ua";
drop role "ud"; drop role "uc"; drop role "ub"; drop role "ua";
drop owned by "rd"; drop owned by "rc"; drop owned by "rb"; drop owned by "ra";
drop role "rd"; drop role "rc"; drop role "rb"; drop role "ra";
drop database daba;
我需要创建角色结构,其中用户A可以选择由用户C或D创建的所有表,并且所有用户都从高级别继承(因此可以选择用户A的所有内容也可以选择用户B,C和D)以及角色D可以删除用户在角色C下创建的表格等等......
你能帮我解决这个问题吗?