postgres中schema访问权限设置

1、数据库当前拥有的schema

postgres=# \dn+
                           List of schemas
   Name    |  Owner   |  Access privileges   |      Description       
-----------+----------+----------------------+------------------------
 my_schema | postgres | postgres=UC/postgres+| 
           |          | scott=UC/postgres   +| 
           |          | abc=U/postgres      +| 
 public    | postgres | postgres=UC/postgres+| standard public schema
           |          | =UC/postgres         | 
 u1        | postgres | postgres=UC/postgres+| 
           |          | test1=U/postgres     | 
 u2        | postgres |                      | 
(4 rows)

postgres=# 

2、创建一个新角色并赋予使用my_schema的权限

postgres=# create role aa login password 'aa';
CREATE ROLE
postgres=# 
postgres=# 
postgres=# grant USAGE on SCHEMA my_schema to aa;
GRANT
postgres=# 
postgres=# 

3、my_schema角色下面有一张T表

postgres=> \c - postgres
You are now connected to database "postgres" as user "postgres".
postgres=# \dt
        List of relations
 Schema | Name | Type  |  Owner   
--------+------+-------+----------
 public | t    | table | postgres
 public | test | table | postgres
(2 rows)

postgres=# set search_path=my_schema;
SET
postgres=# \dt
          List of relations
  Schema   | Name | Type  |  Owner   
-----------+------+-------+----------
 my_schema | t    | table | postgres
(1 row)

4、切换到aa角色,并设置search_path

postgres=# \c - aa
You are now connected to database "postgres" as user "aa".
postgres=> set search_path=my_schema;
SET
postgres=> 
postgres=> \dt
          List of relations
  Schema   | Name | Type  |  Owner   
-----------+------+-------+----------
 my_schema | t    | table | postgres
(1 row)

5、aa角色查询my_schema下面的表

postgres=> select * from my_schema.t;
ERROR:  permission denied for table t
postgres=> 
postgres=> 

6、切换到postgres用户授权t表的select权限给aa角色

postgres=> \c - postgres
You are now connected to database "postgres" as user "postgres".
postgres=# grant select on my_schema.t to aa;
GRANT
postgres=# \c - aa
You are now connected to database "postgres" as user "aa".
postgres=> select * from my_schema.t;
 id 
----
 20
(1 row)

postgres=> 

7、postgres提供了角色可以默认使用其他角色的权限的功能,看下面测试

切换到postgres用户创建一张新表test1

postgres=> \c - postgres
You are now connected to database "postgres" as user "postgres".
postgres=# 
postgres=# select * from pg_default_acl ;
 defaclrole | defaclnamespace | defaclobjtype |                   defaclacl                   
------------+-----------------+---------------+-----------------------------------------------
         10 |           24696 | r             | {scott=arwdDxt/postgres,abc=arwdDxt/postgres}
(1 row)

postgres=# create table my_schema.test1(id int); 
CREATE TABLE
postgres=# 

8、如果这个时候不执行grant select on my_schema.test1 to aa;是没有权限访问的

postgres=> \c - aa
You are now connected to database "postgres" as user "aa".
postgres=> 
postgres=> 
postgres=> select * from my_schema.test1;
ERROR:  permission denied for table test1
postgres=> 
postgres=> select * from my_schema.t;
 id 
----
 20
(1 row)

9、设置aa角色继承postgres权限

postgres=> \c - postgres
You are now connected to database "postgres" as user "postgres".
postgres=# ALTER DEFAULT PRIVILEGES for role postgres in schema my_schema grant select on tables to aa;
ALTER DEFAULT PRIVILEGE

10、再次访问test1表

postgres=# \c - aa
You are now connected to database "postgres" as user "aa".
postgres=> select * from pg_default_acl ;
 defaclrole | defaclnamespace | defaclobjtype |                          defaclacl                          
------------+-----------------+---------------+-------------------------------------------------------------
         10 |           24696 | r             | {scott=arwdDxt/postgres,abc=arwdDxt/postgres,aa=r/postgres}
(1 row)

postgres=> select *from my_schema.test1;
ERROR:  permission denied for table test1
postgres=> 

其中pg_default_acl 视图的defaclacl列就显示了类似的关系,比如 aa=r/postgres。角色aa继承了对postgres角色中namespace OID=24696的schema的读表权限。如果是读写权限则为aa=rw/postgres

postgres=# ALTER DEFAULT PRIVILEGES for role postgres in schema my_schema grant update on tables to aa;
ALTER DEFAULT PRIVILEGES
postgres=# 
postgres=# select * from pg_default_acl ;
-[ RECORD 1 ]---+-------------------------------------------------------------
defaclrole      | 10
defaclnamespace | 24696
defaclobjtype   | r
defaclacl       | {scott=arwdDxt/postgres,abc=arwdDxt/postgres,aa=rw/postgres}
postgres=> select oid,  * from pg_namespace;
  oid  |      nspname       | nspowner |                                nspacl                                 
-------+--------------------+----------+-----------------------------------------------------------------------
    99 | pg_toast           |       10 | 
 11804 | pg_temp_1          |       10 | 
 11805 | pg_toast_temp_1    |       10 | 
    11 | pg_catalog         |       10 | {postgres=UC/postgres,=U/postgres}
  2200 | public             |       10 | {postgres=UC/postgres,=UC/postgres}
 12941 | information_schema |       10 | {postgres=UC/postgres,=U/postgres}
 24714 | u2                 |       10 | 
 24713 | u1                 |       10 | {postgres=UC/postgres,test1=U/postgres}
 24696 | my_schema          |       10 | {postgres=UC/postgres,scott=UC/postgres,abc=U/postgres,aa=U/postgres}
(9 rows)

postgres=> 

11、如果postgres新建一张表,该表的select权限自己会赋予aa角色

postgres=# create table my_schema.test2(id int);
CREATE TABLE
postgres=# \c - aa
You are now connected to database "postgres" as user "aa".
postgres=> select *from my_schema.test2;
 id 
----
(0 rows)

通过步骤10、11可以看到,设置ALTER DEFAULT PRIVILEGES时对之前已经存在的表是不起作用的,只有之后创建的表的权限才能被授权成功。

你可能感兴趣的:(postgres技术分享,postgres,postgresql)