Our company recently started using PostgreSQL for application development. Users, privileges and database handling differ from MySQL in a few places, so I am noting them down here for future reference.
In PostgreSQL there is essentially no difference between a user and a role, except that a user has the LOGIN privilege for the database by default while a role does not.
A role can serve as a user or as a group.
Excerpt from the PostgreSQL manual, CREATE ROLE synopsis:
CREATE ROLE name [ [ WITH ] option [ ... ] ]
where option can be:
SUPERUSER | NOSUPERUSER
| CREATEDB | NOCREATEDB
| CREATEROLE | NOCREATEROLE
| CREATEUSER | NOCREATEUSER
| INHERIT | NOINHERIT
| LOGIN | NOLOGIN
| REPLICATION | NOREPLICATION
| BYPASSRLS | NOBYPASSRLS
| CONNECTION LIMIT connlimit
| [ ENCRYPTED | UNENCRYPTED ] PASSWORD 'password'
| VALID UNTIL 'timestamp'
| IN ROLE role_name [, ...]
| IN GROUP role_name [, ...]
| ROLE role_name [, ...]
| ADMIN role_name [, ...]
| USER role_name [, ...]
| SYSID uid
User login
Create a user
create user username;
Drop a user
drop user username;
Create a user with a password
create user username with password 'password';
Create a role
create role rolename;
A role created this way has no login privilege; try logging in as it to verify.
Drop a role
drop role rolename;
Create a role with login privilege
create role rolename login;
Create a login role with a password
create role rolename login password 'password';
Users can of course also be created with shell commands, which are not covered here.
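The commands above create roles one attribute at a time. The following is an added example, not code from the original post, that combines the CREATE ROLE options listed in the synopsis into a least-privilege layout: a NOLOGIN group role that holds privileges, a LOGIN service role that inherits them, and a human operator who may create databases but is not a superuser. All role names, the password and the expiry date are constructed placeholders.

```sql
-- Added example (not from the original post). Role names, password and
-- VALID UNTIL date are constructed placeholders.

-- Group role: holds privileges but cannot log in. NOLOGIN is already the
-- default for CREATE ROLE; it is written out so the intent is visible.
CREATE ROLE app_readers NOLOGIN;

-- Service login role, made a member of the group via IN ROLE.
-- INHERIT (the default) lets it use the group's privileges at once.
-- CONNECTION LIMIT and VALID UNTIL bound how the credential can be used.
CREATE ROLE app_svc
    LOGIN
    INHERIT
    PASSWORD 'replace-me-placeholder'
    CONNECTION LIMIT 10
    VALID UNTIL '2030-01-01'
    IN ROLE app_readers;

-- Human operator: may create databases, explicitly not a superuser.
CREATE USER dba_alice CREATEDB NOSUPERUSER PASSWORD 'replace-me-placeholder';

-- Verify the attributes that were actually set. pg_roles is readable by
-- every role and never exposes the password hash.
SELECT rolname, rolsuper, rolcreatedb, rolcanlogin, rolconnlimit, rolvaliduntil
FROM pg_roles
WHERE rolname IN ('app_readers', 'app_svc', 'dba_alice');

-- Membership check: which roles belong to app_readers?
SELECT r.rolname AS member, m.admin_option
FROM pg_auth_members m
JOIN pg_roles r ON r.oid = m.member
JOIN pg_roles g ON g.oid = m.roleid
WHERE g.rolname = 'app_readers';

-- Cleanup, members before the group they belong to:
-- DROP ROLE app_svc; DROP ROLE dba_alice; DROP ROLE app_readers;
```

Running the first SELECT after the three CREATE statements should show rolcanlogin = false for app_readers and true for the other two, rolsuper = false for all three, and rolconnlimit = 10 only for app_svc (the default is -1, unlimited). The membership query lists app_svc as the single member of app_readers.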
To create a database you must be a superuser or hold the CREATEDB privilege.
When a database is created the default template database is used; a different template can be named with TEMPLATE name. Examples follow below.
Excerpt from the PostgreSQL manual, CREATE DATABASE synopsis:
CREATE DATABASE name
[ [ WITH ] [ OWNER [=] user_name ]
[ TEMPLATE [=] template ]
[ ENCODING [=] encoding ]
[ LC_COLLATE [=] lc_collate ]
[ LC_CTYPE [=] lc_ctype ]
[ TABLESPACE [=] tablespace_name ]
[ ALLOW_CONNECTIONS [=] allowconn ]
[ CONNECTION LIMIT [=] connlimit ] ]
[ IS_TEMPLATE [=] istemplate ]
Create a database
create database databasename;
Create a database from a template database
create database databasename template templatename; -- the current login user must have CONNECT privilege on the template database
Drop a database
drop database databasename;
Create a database and specify its owner at the same time
create database databasename owner username template templatename;
Create a database that only superusers and the database owner can connect to
create database databasename owner username; -- create the database
revoke all on database databasename from public; -- take back the connect privilege from other users
grant connect on database databasename to username; -- grant the connect privilege to the user
Because CREATE DATABASE grants the CONNECT privilege to the PUBLIC role by default, a newly created database can be reached by every user. By revoking that connect privilege after creation we make the database private.
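The "private database" pattern above, carried through with verification queries, as an added example that is not part of the original post. It assumes three constructed roles: app_owner (owns the database), app_svc (should connect) and other_user (should not). The password strings are placeholders.

```sql
-- Added example (not from the original post). Role and database names
-- and the passwords are constructed placeholders.
CREATE ROLE app_owner LOGIN PASSWORD 'replace-me-placeholder';
CREATE ROLE app_svc   LOGIN PASSWORD 'replace-me-placeholder';
CREATE ROLE other_user LOGIN PASSWORD 'replace-me-placeholder';

-- CREATE DATABASE cannot run inside a transaction block; run it on its own.
CREATE DATABASE app_db OWNER app_owner;

-- By default PUBLIC receives CONNECT (and TEMP) on every new database.
-- Take that back, then grant CONNECT only to the roles that need it.
-- The owner keeps its rights implicitly and needs no extra grant.
REVOKE ALL ON DATABASE app_db FROM PUBLIC;
GRANT CONNECT ON DATABASE app_db TO app_svc;

-- Check without logging in as each role. Expected result:
--   app_owner  true  (owner)
--   app_svc    true  (explicit grant)
--   other_user false (PUBLIC no longer has CONNECT)
-- Note that superusers always get true; privilege checks do not apply to them.
SELECT rolname,
       has_database_privilege(rolname, 'app_db', 'CONNECT') AS can_connect
FROM pg_roles
WHERE rolname IN ('app_owner', 'app_svc', 'other_user')
ORDER BY rolname;

-- The stored ACL. A NULL datacl means the default applies, i.e. PUBLIC
-- can still connect; after the REVOKE it lists only the explicit grants.
SELECT datname, datacl
FROM pg_database
WHERE datname = 'app_db';
```

Revoking from PUBLIC is what does the work here; the later GRANT only re-adds the named roles. Re-running the has_database_privilege() query is a cheap way to confirm, during a review, that no database in the cluster still lets PUBLIC connect.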
Excerpt from the PostgreSQL manual, GRANT synopsis:
GRANT { { SELECT | INSERT | UPDATE | DELETE | TRUNCATE | REFERENCES | TRIGGER }
[, ...] | ALL [ PRIVILEGES ] }
ON { [ TABLE ] table_name [, ...]
| ALL TABLES IN SCHEMA schema_name [, ...] }
TO role_specification [, ...] [ WITH GRANT OPTION ]
GRANT { { SELECT | INSERT | UPDATE | REFERENCES } ( column_name [, ...] )
[, ...] | ALL [ PRIVILEGES ] ( column_name [, ...] ) }
ON [ TABLE ] table_name [, ...]
TO role_specification [, ...] [ WITH GRANT OPTION ]
GRANT { { USAGE | SELECT | UPDATE }
[, ...] | ALL [ PRIVILEGES ] }
ON { SEQUENCE sequence_name [, ...]
| ALL SEQUENCES IN SCHEMA schema_name [, ...] }
TO role_specification [, ...] [ WITH GRANT OPTION ]
GRANT { { CREATE | CONNECT | TEMPORARY | TEMP } [, ...] | ALL [ PRIVILEGES ] }
ON DATABASE database_name [, ...]
TO role_specification [, ...] [ WITH GRANT OPTION ]
GRANT { USAGE | ALL [ PRIVILEGES ] }
ON DOMAIN domain_name [, ...]
TO role_specification [, ...] [ WITH GRANT OPTION ]
GRANT { USAGE | ALL [ PRIVILEGES ] }
ON FOREIGN DATA WRAPPER fdw_name [, ...]
TO role_specification [, ...] [ WITH GRANT OPTION ]
GRANT { USAGE | ALL [ PRIVILEGES ] }
ON FOREIGN SERVER server_name [, ...]
TO role_specification [, ...] [ WITH GRANT OPTION ]
GRANT { EXECUTE | ALL [ PRIVILEGES ] }
ON { FUNCTION function_name ( [ [ argmode ] [ arg_name ] arg_type [, ...] ] ) [, ...]
| ALL FUNCTIONS IN SCHEMA schema_name [, ...] }
TO role_specification [, ...] [ WITH GRANT OPTION ]
GRANT { USAGE | ALL [ PRIVILEGES ] }
ON LANGUAGE lang_name [, ...]
TO role_specification [, ...] [ WITH GRANT OPTION ]
GRANT { { SELECT | UPDATE } [, ...] | ALL [ PRIVILEGES ] }
ON LARGE OBJECT loid [, ...]
TO role_specification [, ...] [ WITH GRANT OPTION ]
GRANT { { CREATE | USAGE } [, ...] | ALL [ PRIVILEGES ] }
ON SCHEMA schema_name [, ...]
TO role_specification [, ...] [ WITH GRANT OPTION ]
GRANT { CREATE | ALL [ PRIVILEGES ] }
ON TABLESPACE tablespace_name [, ...]
TO role_specification [, ...] [ WITH GRANT OPTION ]
GRANT { USAGE | ALL [ PRIVILEGES ] }
ON TYPE type_name [, ...]
TO role_specification [, ...] [ WITH GRANT OPTION ]
where role_specification can be:
[ GROUP ] role_name
| PUBLIC
| CURRENT_USER
| SESSION_USER
GRANT role_name [, ...] TO role_name [, ...] [ WITH ADMIN OPTION ]
Grant DML privileges on a table to one or more users
grant select,insert,update,delete,truncate on tablename to username1, username2, rolename1,rolename2;
Grant DML privileges on a table to all users
grant select,insert,update,delete,truncate on tablename to public;
Grant all privileges on a table, view, database, schema, etc. to a user
grant all privileges on tablename to username;
Grant all privileges on a table, view, database, schema, etc. to all users
grant all privileges on tablename to public;
Grant the privileges of user fire to icer
grant fire to icer;
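The grants above hand table privileges directly to users, or to PUBLIC. The following added example, not code from the original post, shows the same GRANT forms used per group role rather than per user: schema USAGE, table and sequence privileges on a schema, and role membership (the GRANT role TO role form shown with fire and icer) as the only way a login role obtains them. The schema, table and role names are constructed placeholders.

```sql
-- Added example (not from the original post). Schema, table, role names
-- and passwords are constructed placeholders.
CREATE SCHEMA app;
CREATE TABLE app.orders (
    id     serial PRIMARY KEY,
    amount numeric NOT NULL
);

-- Two group roles that hold privileges; neither can log in.
CREATE ROLE app_ro NOLOGIN;   -- read-only
CREATE ROLE app_rw NOLOGIN;   -- read-write

-- USAGE on the schema is needed before any table privilege in it is usable.
GRANT USAGE ON SCHEMA app TO app_ro, app_rw;
GRANT SELECT ON ALL TABLES IN SCHEMA app TO app_ro;
GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA app TO app_rw;
-- The sequence behind the serial column needs its own grant, otherwise
-- INSERT fails on nextval() even though the table privilege is present.
GRANT USAGE ON ALL SEQUENCES IN SCHEMA app TO app_rw;

-- Login roles receive rights only through membership (GRANT role TO role),
-- never by a direct grant on the table.
CREATE ROLE report_user LOGIN PASSWORD 'replace-me-placeholder';
CREATE ROLE api_user    LOGIN PASSWORD 'replace-me-placeholder';
GRANT app_ro TO report_user;
GRANT app_rw TO api_user;

-- Effective privileges, checked without logging in as each role. Expected:
--   api_user     can_select true   can_insert true
--   report_user  can_select true   can_insert false
SELECT rolname,
       has_table_privilege(rolname, 'app.orders', 'SELECT') AS can_select,
       has_table_privilege(rolname, 'app.orders', 'INSERT') AS can_insert
FROM pg_roles
WHERE rolname IN ('report_user', 'api_user')
ORDER BY rolname;

-- The explicit grants as recorded in the catalog: only the two group roles
-- appear as grantees, not the login roles.
SELECT grantee, privilege_type
FROM information_schema.role_table_grants
WHERE table_schema = 'app' AND table_name = 'orders'
ORDER BY grantee, privilege_type;
```

One caveat worth knowing: ALL TABLES IN SCHEMA applies to the tables that exist at the moment the GRANT runs. Tables created afterwards get no privileges from it; for those, either repeat the GRANT or set default privileges for the schema with ALTER DEFAULT PRIVILEGES.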
—— [ PostgreSQL 9.5.3 Chinese manual ]
—— [ PostgreSQL configuration tuning ]
There is plenty more material online; search around for it.