先创建一个测试用户
postgres=# create user abce with login password 'abce'; CREATE ROLE postgres=# create schema t; CREATE SCHEMA postgres=# alter default privileges in schema t grant select on tables to abce; ALTER DEFAULT PRIVILEGES postgres=#
目录表pg_user中有个列:useconfig。我们可能会觉得是存在这里:
postgres=# d pg_user View "pg_catalog.pg_user" Column | Type | Collation | Nullable | Default --------------+---------+-----------+----------+--------- usename | name | | | usesysid | oid | | | usecreatedb | boolean | | | usesuper | boolean | | | userepl | boolean | | | usebypassrls | boolean | | | passwd | text | | | valuntil | abstime | | | useconfig | text[] | | | postgres=# select * from pg_user where usename='abce'; usename | usesysid | usecreatedb | usesuper | userepl | usebypassrls | passwd | valuntil | useconfig ---------+----------+-------------+----------+---------+--------------+----------+----------+----------- abce | 74849 | f | f | f | f | ******** | | (1 row) postgres=#
但是,这里并没有存储默认的权限。
再来看看目录表pg_namespace
postgres=# select * from pg_namespace where nspname='t'; nspname | nspowner | nspacl ---------+----------+-------- t | 10 | (1 row) postgres=#
也没有存放在pg_namespace表中。但是,这里却给了我们一个提示:ACL(访问控制列表)。让我们来看看是否有相关的目录表存在:
postgres=# select * from pg_tables where tablename like '%acl%'; schemaname | tablename | tableowner | tablespace | hasindexes | hasrules | hastriggers | rowsecurity ------------+----------------+------------+------------+------------+----------+-------------+------------- pg_catalog | pg_default_acl | postgres | | t | f | f | f (1 row) postgres=#
可以看到,有个pg_default_acl目录表。
继续往下查看:
postgres=# select * from pg_default_acl where defaclnamespace='t'::regnamespace; defaclrole | defaclnamespace | defaclobjtype | defaclacl ------------+-----------------+---------------+------------------- 10 | 74850 | r | {abce=r/postgres} (1 row) postgres=#
这里“abce=r”表示用户abce在所有对象上有read的权限。
再次尝试修改abce的默认权限:
postgres=# alter default privileges in schema t grant insert on tables to abce; ALTER DEFAULT PRIVILEGES postgres=# select * from pg_default_acl where defaclnamespace='t'::regnamespace; defaclrole | defaclnamespace | defaclobjtype | defaclacl ------------+-----------------+---------------+-------------------- 10 | 74850 | r | {abce=ar/postgres} (1 row) postgres=#
现在abce就被增加a权限,a表示append(insert)。权限的缩写以及含义可以查看文档:https://www.postgresql.org/docs/current/ddl-priv.html
这里的“/postgres”表示schema的属主。
postgres=# alter user abce superuser; ALTER ROLE postgres=# c postgres abce You are now connected to database "postgres" as user "abce". postgres=# create schema t2; CREATE SCHEMA postgres=# select * from pg_default_acl where defaclnamespace='t2'::regnamespace; defaclrole | defaclnamespace | defaclobjtype | defaclacl ------------+-----------------+---------------+----------- (0 rows) postgres=# create user abce2; CREATE ROLE postgres=# alter default privileges in schema t2 grant select on tables to abce2; ALTER DEFAULT PRIVILEGES postgres=# select * from pg_default_acl where defaclnamespace='t2'::regnamespace; defaclrole | defaclnamespace | defaclobjtype | defaclacl ------------+-----------------+---------------+---------------- 74849 | 74852 | r | {abce2=r/abce} (1 row) postgres=#