Greeplum 系列(七) 权限管理
一、角色管理
Role 分为用户(User)和组(Group),用户有 login 权限,组用来管理用户,一般不会有 login 权限。初始化 gp 时创建了一个 SUPERUSER ROLE:gpadmin。
表 1 :ALTER ROLE 属性
| 属性 | 说明 |
|---|---|
| SUPERUSER/NOSUPERUSER | 超级管理员,默认 NOSUPERUSER |
| CREATEDB/OCREATEDB | 创建数据库的权限 |
| CREATEROLE/NOCREATEROLE | 创建角色的权限 |
| INHERIT/NOINHERIT | 继承组或父用户的权限 |
| LOGIN/NOLOGIN | 登陆 |
| CONNECTION LIMIT connlimit | 限制连接数 |
| PASSWORD 'password' | 密码 |
| ENCRYPTED/UNENCRYPTED | 是否加密 |
| VALID UNTIL 'timestamp' | 帐户有效期 |
| RESOURCE QUEUE queue_name | 资源队列 |
| DENY {deny_interval/deny_point} | 拒绝某些连接 |
(1) 创建用户
create role lei with login; # 创建用户
drop owned by lei; # 删除用户
reassign owned by oldUser to newUser; # 将 oldUser 的权限赋予 newUser
alter role lei password '123456'; # 修改密码
alter role lei valid until 'infinity'; # 永不失效
alter role lei deny day 'Sunday';
alter role lei resource queue queue1;
alter role lei set search_path to sc01,public;
(2) 创建组
# 创建组
create role admin createrole createdb;
# 添加或删除组成员
grant admin to lei;
revoke admin from lei;
# 赋予合适的权限给组 admin
grant all on table mytable to admin;
grant all on schema myschema to admin;
grant all on database mydb to admin;
# 获取管理属性
set role admin;
(3) 对象权限管理
表 2 :对象权限
| 属性 | 说明 |
|---|---|
| Tables、Views、Sequences | SELECT、INSERT、UPDATE、DELETE、RULE、ALL |
| External Tables | SELECT、RULE、ALL |
| Databases | CONNECT、CREATE |
| TEMPORARY、TEMP | ALL |
| Functions | EXECUTE |
| Procedural Languages | USAGE |
| Schemas | CREATE、USAGE |
(4) 基于时间的登录认证
通过 BETWEEN 和 AND 关键字连接两个日期/时间。
BETWEEN DAY 'Monday' AND DAY 'Tuesday'
BETWEEN DAY 'Monday' TIME '00:00' AND DAY 'Monday' TIME '01:00'
BETWEEN DAY 'Monday' TIME '12:00 AM' AND DAY 'Tuesday' TIME '02:00 AM'
BETWEEN DAY 'Monday' TIME '00:00' AND DAY 'Tuesday' TIME '02:00'
BETWEEN DAY 1 TIME '00:00' AND DAY 2 TIME '02:00'
注意:日期间隔不能跨 Saturday(周六)
Incorrect: DENY BETWEEN DAY 'Saturday' AND DAY 'Sunday'
删除时间约束,原则:有交集即移出
ALTER ROLE dylan DROP DENY FOR DAY ‘Monday’;
(5) 配置客户端认证
修改 $MASTER_DATA_DIRECTORY/pg_hba.conf
# local(本地)/host(远程) dbname role authmethod
local all gpadmin ident
host all gpadmin 127.0.0.1/28 trust
host all gpadmin 192.168.2.110/32 trust
host all gpadmin ::1/128 trust
host all gpadmin fe80::250:56ff:fe2a:552a/128 trust
local replication gpadmin ident
host replication gpadmin samenet trust
host all gpadmin 0.0.0.0/0 md5
host all lei 0.0.0.0/0 md5
local all lei trust
重新加载 pg_hba.conf 使修改生效
gpstop –u
二、配置客户端($MASTER_DATA_DIRECTORY/postgresql.conf)
postgresql.conf 是 Greenplum 中一个重要的配制文件,下面介绍几个重要的配制项。
# 限制并发操作的连接的两个配制
max_connections = 250 # 最大连接数,Segment 最少是 Master 的 3 倍
max_prepared_transactions = 250 # 最大事务
每天用心记录一点点。内容也许不重要,但习惯很重要!