  • Greenplum Series (7): Permission Management

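    I. Role Management

    Roles are divided into users and groups. A user has the LOGIN privilege; a group is used to manage users and normally does not have LOGIN. Initializing Greenplum creates one SUPERUSER role: gpadmin.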

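    Table 1: ALTER ROLE attributes

    Attribute                        Description
    SUPERUSER/NOSUPERUSER            Superuser; the default is NOSUPERUSER
    CREATEDB/NOCREATEDB              Permission to create databases
    CREATEROLE/NOCREATEROLE          Permission to create roles
    INHERIT/NOINHERIT                Inherit the privileges of the group or parent role
    LOGIN/NOLOGIN                    Permission to log in
    CONNECTION LIMIT connlimit       Limit on the number of connections
    PASSWORD 'password'              Password
    ENCRYPTED/UNENCRYPTED            Whether the password is stored encrypted
    VALID UNTIL 'timestamp'          Account validity period
    RESOURCE QUEUE queue_name        Resource queue
    DENY {deny_interval/deny_point}  Deny certain connections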

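    (1) Creating users

    create role lei with login;                      -- create a user (a role that can log in)
    drop owned by lei;                               -- drop the objects lei owns and revoke its privileges; DROP ROLE lei then removes the user
    reassign owned by oldUser to newUser;            -- transfer ownership of oldUser's objects to newUser
    alter role lei password '123456';                -- change the password
    alter role lei valid until 'infinity';           -- never expires
    alter role lei deny day 'Sunday';                -- refuse logins on Sundays
    alter role lei resource queue queue1;            -- assign the role to resource queue queue1
    alter role lei set search_path to sc01,public;   -- default search_path for the role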
    

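    (2) Creating groups

    -- create a group
    create role admin createrole createdb;
    -- add or remove a group member
    grant admin to lei;
    revoke admin from lei;
    -- grant the appropriate privileges to the group admin
    grant all on table mytable to admin;
    grant all on schema myschema to admin;
    grant all on database mydb to admin;
    -- switch to the group role to use its administrative attributes (CREATEROLE and CREATEDB are not inherited by members)
    set role admin;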
    

    (3) Managing object privileges

    Table 2: Object privileges

    Object type                  Privileges
    Tables, Views, Sequences     SELECT, INSERT, UPDATE, DELETE, RULE, ALL
    External Tables              SELECT, RULE, ALL
    Databases                    CONNECT, CREATE, TEMPORARY | TEMP, ALL
    Functions                    EXECUTE
    Procedural Languages         USAGE
    Schemas                      CREATE, USAGE

    (4) Time-based login authentication

    An interval is written as two day/time points joined by the BETWEEN and AND keywords.

    BETWEEN DAY 'Monday' AND DAY 'Tuesday'
    BETWEEN DAY 'Monday' TIME '00:00' AND DAY 'Monday' TIME '01:00'
    BETWEEN DAY 'Monday' TIME '12:00 AM' AND DAY 'Tuesday' TIME '02:00 AM'
    BETWEEN DAY 'Monday' TIME '00:00' AND DAY 'Tuesday' TIME '02:00' 
    BETWEEN DAY 1 TIME '00:00' AND DAY 2 TIME '02:00'
    

    Note: an interval cannot wrap around past Saturday.

    Incorrect: DENY BETWEEN DAY 'Saturday' AND DAY 'Sunday'
    

    Removing a time constraint. The rule: any constraint that overlaps the specified day/time is removed.

    ALTER ROLE dylan DROP DENY FOR DAY 'Monday';
    

    (5) Configuring client authentication

    Edit $MASTER_DATA_DIRECTORY/pg_hba.conf

    # local / host (remote)   dbname   role   [address]   authmethod
    # Records are checked top to bottom; the first matching record decides the method.
    # trust means no password is requested.
    local    all          gpadmin                                       ident
    host     all          gpadmin    127.0.0.1/28                       trust
    host     all          gpadmin    192.168.2.110/32                   trust
    host     all          gpadmin    ::1/128                            trust
    host     all          gpadmin    fe80::250:56ff:fe2a:552a/128       trust
    local    replication  gpadmin                                       ident
    host     replication  gpadmin    samenet                            trust
    host     all          gpadmin    0.0.0.0/0                          md5
    host     all          lei        0.0.0.0/0                          md5
    local    all          lei                                           trust
    

    Reload pg_hba.conf so the changes take effect:

    gpstop -u
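
The following Python script is an added example, not part of the original article or of Greenplum: it audits the pg_hba.conf records listed above (embedded as constructed input) and flags `trust` records and superuser records open to every address. The function names, the finding labels and the `superusers` parameter are assumptions made for this example, and address columns are assumed to be in CIDR or keyword form as in the listing.

```python
import ipaddress

# Constructed input: the pg_hba.conf records from the listing above.
SAMPLE_HBA = """\
local  all          gpadmin  ident
host   all          gpadmin  127.0.0.1/28                  trust
host   all          gpadmin  192.168.2.110/32              trust
host   all          gpadmin  ::1/128                       trust
host   all          gpadmin  fe80::250:56ff:fe2a:552a/128  trust
local  replication  gpadmin  ident
host   replication  gpadmin  samenet                       trust
host   all          gpadmin  0.0.0.0/0                     md5
host   all          lei      0.0.0.0/0                     md5
local  all          lei      trust
"""

def parse_hba(text):
    """Return one dict per record; comments and blank lines are skipped."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        f = line.split("#", 1)[0].split()
        if not f:
            continue
        # "local" records have no address column; host records do.
        addr, method = (None, f[3]) if f[0] == "local" else (f[3], f[4])
        net = ipaddress.ip_network(addr, strict=False) if addr and "/" in addr else None
        records.append(dict(line=lineno, type=f[0], db=f[1], role=f[2],
                            addr=addr, net=net, method=method))
    return records

def audit_hba(text, superusers=("gpadmin",)):
    """Return (line, finding) pairs; labels and defaults are this example's own."""
    findings = []
    for r in parse_hba(text):
        net = r["net"]
        if r["method"] == "trust":
            if r["type"] == "local" or (net is not None and net.is_loopback):
                # No password, reachable only from the master host itself.
                findings.append((r["line"], "trust-local"))
            else:
                # No password for TCP from a non-loopback address or keyword range.
                findings.append((r["line"], "trust-network"))
        if net is not None and net.prefixlen == 0 and r["role"] in (*superusers, "all"):
            findings.append((r["line"], "superuser-from-any-address"))
    return findings

if __name__ == "__main__":
    for line, finding in audit_hba(SAMPLE_HBA):
        print(f"record {line}: {finding}")
```

Because records are matched top to bottom, the `trust` record for 192.168.2.110/32 applies to gpadmin connecting from that address even though a later record asks for md5.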
    

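    II. Client connection settings ($MASTER_DATA_DIRECTORY/postgresql.conf)

    postgresql.conf is an important Greenplum configuration file. A few of its key settings are described below.

    # Two settings that limit concurrent connections
    max_connections = 250           # maximum number of connections; on segments at least 3 times the master value
    max_prepared_transactions = 250 # maximum number of prepared transactions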
    

    Record a little every day, with care. The content may not matter, but the habit does!

  • Original article: https://www.cnblogs.com/binarylei/p/9113873.html