zoukankan      html  css  js  c++  java
  • PostgreSQL创建只读账户

    目前PostgreSQL并不能像MySQL一样直接对某个数据库赋予只读权限,现实中有研发需要新建一个用户然后赋予对某个数据库只读权限。

    举例说明如何创建

    用edbstore用户连接edbstore数据库,并创建一个测试schema

    $ psql -U edbstore edbstore
    psql (9.6.4)
    Type "help" for help.
    
    edbstore=> create schema ota_data;
    CREATE SCHEMA
    edbstore=> dn ota_data 
       List of schemas
       Name   |  Owner   
    ----------+----------
     ota_data | edbstore
    (1 row)

    在测试schema下创建一张测试表并插入部分数据

    edbstore=> set search_path to ota_data ;
    SET
    edbstore=> show search_path ;
     search_path 
    -------------
     ota_data
    (1 row)
    
    edbstore=> create table tb1(name varchar,age int);
    CREATE TABLE
    edbstore=> insert into tb1 values('chris',23);
    INSERT 0 1
    edbstore=> insert into tb1 values('tonny',25);
    INSERT 0 1
    edbstore=> select * from tb1;
     name  | age 
    -------+-----
     chris |  23
     tonny |  25
    (2 rows)

     现在新建一个readonly用户并尝试访问edbstore用户下新建的测试数据

    postgres=# create role readonly password 'readonly' login;
    CREATE ROLE
    $ export PGPASSWORD=readonly
    $ psql -h 172.16.101.66 -U readonly edbstore
    psql (9.6.4)
    Type "help" for help.
    
    edbstore=> set search_path to ota_data ;
    SET
    edbstore=> d
    No relations found.

     可以看到默认情况下新用户readonly是无法看到edbstore用户下的数据的,现在赋予用户readonly查看schema对象的权限

    edbstore=> GRANT USAGE ON SCHEMA ota_data TO readonly;
    GRANT

     readonly用户再次查看

    edbstore=> d
             List of relations
      Schema  | Name | Type  |  Owner   
    ----------+------+-------+----------
     ota_data | tb1  | table | edbstore
    (1 row)
    
    edbstore=> select * from tb1 ;
    ERROR:  permission denied for relation tb1

    可以看到虽然用户可以查看到该对象,但是没用select权限,现在进行赋权

    edbstore=> dp
                                 Access privileges
      Schema  | Name | Type  | Access privileges | Column privileges | Policies 
    ----------+------+-------+-------------------+-------------------+----------
     ota_data | tb1  | table |                   |                   | 
    (1 row)
    
    edbstore=> GRANT SELECT ON ALL TABLES IN SCHEMA ota_data TO readonly;
    GRANT
    edbstore=> dp
                                     Access privileges
      Schema  | Name | Type  |     Access privileges     | Column privileges | Policies 
    ----------+------+-------+---------------------------+-------------------+----------
     ota_data | tb1  | table | edbstore=arwdDxt/edbstore+|                   | 
              |      |       | readonly=r/edbstore       |                   | 
    (1 row)

     readonly用户再次查看

    edbstore=> select * from tb1 ;
     name  | age 
    -------+-----
     chris |  23
     tonny |  25
    (2 rows)
    
    edbstore=> insert into tb1 values('tina',19);
    ERROR:  permission denied for relation tb1

    该命令只能对已经存在的对象(表,视图等)赋权,新建立的表,readonly用户是无法查看的,新建一张表

    edbstore=> create table tb2 as select * from tb1;
    SELECT 2
    edbstore=> dp
                                     Access privileges
      Schema  | Name | Type  |     Access privileges     | Column privileges | Policies 
    ----------+------+-------+---------------------------+-------------------+----------
     ota_data | tb1  | table | edbstore=arwdDxt/edbstore+|                   | 
              |      |       | readonly=r/edbstore       |                   | 
     ota_data | tb2  | table |                           |                   | 
    (2 rows)

     readonly用户再次查看

    edbstore=> d
             List of relations
      Schema  | Name | Type  |  Owner   
    ----------+------+-------+----------
     ota_data | tb1  | table | edbstore
     ota_data | tb2  | table | edbstore
    (2 rows)
    
    edbstore=> select * from tb2;
    ERROR:  permission denied for relation tb2

    为了让readonly用户可以有权限继续查看新建的表,需要为该新建的schema指定default权限

    edbstore=> ALTER DEFAULT PRIVILEGES IN SCHEMA ota_data GRANT SELECT ON TABLES TO readonly;
    ALTER DEFAULT PRIVILEGES
    edbstore=> ddp
                 Default access privileges
      Owner   |  Schema  | Type  |  Access privileges  
    ----------+----------+-------+---------------------
     edbstore | ota_data | table | readonly=r/edbstore
    (1 row)
    
    edbstore=> create table tb3 as select * from tb1;
    SELECT 2
    edbstore=> dp
                                     Access privileges
      Schema  | Name | Type  |     Access privileges     | Column privileges | Policies 
    ----------+------+-------+---------------------------+-------------------+----------
     ota_data | tb1  | table | edbstore=arwdDxt/edbstore+|                   | 
              |      |       | readonly=r/edbstore       |                   | 
     ota_data | tb2  | table |                           |                   | 
     ota_data | tb3  | table | edbstore=arwdDxt/edbstore+|                   | 
              |      |       | readonly=r/edbstore       |                   | 
    (3 rows)

    可以看到新建的表tb3会自动继承我们给该schema下的表预定义的select权限。

    edbstore=> select * from information_schema.role_table_grants where grantee='readonly';
     grantor  | grantee  | table_catalog | table_schema | table_name | privilege_type | is_grantable | with_hierarchy 
    ----------+----------+---------------+--------------+------------+----------------+--------------+----------------
     edbstore | readonly | edbstore      | ota_data     | tb1        | SELECT         | NO           | YES
     edbstore | readonly | edbstore      | ota_data     | tb3        | SELECT         | NO           | YES
    (2 rows)

    如何取消该权限

    alter default privileges in schema public revoke select on tables from readonly ;

     关于如何对整个输几局所有schema添加权限可以参考如下命令:

    select 'grant usage on schema '|| schema_name || ' to readonly ;' from information_schema.schemata;
    
    select 'GRANT SELECT ON ALL TABLES IN SCHEMA '|| schema_name || ' TO readonly ;' from information_schema.schemata;
    
    select 'ALTER DEFAULT PRIVILEGES IN SCHEMA '|| schema_name || ' GRANT SELECT ON TABLES TO readonly ;' from information_schema.schemata;
  • 相关阅读:
    对MVC模型的自悟,详尽解释,为了更多非计算机人员可以理解
    openSUSE leap 42.3 实现有线 无线同时用
    Fedora27 源配置
    Ubuntu16.04添加HP Laserjet Pro M128fn打印机和驱动
    openSUSE leap 42.3 添加HP Laserjet Pro M128fn打印机和驱动
    OpenSUSE Leap 42.3下通过Firefox Opera Chromium浏览器直接执行java应用程序(打开java jnlp文件)实现在服务器远程虚拟控制台完成远程管理的方法
    OpenSUSE Leap 42.3 安装java(Oracle jre)
    linux下支持托盘的邮件客户端Sylpheed
    Ubuntu下通过Firefox Opera Chromium浏览器直接执行java应用程序(打开java jnlp文件)实现在服务器远程虚拟控制台完成远程管理的方法
    Firefox 浏览器添加Linux jre插件
  • 原文地址:https://www.cnblogs.com/ilifeilong/p/11405578.html
Copyright © 2011-2022 走看看