查看pg 用户组_PostgreSQL 角色用户管理
一、角色與用戶的區(qū)別
PostgreSQL使用角色的概念管理數(shù)據(jù)庫訪問權(quán)限。 根據(jù)角色自身的設(shè)置不同,一個(gè)角色可以看做是一個(gè)數(shù)據(jù)庫用戶,或者一組數(shù)據(jù)庫用戶。 角色可以擁有數(shù)據(jù)庫對(duì)象(比如表)以及可以把這些對(duì)象上的權(quán)限賦予其它角色, 以控制誰擁有訪問哪些對(duì)象的權(quán)限。
其實(shí)用戶和角色都是角色,只是用戶是具有登錄權(quán)限的角色。
在PostgreSQL 里沒有區(qū)分用戶和角色的概念,"CREATE USER" 為 "CREATE ROLE" 的別名,這兩個(gè)命令幾乎是完全相同的,唯一的區(qū)別是"CREATE USER" 命令創(chuàng)建的用戶默認(rèn)帶有LOGIN屬性,而"CREATE ROLE" 命令創(chuàng)建的用戶默認(rèn)不帶LOGIN屬性(CREATE USER is equivalent to CREATE ROLE except that CREATE USER assumes LOGIN by default, while CREATE ROLE does not)。
1.1 創(chuàng)建角色與用戶
CREATE ROLE 語法
CREATE ROLE name [ [ WITH ] option [ ... ] ]
where option can be:
SUPERUSER | NOSUPERUSER
| CREATEDB | NOCREATEDB
| CREATEROLE | NOCREATEROLE
| CREATEUSER | NOCREATEUSER
| INHERIT | NOINHERIT
| LOGIN | NOLOGIN
| REPLICATION | NOREPLICATION
| CONNECTION LIMIT connlimit
| [ ENCRYPTED | UNENCRYPTED ] PASSWORD 'password'
| VALID UNTIL 'timestamp'
| IN ROLE role_name [, ...]
| IN GROUP role_name [, ...]
| ROLE role_name [, ...]
| ADMIN role_name [, ...]
| USER role_name [, ...]
| SYSID uid
創(chuàng)建david 角色和sandy 用戶
postgres=# CREATE ROLE david; //默認(rèn)不帶LOGIN屬性
CREATE ROLE
postgres=# CREATE USER sandy; //默認(rèn)具有LOGIN屬性
CREATE ROLE
postgres=# \du
List of roles
Role name | Attributes | Member of
-----------+------------------------------------------------+-----------
david | Cannot login | {}
postgres | Superuser, Create role, Create DB, Replication | {}
sandy | | {}
postgres=#
postgres=# SELECT rolname from pg_roles ;
rolname
----------
postgres
david
sandy
(3 rows)
postgres=# SELECT usename from pg_user; //角色david 創(chuàng)建時(shí)沒有分配login權(quán)限,所以沒有創(chuàng)建用戶
usename
----------
postgres
sandy
(2 rows)
postgres=#
1.2 驗(yàn)證LOGIN屬性
postgres@CS-DEV:~> psql -U david
psql: FATAL: role "david" is not permitted to log in
postgres@CS-DEV:~> psql -U sandy
psql: FATAL: database "sandy" does not exist
postgres@CS-DEV:~> psql -U sandy -d postgres
psql (9.1.0)
Type "help" for help.
postgres=> \dt
No relations found.
postgres=>
用戶sandy 可以登錄,角色david 不可以登錄。
1.3 修改david 的權(quán)限,增加LOGIN權(quán)限
postgres=# ALTER ROLE david LOGIN ;
ALTER ROLE
postgres=# \du
List of roles
Role name | Attributes | Member of
-----------+------------------------------------------------+-----------
david | | {}
postgres | Superuser, Create role, Create DB, Replication | {}
sandy | | {}
postgres=# SELECT rolname from pg_roles ;
rolname
----------
postgres
sandy
david
(3 rows)
postgres=# SELECT usename from pg_user; //給david 角色分配login權(quán)限,系統(tǒng)將自動(dòng)創(chuàng)建同名用戶david
usename
----------
postgres
sandy
david
(3 rows)
postgres=#
1.4 再次驗(yàn)證LOGIN屬性
postgres@CS-DEV:~> psql -U david -d postgres
Type "help" for help.
postgres=> \du
List of roles
Role name | Attributes | Member of
-----------+------------------------------------------------+-----------
david | | {}
postgres | Superuser, Create role, Create DB, Replication | {}
sandy | | {}
postgres=>
david 現(xiàn)在也可以登錄了。
二、查看角色信息
psql 終端可以用\du 或\du+ 查看,也可以查看系統(tǒng)表 select * from pg_roles;
postgres=> \du
List of roles
Role name | Attributes | Member of
-----------+------------------------------------------------+-----------
david | Cannot login | {}
postgres | Superuser, Create role, Create DB, Replication | {}
sandy | | {}
postgres=> \du+
List of roles
Role name | Attributes | Member of | Description
-----------+------------------------------------------------+-----------+-------------
david | Cannot login | {} |
postgres | Superuser, Create role, Create DB, Replication | {} |
sandy | | {} |
postgres=> SELECT * from pg_roles;
rolname | rolsuper | rolinherit | rolcreaterole | rolcreatedb | rolcatupdate | rolcanlogin | rolreplication | rolconnlimit | rolpassword | rolvaliduntil | rolconfig | oid
----------+----------+------------+---------------+-------------+--------------+-------------+----------------+--------------+-------------+---------------+-----------+-------
postgres | t | t | t | t | t | t | t | -1 | ******** | | | 10
david | f | t | f | f | f | f | f | -1 | ******** | | | 49438
sandy | f | t | f | f | f | t | f | -1 | ******** | | | 49439
(3 rows)
postgres=>
三、角色屬性(Role Attributes)
一個(gè)數(shù)據(jù)庫角色可以有一系列屬性,這些屬性定義了他的權(quán)限。
屬性說明login只有具有 LOGIN 屬性的角色可以用做數(shù)據(jù)庫連接的初始角色名
superuser數(shù)據(jù)庫超級(jí)用戶
createdb創(chuàng)建數(shù)據(jù)庫權(quán)限
createrole允許其創(chuàng)建或刪除其他普通的用戶角色(超級(jí)用戶除外)
replication做流復(fù)制的時(shí)候用到的一個(gè)用戶屬性,一般單獨(dú)設(shè)定。
password在登錄時(shí)要求指定密碼時(shí)才會(huì)起作用,比如md5或者password模式,跟客戶端的連接認(rèn)證方式有關(guān)
inherit用戶組對(duì)組員的一個(gè)繼承標(biāo)志,成員可以繼承用戶組的權(quán)限特性
四、創(chuàng)建用戶時(shí)賦予角色屬性
從pg_roles 表里查看到的信息,在上面創(chuàng)建的david 用戶時(shí),默認(rèn)沒有創(chuàng)建數(shù)據(jù)庫等權(quán)限。
postgres@CS-DEV:~> psql -U david -d postgres
Type "help" for help.
postgres=> \du
List of roles
Role name | Attributes | Member of
-----------+------------------------------------------------+-----------
david | | {}
postgres | Superuser, Create role, Create DB, Replication | {}
sandy | | {}
postgres=> CREATE DATABASE test;
ERROR: permission denied to create database
postgres=>
如果要在創(chuàng)建角色時(shí)就賦予角色一些屬性,可以使用下面的方法。
首先切換到postgres 用戶。
4.1 創(chuàng)建角色bella 并賦予其CREATEDB 的權(quán)限。
postgres=# CREATE ROLE bella CREATEDB ;
CREATE ROLE
postgres=# \du
List of roles
Role name | Attributes | Member of
-----------+------------------------------------------------+-----------
bella | Create DB, Cannot login | {}
david | | {}
postgres | Superuser, Create role, Create DB, Replication | {}
sandy | | {}
postgres=#
4.2 創(chuàng)建角色renee 并賦予其創(chuàng)建數(shù)據(jù)庫及帶有密碼登錄的屬性。
postgres=# CREATE ROLE renee CREATEDB PASSWORD 'abc123' LOGIN;
CREATE ROLE
postgres=# \du
List of roles
Role name | Attributes | Member of
-----------+------------------------------------------------+-----------
bella | Create DB, Cannot login | {}
david | | {}
postgres | Superuser, Create role, Create DB, Replication | {}
renee | Create DB | {}
sandy | | {}
postgres=#
4.3 測試renee 角色
a. 登錄
postgres@CS-DEV:~> psql -U renee -d postgres
Type "help" for help.
postgres=>
用renee 用戶登錄數(shù)據(jù)庫,發(fā)現(xiàn)不需要輸入密碼既可登錄,不符合實(shí)際情況。
b. 查找原因
在角色屬性中關(guān)于password的說明,在登錄時(shí)要求指定密碼時(shí)才會(huì)起作用,比如md5或者password模式,跟客戶端的連接認(rèn)證方式有關(guān)。
查看pg_hba.conf 文件,發(fā)現(xiàn)local 的METHOD 為trust,所以不需要輸入密碼。
將local 的METHOD 更改為password,然后保存重啟postgresql。
五、給已存在用戶賦予各種權(quán)限
使用ALTER ROLE 命令。
ALTER ROLE 語法:
ALTER ROLE name [ [ WITH ] option [ ... ] ]
where option can be:
SUPERUSER | NOSUPERUSER
| CREATEDB | NOCREATEDB
| CREATEROLE | NOCREATEROLE
| CREATEUSER | NOCREATEUSER
| INHERIT | NOINHERIT
| LOGIN | NOLOGIN
| REPLICATION | NOREPLICATION
| CONNECTION LIMIT connlimit
| [ ENCRYPTED | UNENCRYPTED ] PASSWORD 'password'
| VALID UNTIL 'timestamp'
ALTER ROLE name RENAME TO new_name
ALTER ROLE name [ IN DATABASE database_name ] SET configuration_parameter { TO | = } { value | DEFAULT }
ALTER ROLE name [ IN DATABASE database_name ] SET configuration_parameter FROM CURRENT
ALTER ROLE name [ IN DATABASE database_name ] RESET configuration_parameter
ALTER ROLE name [ IN DATABASE database_name ] RESET ALL
5.1 賦予bella 登錄權(quán)限
a. 查看現(xiàn)在的角色屬性
postgres=# \du
List of roles
Role name | Attributes | Member of
-----------+------------------------------------------------+-----------
bella | Create DB, Cannot login | {}
david | | {}
postgres | Superuser, Create role, Create DB, Replication | {}
renee | Create DB | {}
sandy | | {}
postgres=#
b. 賦予登錄權(quán)限
postgres=# ALTER ROLE bella WITH LOGIN;
ALTER ROLE
postgres=# \du
List of roles
Role name | Attributes | Member of
-----------+------------------------------------------------+-----------
bella | Create DB | {}
david | | {}
postgres | Superuser, Create role, Create DB, Replication | {}
renee | Create DB | {}
sandy | | {}
postgres=#
5.2 賦予renee 創(chuàng)建角色的權(quán)限
postgres=# ALTER ROLE renee WITH CREATEROLE;
ALTER ROLE
postgres=# \du
List of roles
Role name | Attributes | Member of
-----------+------------------------------------------------+-----------
bella | Create DB | {}
david | | {}
postgres | Superuser, Create role, Create DB, Replication | {}
renee | Create role, Create DB | {}
sandy | | {}
postgres=#
5.3 賦予david 帶密碼登錄權(quán)限
postgres=# ALTER ROLE david WITH PASSWORD 'ufo456';
ALTER ROLE
postgres=#
5.4 設(shè)置sandy 角色的有效期
postgres=# ALTER ROLE sandy VALID UNTIL '2019-04-24';
ALTER ROLE
postgres=# \du
List of roles
Role name | Attributes | Member of
-----------+------------------------------------------------+-----------
bella | Create DB | {}
david | | {}
postgres | Superuser, Create role, Create DB, Replication | {}
renee | Create role, Create DB | {}
sandy | | {}
postgres=# SELECT * from pg_roles ;
rolname | rolsuper | rolinherit | rolcreaterole | rolcreatedb | rolcatupdate | rolcanlogin | rolreplication | rolconnlimit | rolpassword | rolvaliduntil | rolconfig | oid
----------+----------+------------+---------------+-------------+--------------+-------------+----------------+--------------+-------------+------------------------+-----------+-------
postgres | t | t | t | t | t | t | t | -1 | ******** | | | 10
bella | f | t | f | t | f | t | f | -1 | ******** | | | 49440
renee | f | t | t | t | f | t | f | -1 | ******** | | | 49442
david | f | t | f | f | f | t | f | -1 | ******** | | | 49438
sandy | f | t | f | f | f | t | f | -1 | ******** | 2019-04-24 00:00:00+08 | | 49439
(5 rows)
postgres=#
六、角色賦權(quán)/角色成員
在系統(tǒng)的角色管理中,通常會(huì)把多個(gè)角色賦予一個(gè)組,這樣在設(shè)置權(quán)限時(shí)只需給該組設(shè)置即可,撤銷權(quán)限時(shí)也是從該組撤銷。在PostgreSQL中,首先需要?jiǎng)?chuàng)建一個(gè)代表組的角色,之后再將該角色的membership 權(quán)限賦給獨(dú)立的角色即可。
6.1 創(chuàng)建組角色
postgres=# CREATE ROLE father login nosuperuser nocreatedb nocreaterole noinherit encrypted password 'abc123';
CREATE ROLE
postgres=# \du
List of roles
Role name | Attributes | Member of
-----------+------------------------------------------------+-----------
bella | Create DB | {}
david | | {}
father | No inheritance | {}
postgres | Superuser, Create role, Create DB, Replication | {}
renee | Create role, Create DB | {}
sandy | | {}
postgres=#
6.2 給father 角色賦予數(shù)據(jù)庫test 連接權(quán)限和相關(guān)表的查詢權(quán)限。
postgres=# GRANT CONNECT ON DATABASE test to father;
GRANT
postgres=# \c test renee
You are now connected to database "test" as user "renee".
test=> \dt
No relations found.
test=> CREATE TABLE emp (
test(> id serial,
test(> name text);
NOTICE: CREATE TABLE will create implicit sequence "emp_id_seq" for serial column "emp.id"
CREATE TABLE
test=> INSERT INTO emp (name) VALUES ('david');
INSERT 0 1
test=> INSERT INTO emp (name) VALUES ('sandy');
INSERT 0 1
test=> SELECT * from emp;
id | name
----+-------
1 | david
2 | sandy
(2 rows)
test=> \dt
List of relations
Schema | Name | Type | Owner
--------+------+-------+-------
public | emp | table | renee
(1 row)
test=> GRANT USAGE ON SCHEMA public to father;
WARNING: no privileges were granted for "public"
GRANT
test=> GRANT SELECT on public.emp to father;
GRANT
test=>
6.3 創(chuàng)建成員角色
test=> \c postgres postgres
You are now connected to database "postgres" as user "postgres".
postgres=# CREATE ROLE son1 login nosuperuser nocreatedb nocreaterole inherit encrypted password 'abc123';
CREATE ROLE
postgres=#
這里創(chuàng)建了son1 角色,并開啟inherit 屬性。PostgreSQL 里的角色賦權(quán)是通過角色繼承(INHERIT)的方式實(shí)現(xiàn)的。
6.4 將father 角色賦給son1
postgres=# GRANT father to son1;
GRANT ROLE
postgres=#
還有另一種方法,就是在創(chuàng)建用戶的時(shí)候賦予角色權(quán)限。
postgres=# CREATE ROLE son2 login nosuperuser nocreatedb nocreaterole inherit encrypted password 'abc123' in role father;
CREATE ROLE
postgres=#
6.5 測試son1 角色
postgres=# \c test son1
You are now connected to database "test" as user "son1".
test=> \dt
List of relations
Schema | Name | Type | Owner
--------+------+-------+-------
public | emp | table | renee
(1 row)
test=> SELECT * from emp;
id | name
----+-------
1 | david
2 | sandy
(2 rows)
test=>
用renee 角色新創(chuàng)建一張表,再次測試
test=> \c test renee
You are now connected to database "test" as user "renee".
test=> CREATE TABLE dept (
test(> deptid integer,
test(> deptname text);
CREATE TABLE
test=> INSERT INTO dept (deptid, deptname) values(1, 'ts');
INSERT 0 1
test=> \c test son1
You are now connected to database "test" as user "son1".
test=> SELECT * from dept ;
ERROR: permission denied for relation dept
test=>
son1 角色只能查詢emp 表的數(shù)據(jù),而不能查詢dept 表的數(shù)據(jù),測試成功。
6.6 查詢角色組信息
test=> \c postgres postgres
You are now connected to database "postgres" as user "postgres".
postgres=#
postgres=# \du
List of roles
Role name | Attributes | Member of
-----------+------------------------------------------------+-----------
bella | Create DB | {}
david | | {}
father | No inheritance | {}
postgres | Superuser, Create role, Create DB, Replication | {}
renee | Create role, Create DB | {}
sandy | | {}
son1 | | {father}
son2 | | {father}
postgres=#
"Member of " 項(xiàng)表示son1 和son2 角色屬于father 角色組。
6.7 對(duì)整個(gè)schema的對(duì)象進(jìn)行權(quán)限管理
PostgreSQL 從9.0開始就提供了比較方便的對(duì)整個(gè)schema的指定對(duì)象賦權(quán)給目標(biāo)用的語法。
GRANT
例子
GRANT { { SELECT | INSERT | UPDATE | DELETE | TRUNCATE | REFERENCES | TRIGGER }
[, ...] | ALL [ PRIVILEGES ] }
ON { [ TABLE ] table_name [, ...]
| ALL TABLES IN SCHEMA schema_name [, ...] }
TO role_specification [, ...] [ WITH GRANT OPTION ]
REVOKE [ GRANT OPTION FOR ]
{ { SELECT | INSERT | UPDATE | DELETE | TRUNCATE | REFERENCES | TRIGGER }
[, ...] | ALL [ PRIVILEGES ] }
ON { [ TABLE ] table_name [, ...]
| ALL TABLES IN SCHEMA schema_name [, ...] }
FROM { [ GROUP ] role_name | PUBLIC } [, ...]
[ CASCADE | RESTRICT ]
將schema digoal下的所有表的select,update權(quán)限賦予給test用戶。
注意
如果digoal.*中包含了非當(dāng)前用戶的表,并且當(dāng)前用戶非超級(jí)用戶,并且當(dāng)前用戶沒有這些表的select,update的with grant option權(quán)限。將報(bào)錯(cuò)。
換句話說,如果要確保這個(gè)賦權(quán)操作萬無一失,可以選擇使用超級(jí)用戶來執(zhí)行。
grant select,update on all tables in schema digoal to test;
將schema digoal下的所有表的select,update權(quán)限從test用戶回收。
revoke select,update on all tables in schema digoal from test;
在對(duì)整個(gè)schema下的所有對(duì)象的權(quán)限管理完后, 別忘記了在對(duì)象之上,還需要對(duì)schema、database、instance進(jìn)行相應(yīng)的賦權(quán)。
6.8 如何設(shè)置用戶創(chuàng)建的對(duì)象的默認(rèn)權(quán)限
另一個(gè)問題,如何設(shè)置用戶新建的對(duì)象的默認(rèn)權(quán)限?
在PostgreSQL 9.0以后新加的語法:
ALTER DEFAULT PRIVILEGES
例如
ALTER DEFAULT PRIVILEGES
[ FOR { ROLE | USER } target_role [, ...] ]
[ IN SCHEMA schema_name [, ...] ]
abbreviated_grant_or_revoke
where abbreviated_grant_or_revoke is one of:
GRANT { { SELECT | INSERT | UPDATE | DELETE | TRUNCATE | REFERENCES | TRIGGER }
[, ...] | ALL [ PRIVILEGES ] }
ON TABLES
TO { [ GROUP ] role_name | PUBLIC } [, ...] [ WITH GRANT OPTION ]
例子:
將digoal用戶未來在public下面創(chuàng)建的表的select,update權(quán)限默認(rèn)賦予給test用戶.
postgres=> alter default privileges for role digoal in schema public grant select,update on tables to test;
ALTER DEFAULT PRIVILEGES
將test用戶未來在public,digoal下面創(chuàng)建的表的select,update權(quán)限默認(rèn)賦予給digoal用戶.
postgres=# alter default privileges for role test in schema public,digoal grant select,update on tables to digoal;
ALTER DEFAULT PRIVILEGES
查看已經(jīng)賦予的默認(rèn)權(quán)限
postgres=> \ddp+
Default access privileges
Owner | Schema | Type | Access privileges
----------+--------+-------+---------------------------
digoal | public | table | test=rw/digoal
test | digoal | table | digoal=rw/test
test | public | table | digoal=rw/test
或
SELECT pg_catalog.pg_get_userbyid(d.defaclrole) AS "Owner",
n.nspname AS "Schema",
CASE d.defaclobjtype WHEN 'r' THEN 'table' WHEN 'S' THEN 'sequence' WHEN 'f' THEN 'function' WHEN 'T' THEN 'type' END AS "Type",
pg_catalog.array_to_string(d.defaclacl, E'\n') AS "Access privileges"
FROM pg_catalog.pg_default_acl d
LEFT JOIN pg_catalog.pg_namespace n ON n.oid = d.defaclnamespace
ORDER BY 1, 2, 3;
Owner | Schema | Type | Access privileges
----------+--------+-------+---------------------------
digoal | public | table | test=rw/digoal
postgres | | table | postgres=arwdDxt/postgres+
| | | digoal=arwdDxt/postgres
test | digoal | table | digoal=rw/test
test | public | table | digoal=rw/test
(4 rows)
總結(jié)
以上是生活随笔為你收集整理的查看pg 用户组_PostgreSQL 角色用户管理的全部內(nèi)容,希望文章能夠幫你解決所遇到的問題。
- 上一篇: Spring Cloud概念+案例(eu
- 下一篇: 巴身小(leng)一族作为夜郎后裔的历史