postgresql role(角色)

2022/3/1 19:21:44

本文主要是介绍postgresql role(角色),对大家解决编程问题具有一定的参考价值,需要的程序猿们随着小编来一起学习吧!

在PG中,角色与用户的概念比较模糊,可以认为带LOGIN属性的role就是用户. #创建role

带了login属性.就可以登录数据库.

  1.   postgres=# create role role1;
  2.   CREATE ROLE
  3.   postgres=# \c - role1
  4.   FATAL: role "role1" is not permitted to log in
  5.   Previous connection kept
  6.   postgres=# alter role role1 login;
  7.   ALTER ROLE
  8.   postgres=# \c - role1
  9.   You are now connected to database "postgres" as user "role1".

create user role1 与create role role1 login 是等价的,避免混淆,我只记create role方式.

role的系统视图是pg_roles

  1.   postgres=> select rolname,rolsuper,rolcanlogin from pg_roles;
  2.   rolname | rolsuper | rolcanlogin
  3.   ----------+----------+-------------
  4.   postgres | t | t
  5.   hippo | f | t
  6.   user2 | f | t
  7.   user1 | t | t
  8.   role1 | f | t

在使用initdb初始化cluster时,默认会创建一个superuser,名字是将执行initdb命令的操作系统用户一样的用户,通常叫postgres
命令行工具如psql,pg_dump等都需要指定连接用户及连接数据库.默认用户是操作系统用户,默认数据库名字跟连接用户名保持一致.

指定数据库名字

  1.   [postgres@fnddb ~]$ psql -d database1
  2.   psql (9.4.1)
  3.   Type "help" for help.
  4.    
  5.   database1=# \c
  6.   You are now connected to database "database1" as user "postgres".

指定用户名

  1.   [postgres@fnddb ~]$ psql -U role1 --不指定数据库名字,默认数据库跟用户名一致,所以找不到
  2.   psql: FATAL: database "role1" does not exist

role属性

可以认为是这个用户所具有的系统权限.

  • LOGIN --具有登录权限
  • SUPERUSER --超级用户,具有所有系统权限,除了登录验证
  • CREATEDB --创建数据库权限
  • CREATEROLE --创建role权限
  • PASSWORD --设置密码

修改属性

  1.   postgres=# create role role2 login;
  2.   CREATE ROLE
  3.    
  4.   postgres=# select * from pg_user where usename = 'role2';
  5.   usename | usesysid | usecreatedb | usesuper | usecatupd | userepl | passwd | valuntil | useconfig
  6.   ---------+----------+-------------+----------+-----------+---------+----------+----------+-----------
  7.   role2 | 16494 | f | f | f | f | ******** | |
  8.   (1 row)
  9.    
  10.   postgres=# alter role role2 createdb createrole password 'rolepasswd';
  11.   ALTER ROLE
  12.   postgres=# \du role2
  13.   List of roles
  14.   Role name | Attributes | Member of
  15.   -----------+------------------------+-----------
  16.   role2 | Create role, Create DB | {}
  17.    
  18.   postgres=# alter role role2 nocreatedb nocreaterole superuser;
  19.   ALTER ROLE
  20.   postgres=# \du role2
  21.   List of roles
  22.   Role name | Attributes | Member of
  23.   -----------+------------+-----------
  24.   role2 | Superuser | {}

#role的参数 可以修改用户的参数,来影响某用户操作数据库的特殊行为.这部分在讲服务器参数修改时已提及.

  1.   postgres=# alter role role2 set enable_indexscan = f;
  2.   ALTER ROLE

#role membership(role 成员) 为了管理上的方便,我们可以创建一个role group,然后可以将各用户或者有特殊权限的role组织在一起,各个role就是这个role group的membership.
role group 是不带login的role,因为pg使用role来表示所有的角色,用户,用户组,所以不要混淆,创建语句都是create role.我们来测试一下.

我们创建一个用户,两个角色,分别有直属一个表的查询权限

  1.   postgres=# create role jack login inherit;
  2.   CREATE ROLE
  3.   postgres=# create role r1;
  4.   CREATE ROLE
  5.   postgres=# create role r2;
  6.   CREATE ROLE
  7.   postgres=# \c database1
  8.   You are now connected to database "database1" as user "postgres".
  9.   database1=# create table tab1(id text);
  10.   CREATE TABLE
  11.   database1=# create table tab2(id text);
  12.   CREATE TABLE
  13.   database1=# create table tab3 (id text);
  14.   CREATE TABLE
  15.   database1=# grant select on tab1 to r1;
  16.   GRANT
  17.   database1=# grant select on tab2 to r2;
  18.   GRANT
  19.   database1=# grant select on tab3 to jack;
  20.   GRANT

进行grant授权,使jack成为r1,r2的membership

  1.   database1=# grant r1 to jack;
  2.   GRANT ROLE
  3.   database1=# grant r2 to jack;
  4.   GRANT ROLE
  5.   database1=# grant usage on schema public to public; --授权usage给所有用户(后一个public),否则看不到数据库中的表.
  6.   GRANT

测试角色切换

jack继承了r1,r2的权限

  1.   database1=# \c - jack
  2.   You are now connected to database "database1" as user "jack".
  3.   database1=> select * from tab3;
  4.   id
  5.   ----
  6.   (0 rows)
  7.    
  8.   database1=> select * from tab1;
  9.   id
  10.   ----
  11.   (0 rows)
  12.    
  13.   database1=> select * from tab2;
  14.   id
  15.   ----
  16.   (0 rows)

间接继承的也可以

  1.   database1=> \c - postgres
  2.   You are now connected to database "database1" as user "postgres".
  3.   database1=# revoke r2 from jack;
  4.   REVOKE ROLE
  5.   database1=# grant r2 to r1;
  6.   GRANT ROLE
  7.   database1=# \c - jack;
  8.   You are now connected to database "database1" as user "jack".
  9.   database1=> select * from tab2;
  10.   id
  11.   ----
  12.   (0 rows)

关闭r1的继承

  1.   database1=> \c - postgres
  2.   You are now connected to database "database1" as user "postgres".
  3.   database1=# alter role r1 noinherit;
  4.   ALTER ROLE
  5.   database1=# \c - jack;
  6.   You are now connected to database "database1" as user "jack".
  7.   database1=> select * from tab2; --已经查询不了r2的权限
  8.   ERROR: permission denied for relation tab2
  9.   database1=> select * from tab1;
  10.   id
  11.   ----
  12.   (0 rows)

直接切换到r2角色,你已经不是jack了:)

  1.   database1=> set role r1;
  2.   SET
  3.   database1=> select * from tab1;
  4.   id
  5.   ----
  6.   (0 rows)
  7.    
  8.   database1=> select * from tab2;
  9.   ERROR: permission denied for relation tab2
  10.   database1=> select * from tab3;
  11.   ERROR: permission denied for relation tab3

授权不能形成回路

  1.   database1=> \c - postgres
  2.   You are now connected to database "database1" as user "postgres".
  3.   database1=# \du
  4.   List of roles
  5.   Role name | Attributes | Member of
  6.   -----------+------------------------------------------------+-----------
  7.   hippo | | {}
  8.   jack | | {r1}
  9.   postgres | Superuser, Create role, Create DB, Replication | {}
  10.   r1 | No inheritance, Cannot login | {r2}
  11.   r2 | Cannot login | {}
  12.   user1 | Superuser, Create role, Create DB | {}
  13.   user2 | Create DB | {}
  14.    
  15.   database1=# grant jack to r2;
  16.   ERROR: role "jack" is a member of role "r2"

系统权限任何时候都不会继承,只有主动set过去才生效

  1.   database1=# alter role r1 createrole;
  2.   ALTER ROLE
  3.   database1=# \c - jack;
  4.   You are now connected to database "database1" as user "jack".
  5.   database1=> create role jacktest1;
  6.   ERROR: permission denied to create role
  7.   database1=> set role r1;
  8.   SET
  9.   database1=> create role jacktest1;
  10.   CREATE ROLE

三种方式还原到最初的jack角色

  1.   database1=> set role jack;
  2.   SET
  3.   database1=> set role none;
  4.   SET
  5.   database1=> reset role;
  6.   RESET

#角色删除

在什么角色下建的对象,归属于哪个角色,而非登录者

  1.   database1=> \c - postgres
  2.   You are now connected to database "database1" as user "postgres".
  3.   database1=# grant create on database database1 to r1;
  4.   GRANT
  5.   database1=# \c - jack
  6.   You are now connected to database "database1" as user "jack".
  7.   database1=> set role r1;
  8.   SET
  9.   database1=> create table tab4(id text);
  10.   CREATE TABLE
  11.   database1=> \dt tab4 --这里要注意:owner变成了r1而不是jack
  12.   List of relations
  13.   Schema | Name | Type | Owner
  14.   --------+------+-------+-------
  15.   public | tab4 | table | r1
  16.   (1 row)

删除role,role下有权限或者是对象属于此role,则删除不了

  1.   database1=> \c - postgres
  2.   You are now connected to database "database1" as user "postgres".
  3.   database1=# drop role r1;
  4.   ERROR: role "r1" cannot be dropped because some objects depend on it
  5.   DETAIL: owner of table tab4
  6.   privileges for database database1
  7.   privileges for table tab1

移除掉相关权限关联后进行删除

  1.   database1=# drop table tab1;
  2.   DROP TABLE
  3.   database1=# drop table tab4;
  4.   DROP TABLE
  5.   database1=# revoke create on database database1 from r1;
  6.   REVOKE
  7.   database1=# drop role r1;
  8.   DROP ROLE

涉及到r1的成员或者是角色租(role group) 自动释放

  1.   database1=# \du
  2.   List of roles
  3.   Role name | Attributes | Member of
  4.   -----------+------------------------------------------------+-----------
  5.   hippo | | {}
  6.   jack | | {}
  7.   jacktest1 | Cannot login | {}
  8.   postgres | Superuser, Create role, Create DB, Replication | {}
  9.   r2 | Cannot login | {}
  10.   user1 | Superuser, Create role, Create DB | {}
  11.   user2 | Create DB | {}

#ROLE总结

  1. PG中的role包含了用户,角色,角色组,成员等所有含义.都使用create role来创建.
  2. 一个role可以成为多个role的成员,根据role的inherit属性来决定是否集成其他role的各种权限
  3. 继承关系不能形成回路.
  4. role上的属性如createdb,createrole不会直接继承,需要显式通过set role切换过去.
  5. 删除role需要先清理此role关联的各种权限.

//END

 

转载于:https://my.oschina.net/hippora/blog/376733



这篇关于postgresql role(角色)的文章就介绍到这儿,希望我们推荐的文章对大家有所帮助,也希望大家多多支持为之网!


扫一扫关注最新编程教程