01, Environment setup
Create the users and the schemas:
postgres=# create user test1 with password 'test1';
CREATE ROLE
postgres=# create user test2 with password 'test2';
CREATE ROLE
postgres=# create schema u1;
CREATE SCHEMA
postgres=# create schema u2;
CREATE SCHEMA
postgres=# insert into u1.txt1 values (1,'hello') ;
INSERT 0 1
postgres=# insert into u1.txt2 values (2,'world') ;
INSERT 0 1
postgres=# insert into u2.txt1 values (1,'hello') ;
INSERT 0 1
postgres=# insert into u2.txt2 values (2,'world') ;
INSERT 0 1
This sets up the environment.
02, Access privileges
postgres=# select current_user -- check the current user
postgres-# ;
 current_user
--------------
 postgres
(1 row)

postgres=# show search_path -- the current search path points at public
postgres-# ;
   search_path
-----------------
 "$user", public
(1 row)

postgres=# \dt -- list the tables; the ones just created are not shown
        List of relations
 Schema | Name | Type  |  Owner
--------+------+-------+----------
 public | test | table | postgres
postgres=# \c postgres test1 ; -- log in as user test1
You are now connected to database "postgres" as user "test1".
postgres=> select current_user; -- check the current user
 current_user
--------------
 test1
(1 row)

postgres=> \dt; -- only the table in public is readable right now
        List of relations
 Schema | Name | Type  |  Owner
--------+------+-------+----------
 public | test | table | postgres
(1 row)

postgres=> show search_path ; -- check the current search path
   search_path
-----------------
 "$user", public
(1 row)

postgres=> set search_path = 'u1'; -- switch to u1
SET
postgres=> show search_path ; -- check
 search_path
-------------
 u1
(1 row)

postgres=> \dt; -- no tables appear; didn't I create them in this schema?
Did not find any relations.
postgres=> select * from u1.test1; -- query it directly: permission denied
ERROR:  permission denied for schema u1
LINE 1: select * from u1.test1;
Let us look at the same thing as the postgres user:
postgres=> \c postgres postgres
You are now connected to database "postgres" as user "postgres".
postgres=# show search_path
postgres-# ;
   search_path
-----------------
 "$user", public
(1 row)

postgres=# \d+
                    List of relations
 Schema | Name | Type  |  Owner   | Size  | Description
--------+------+-------+----------+-------+-------------
 public | test | table | postgres | 16 kB |
(1 row)

postgres=# set search_path = u1;
SET
postgres=# \d+
                      List of relations
 Schema | Name | Type  |  Owner   |    Size    | Description
--------+------+-------+----------+------------+-------------
 u1     | txt1 | table | postgres | 8192 bytes |
 u1     | txt2 | table | postgres | 8192 bytes |
The tables are there, so the objects are fine. Is it a privilege problem?
Let me grant a privilege:
postgres=# grant SELECT on u1.txt1 to test1 ;
GRANT
postgres=# \c postgres test1;
You are now connected to database "postgres" as user "test1".
postgres=> \d+
                    List of relations
 Schema | Name | Type  |  Owner   | Size  | Description
--------+------+-------+----------+-------+-------------
 public | test | table | postgres | 16 kB |
(1 row)

postgres=> set search_path = u1;
SET
postgres=> \d+
Did not find any relations.
postgres=> select * from u1.txt1 ;
ERROR:  permission denied for schema u1
LINE 1: select * from u1.txt1 ;
                      ^
Still permission denied, even though SELECT on the table was granted.
What is actually missing here is a second privilege: USAGE on the schema itself.
postgres=# grant USAGE on SCHEMA u1 to test1 ;
GRANT
postgres=# \c postgres test1 ;
You are now connected to database "postgres" as user "test1".
postgres=> \dt ;
        List of relations
 Schema | Name | Type  |  Owner
--------+------+-------+----------
 public | test | table | postgres
(1 row)

postgres=> set search_path = u1 ;
SET
postgres=> \dt ;
        List of relations
 Schema | Name | Type  |  Owner
--------+------+-------+----------
 u1     | txt1 | table | postgres
 u1     | txt2 | table | postgres
postgres=> select * from txt1
postgres-> ;
id | name
----+-------
1 | hello
1 | hello
(2 rows)
With both grants in place, access works.
So when working with schemas, keep two things in mind:
1. The owner (here postgres) must grant USAGE on the specific schema to the user.
2. The owner must then grant the object privileges the user needs (SELECT, etc.) on the tables in that schema.
Neither grant is sufficient on its own: USAGE on the schema only lets the user see and reach the objects, and a table privilege without schema USAGE is unusable, as the "permission denied for schema" error above shows.
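As an added example that is not part of the original post, here is the same two-step grant as a repeatable script, together with checks a DBA can run to confirm which privileges test1 actually ends up with. The table definitions and the group role u1_reader are assumptions of this example; user test1 is the one created earlier in the post.

```sql
-- Added example, not from the original post: the two-step grant as a script,
-- plus checks that show the effective privileges.
-- Assumptions: user test1 already exists (created in the post); the table
-- definitions and the group role u1_reader are this example's, not the post's.
CREATE SCHEMA IF NOT EXISTS u1;
CREATE TABLE IF NOT EXISTS u1.txt1 (id integer, name text);
CREATE TABLE IF NOT EXISTS u1.txt2 (id integer, name text);

-- Put object privileges on a NOLOGIN group role and grant membership to the
-- login user, so credentials and privileges are managed separately.
CREATE ROLE u1_reader NOLOGIN;

-- Step 1: USAGE on the schema. Without it, objects in u1 are neither listed
-- by \dt nor reachable by qualified name, whatever table grants exist.
GRANT USAGE ON SCHEMA u1 TO u1_reader;

-- Step 2: the object privilege itself. SELECT is granted only on txt1;
-- txt2 stays unreadable, which is the least-privilege default.
GRANT SELECT ON u1.txt1 TO u1_reader;

-- test1 inherits both grants through membership (roles INHERIT by default).
GRANT u1_reader TO test1;

-- Verification, run as a superuser or the schema owner: the first two
-- checks must both be true before test1 can read u1.txt1; the txt2 check
-- stays false because no privilege on that table was ever granted.
SELECT has_schema_privilege('test1', 'u1', 'USAGE')      AS schema_usage,
       has_table_privilege('test1', 'u1.txt1', 'SELECT') AS txt1_select,
       has_table_privilege('test1', 'u1.txt2', 'SELECT') AS txt2_select;

-- The same picture from information_schema: every table-level grant in u1,
-- which is the list to review when auditing who can read the schema.
SELECT grantee, table_schema, table_name, privilege_type
  FROM information_schema.role_table_grants
 WHERE table_schema = 'u1';
```

The has_*_privilege functions are the quickest way to reproduce the post's "permission denied" diagnosis without switching sessions: a false schema_usage explains the error even when txt1_select is true.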