Default privileges in PostgreSQL


Sometimes we run into this situation (and it is not uncommon): a user's schema contains many objects, and you want to grant another user access to those tables. You can grant the privileges directly with GRANT, but what happens when the object owner creates new objects? You would have to grant again each time. PostgreSQL provides a solution for this.

postgres=# create user a password 'a';
CREATE ROLE
postgres=# grant connect on database postgres to a;
GRANT
postgres=# create schema a authorization a;
CREATE SCHEMA
postgres=# alter user a set search_path=a;
ALTER ROLE
postgres=# create user b password 'b';
CREATE ROLE
postgres=# grant connect on database postgres to b;
GRANT
postgres=# create schema b authorization b;
CREATE SCHEMA
postgres=# alter user b set search_path=b;
ALTER ROLE
postgres=# \du
                                   List of roles
 Role name |                         Attributes                         | Member of
-----------+------------------------------------------------------------+-----------
 a         |                                                            | {}
 b         |                                                            | {}
 postgres  | Superuser, Create role, Create DB, Replication, Bypass RLS | {}

postgres=# \dn
  List of schemas
  Name  |  Owner
--------+----------
 a      | a
 b      | b
 public | postgres
(3 rows)

postgres=#

Here user a is the owner of the objects. Create two tables:

postgres=> \c postgres a
You are now connected to database "postgres" as user "a".
postgres=> create table t1(a int);
CREATE TABLE
postgres=> create table t2(a int);
CREATE TABLE
postgres=> insert into t1(a) values(1);
INSERT 0 1
postgres=> insert into t2(a) values(2);
INSERT 0 1
postgres=> \d
       List of relations
 Schema | Name | Type  | Owner 
--------+------+-------+-------
 a      | t1   | table | a
 a      | t2   | table | a
(2 rows)

postgres=>

Grant privileges to user b:

postgres=> grant select on table t1 to b;
GRANT
postgres=> grant select on table t2 to b;
GRANT
postgres=>

Now, can user b read the contents of the tables that a created?

postgres=> \c postgres b
You are now connected to database "postgres" as user "b".
postgres=> select count(*) from a.t1;
ERROR:  permission denied for schema a
LINE 1: select count(*) from a.t1;
                             ^
postgres=> 

b also needs to be granted access to schema a:

postgres=> \c postgres a
You are now connected to database "postgres" as user "a".
postgres=> grant usage on schema a to b;
GRANT
postgres=>

This only grants b access to schema a itself; it does not grant access to the tables inside it.

postgres=> \c postgres b
You are now connected to database "postgres" as user "b".
postgres=> select count(*) from a.t1;
 count 
-------
     1
(1 row)

postgres=> select count(*) from a.t2;
 count 
-------
     1
(1 row)

postgres=> 
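The two layers the session above walks through (USAGE on the schema, then SELECT on each table) can be checked directly from the catalogs instead of by trial and error. The following is an added example and not part of the original post; it assumes the roles a and b and the tables a.t1 and a.t2 created above, and uses only PostgreSQL's built-in privilege functions and catalog tables.

```sql
-- Added example (not from the original post): verifying both layers of
-- access for role b on schema a.  Assumes roles a and b and tables
-- a.t1 / a.t2 as created in the session above.

-- 1. Does b have USAGE on the schema?  Without it, resolving the name a.t1
--    fails with "permission denied for schema a" before any table ACL is
--    consulted.
SELECT has_schema_privilege('b', 'a', 'USAGE') AS schema_usage;

-- 2. Does b have SELECT on each table in the schema?  USAGE on the schema
--    says nothing about this; the table ACL is a separate check.
SELECT c.relname,
       has_table_privilege('b', c.oid, 'SELECT') AS can_select
FROM   pg_class c
JOIN   pg_namespace n ON n.oid = c.relnamespace
WHERE  n.nspname = 'a'
  AND  c.relkind = 'r'
ORDER  BY c.relname;

-- 3. The raw table ACLs, as \dp would show them.  An entry "b=r/a" means
--    b may read (r), granted by a.
SELECT n.nspname, c.relname, c.relacl
FROM   pg_class c
JOIN   pg_namespace n ON n.oid = c.relnamespace
WHERE  n.nspname = 'a'
  AND  c.relkind = 'r'
ORDER  BY c.relname;

-- 4. The schema ACL.  An entry "b=U/a" means USAGE granted to b by a.
SELECT nspname, nspacl
FROM   pg_namespace
WHERE  nspname = 'a';
```

Running queries 1 and 2 before and after each GRANT in the session reproduces its results: after only the table grants, query 1 returns false and the SELECT fails; after GRANT USAGE ON SCHEMA, both return true for t1 and t2. A table created later (t3 above) shows up in query 2 as can_select = false until it is granted or covered by a default privilege.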

  

Now a creates another new table:

postgres=> \c postgres a
You are now connected to database "postgres" as user "a".
postgres=> create table t3 as select * from t1;
SELECT 1
postgres=> \d
               List of relations
 Schema |      Name      |   Type   |  Owner   
--------+----------------+----------+----------
 public | t1             | table    | a
 public | t2             | table    | a
 public | t3             | table    | a
(3 rows)

postgres=>

Try again to access table t3 as b:

postgres=> \c postgres b
You are now connected to database "postgres" as user "b".
postgres=> select count(*) from a.t3;
ERROR:  permission denied for table a.t3
postgres=>

Now modify the default privileges:

postgres=> \c postgres a
You are now connected to database "postgres" as user "a".
postgres=# alter default privileges in schema a grant select on tables to b;
ALTER DEFAULT PRIVILEGES
postgres=#

So can b access table t3 now?

postgres=# \c postgres b
You are now connected to database "postgres" as user "b".
postgres=> select count(*) from a.t3;
ERROR:  permission denied for table a.t3
postgres=>

Still not: changing the default privileges only affects objects created after the change; existing objects are untouched.

Now user a creates table t4:

postgres=# \c postgres a
You are now connected to database "postgres" as user "a".
postgres=> create table t4 as select from t1;
SELECT 1
postgres=>

Check again whether b can query table t4:

postgres=> \c postgres b
You are now connected to database "postgres" as user "b".
postgres=> select count(*) from a.t4;
 count 
-------
     1
(1 row)

postgres=> 
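The pattern the session arrives at, written out end to end as an added example (this is not code from the original post): USAGE on the schema, an explicit GRANT for the objects that already exist, and ALTER DEFAULT PRIVILEGES for the objects a will create later. It assumes roles a and b and schema a as set up above, is meant to be run as the owner a, and uses a hypothetical new table t5. Two caveats worth knowing: default privileges are scoped to the role that will create the objects (FOR ROLE, which defaults to the role running the statement), so a superuser running it without FOR ROLE changes nothing for tables that a creates; and, as t3 showed above, they apply only to future objects, which is why the GRANT ... ON ALL TABLES IN SCHEMA step is still needed.

```sql
-- Added example (not from the original post).  Run as the object owner a.
-- Assumes roles a and b and schema a from the session above; t5 is a
-- hypothetical new table used only to show the effect.

-- Step 1: the schema itself.  USAGE lets b resolve names in schema a and
-- grants nothing on the objects inside it.
GRANT USAGE ON SCHEMA a TO b;

-- Step 2: objects that already exist (t1..t4).  ALTER DEFAULT PRIVILEGES
-- never touches these, so they need an explicit grant.
GRANT SELECT ON ALL TABLES IN SCHEMA a TO b;

-- Step 3: objects a creates later in schema a.  FOR ROLE a is already the
-- default when a runs this; it is spelled out so the scope is visible.
ALTER DEFAULT PRIVILEGES FOR ROLE a IN SCHEMA a
    GRANT SELECT ON TABLES TO b;

-- Verify: a new table gets b=r/a in its ACL with no further GRANT.
CREATE TABLE a.t5 AS SELECT * FROM a.t1;
SELECT relacl FROM pg_class WHERE oid = 'a.t5'::regclass;

-- Audit: which default ACLs are in force, for which creating role, in which
-- schema?  This is what \ddp shows; review it to see who will gain access
-- to objects that do not exist yet.  defaclobjtype: r = tables/views,
-- S = sequences, f = functions, T = types, n = schemas.
SELECT pg_get_userbyid(d.defaclrole) AS for_role,
       n.nspname                     AS in_schema,   -- NULL = whole database
       d.defaclobjtype               AS objtype,
       d.defaclacl
FROM   pg_default_acl d
LEFT   JOIN pg_namespace n ON n.oid = d.defaclnamespace;

-- Undo: dropping the default stops future grants only.  Tables created
-- while it was in force keep their ACL until revoked explicitly.
ALTER DEFAULT PRIVILEGES FOR ROLE a IN SCHEMA a
    REVOKE SELECT ON TABLES FROM b;
REVOKE SELECT ON ALL TABLES IN SCHEMA a FROM b;
```

The pg_default_acl query is the one to run when reviewing a database for standing access: a default privilege granted once keeps handing out rights on every future table without any further GRANT appearing in logs or scripts, so it should be listed alongside the explicit grants whenever privileges are audited.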

  

 


 
粵ICP備18138465號   © 2018-2025 CODEPRJ.COM