PG數據庫


創建用戶/角色

-- Custom sort order: the listed FileType codes come first, in the order
-- given; anything else (including NULL, which matches no WHEN) sorts last.
ORDER BY
    CASE FileType
        WHEN '00' THEN 1
        WHEN '07' THEN 2
        WHEN '02' THEN 3
        WHEN '03' THEN 4
        ELSE 5
    END

MySQL 中常用 FIELD() 達到同樣效果，但 PostgreSQL 沒有 FIELD() 函數；而且 FIELD() 對未列出的值回傳 0（排在最前），與上面 CASE 的 ELSE 5（排在最後）行為並不相同：

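-- PostgreSQL has no FIELD(). MySQL's
--   ORDER BY FIELD(FileType, '00','07','02','03')
-- is written with array_position() (PostgreSQL 9.5+): unlisted values yield
-- NULL, and NULLS LAST puts them after the listed ones, matching ELSE 5 above
-- (MySQL's FIELD() would return 0 and sort them FIRST).
-- "FileType" in double quotes is case-sensitive and only matches a column
-- created with exactly that quoted spelling; otherwise write filetype unquoted.
ORDER BY array_position(ARRAY['00', '07', '02', '03'], "FileType") NULLS LAST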

 

COALESCE(a, b, ...) 回傳第一個非 NULL 的參數，是 SQL 標準寫法；MySQL 的 IFNULL(a, b) 只接受兩個參數，PostgreSQL 沒有 IFNULL，請一律使用 COALESCE。

 

CREATE USER/ROLE name [ [ WITH ] option [ ... ] ]  : 關鍵詞 USER,ROLE; name 用戶或角色名; 

where option can be:

      SUPERUSER | NOSUPERUSER      :超級權限,繞過所有權限檢查(含 RLS),默認nosuperuser。只有 superuser 才能建立 superuser;這是危險屬性,只在確實需要時使用,日常帳號與應用程式帳號不應擁有。
    | CREATEDB | NOCREATEDB        :建庫權限,默認nocreatedb。
    | CREATEROLE | NOCREATEROLE    :建角色權限,可創建、修改、刪除(非 superuser 的)角色,默認nocreaterole。注意:CREATEROLE 角色可以建立擁有自己沒有的屬性(如 CREATEDB)的角色,並可修改其他非 superuser 角色的密碼與成員資格,官方文件(PostgreSQL 15 及之前)將其視為「接近 superuser」的權限,應謹慎授予。
    | INHERIT | NOINHERIT          :繼承權限,決定此角色是否自動使用其所屬角色(透過 GRANT role TO this_role 加入)的物件權限,默認inherit;NOINHERIT 時需先 SET ROLE 才能使用。注意:角色屬性(SUPERUSER、CREATEDB、CREATEROLE、LOGIN 等)永遠不會被繼承,只有物件權限會。
    | LOGIN | NOLOGIN              :登錄權限,作為連接的用戶,默認nologin,除非是create user(默認登錄)。
    | REPLICATION | NOREPLICATION  :復制權限,用於物理或邏輯復制(可讀取完整 WAL、創建和刪除 replication slots),默認是noreplication。這是非常高的權限,只應授予專門用於復制的角色,不要給應用程式帳號。
    | BYPASSRLS | NOBYPASSRLS      :是否繞過所有列級安全策略(RLS),默認nobypassrls;superuser 一律繞過 RLS。
    | CONNECTION LIMIT connlimit   :限制用戶並發數,默認-1,不限制。正常連接會受限制,后台連接和prepared事務不受限制。
    | [ ENCRYPTED ] PASSWORD 'password' | PASSWORD NULL :設置密碼,密碼僅用於有login屬性的用戶,不使用密碼身份驗證,則可以省略此選項。可以選擇將空密碼顯式寫為PASSWORD NULL(PostgreSQL 10 起,PASSWORD '' 也會被視為 NULL,即該角色無法再用密碼登入)。
                                                         ENCRYPTED 關鍵字已無作用,僅為向後相容保留;雜湊方法由配置參數 password_encryption 決定(PostgreSQL 14 起默認 scram-sha-256,之前默認 md5,建議明確設為 scram-sha-256),密碼始終以雜湊形式存儲在系統目錄中。注意:密碼以明文寫在 SQL 語句中會明文傳送到伺服器,並可能被記錄在伺服器日誌(log_statement)及 psql 歷史中,建議改用 psql 的 \password 交互式設定。
    | VALID UNTIL 'timestamp'      :密碼有效期時間,不設置則永不失效。注意只在密碼認證時檢查:過期後角色本身不會被停用,透過 trust、peer、cert 等不依賴密碼的認證方式仍可連線。
    | IN ROLE role_name [, ...]    :新角色將立即添加為新成員。
    | IN GROUP role_name [, ...]   :同上
    | ROLE role_name [, ...]       :ROLE子句列出一個或多個現有角色,這些角色自動添加為新角色的成員。 (這實際上使新角色成為“組”)。
    | ADMIN role_name [, ...]      :與ROLE類似,但命名角色將添加到新角色WITH ADMIN OPTION,使他們有權將此角色的成員資格授予其他人。
    | USER role_name [, ...]       :ROLE 子句的過時寫法,作用與 ROLE 相同(不是 ADMIN)。
    | SYSID uid                    :被忽略,但是為向后兼容性而存在。

示例:

創建沒有密碼的可登錄角色test(是否需要密碼由 pg_hba.conf 的認證方式決定,而不是由角色決定:在要求密碼的 pg_hba 規則下,沒有密碼的角色無法登錄,只能透過 trust、peer、cert 等方式連接):



postgres=# CREATE ROLE test LOGIN;
CREATE ROLE

創建有密碥的用戶test1(示例中密碼與帳號相同僅為演示,實際環境請使用高強度隨機密碼;明文寫在 SQL 中的密碼會留在 psql 歷史與伺服器日誌,建議用 \password 設定):


postgres=# CREATE USER test1 WITH PASSWORD 'test1';
CREATE ROLE

和ROLE的區別是:USER帶LOGIN屬性。

創建有時間限制的用戶test2:


postgres=# CREATE ROLE test2 WITH LOGIN PASSWORD 'test2' VALID UNTIL '2020-06-30';
CREATE ROLE

創建有創建數據庫和管理角色權限的角色admin(注意:CREATE ROLE 默認 NOLOGIN,下面這個 admin 不能直接登錄;CREATEROLE 可修改其他非 superuser 角色及其密碼,屬於接近 superuser 的高權限,應謹慎授予):


postgres=# CREATE ROLE admin WITH CREATEDB CREATEROLE;
CREATE ROLE

注意:擁有創建數據庫、角色權限的用戶,也可以刪除和修改這些對象,包括修改、刪除其他非 superuser 角色及重設其密碼,因此應把 CREATEROLE 視為高權限屬性。

創建具有超級權限的用戶:admin(上面已經創建過 admin 角色,再執行下面語句會報 role "admin" already exists,實際應換名或改用 ALTER ROLE admin WITH SUPERUSER LOGIN PASSWORD '...';'admin' 這類密碼僅為演示,切勿在生產使用)


 postgres=# CREATE ROLE admin WITH SUPERUSER LOGIN PASSWORD 'admin';
CREATE ROLE

創建復制賬號:repl(REPLICATION 是高權限,只給專用復制帳號,並在 pg_hba.conf 中用 replication 數據庫項限制其來源地址)


postgres=# CREATE USER repl REPLICATION LOGIN ENCRYPTED PASSWORD 'repl';
CREATE ROLE

其他說明


 創建復制用戶
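-- Dedicated replication role. REPLICATION is a very high privilege (it can
-- stream the whole WAL and create/drop replication slots): give it only to the
-- role that actually replicates, never to application users, and restrict its
-- source addresses in pg_hba.conf ("replication" database entries).
-- The original created "abc" twice (the second CREATE fails with "role already
-- exists") and used PASSWORD '' -- an empty string sets the password to NULL
-- (PostgreSQL 10+), which silently disables password authentication.
-- A password literal in SQL is sent in cleartext and may be recorded in the
-- server log and psql history; prefer psql's \password to set it interactively.
CREATE ROLE abc WITH REPLICATION LOGIN PASSWORD '<strong-random-password>';

-- Rotate an existing role's password. ENCRYPTED is accepted for backwards
-- compatibility but has no effect; the hash algorithm is chosen by
-- password_encryption (use scram-sha-256, the default since PostgreSQL 14).
ALTER ROLE work WITH PASSWORD '<strong-random-password>';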

創建 schema 的擁有者角色(owner)
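-- Owner role for the "abc" database and schema. CREATE ROLE defaults to
-- NOLOGIN, so this role cannot connect by itself: it only owns objects.
CREATE ROLE abc;
CREATE DATABASE abc WITH OWNER abc ENCODING 'UTF8' TEMPLATE template0;
\c abc

-- Application schema, owned by the owner role (AUTHORIZATION replaces the
-- separate ALTER SCHEMA ... OWNER TO step). Running this requires membership
-- in "abc" or superuser.
CREATE SCHEMA abc AUTHORIZATION abc;

-- Before PostgreSQL 15 every role (PUBLIC) may CREATE in schema "public";
-- take that away so only the owner decides where objects go. This is
-- per-database and must be repeated in every database that needs it.
REVOKE CREATE ON SCHEMA public FROM PUBLIC;

-- The original then ran: CREATE USER abc (fails, role "abc" already exists),
-- GRANT abc TO abc (a role cannot be a member of itself) and
-- ALTER ROLE abc WITH abc (syntax error), all with PASSWORD '' which sets
-- the password to NULL and disables password login.
-- Two sane options instead:
--   (A) keep "abc" NOLOGIN and let a login user act as owner for migrations:
--       GRANT abc TO <login_user>;   -- then SET ROLE abc when needed
--   (B) let the owner log in directly, with a real password (used here):
ALTER ROLE abc WITH LOGIN PASSWORD '<strong-random-password>';
-- Day-to-day read/write and read-only access should go through separate
-- login users that are members of group roles, not through the owner.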

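-- Group roles (NOLOGIN by default): privileges are granted to these, and the
-- login users below join them. The original granted most privileges to the
-- owner "abc" (redundant: the owner already has them) instead of to the
-- groups, and gave only abc_rw database/schema access.
CREATE ROLE abc_rw;   -- read/write
CREATE ROLE abc_rr;   -- read-only

-- Both groups must be able to reach the database and the schema. Without
-- USAGE on the schema a role cannot resolve schema_name.table at all, let
-- alone via search_path.
GRANT CONNECT ON DATABASE abc TO abc_rw, abc_rr;
GRANT USAGE ON SCHEMA abc TO abc_rw, abc_rr;

-- Read/write: DML on existing tables plus sequence access. USAGE covers
-- nextval/currval, SELECT covers currval; UPDATE (setval) is deliberately
-- not granted -- the original's ALL PRIVILEGES on sequences was wider than
-- an application needs.
GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA abc TO abc_rw;
GRANT USAGE, SELECT ON ALL SEQUENCES IN SCHEMA abc TO abc_rw;

-- Read-only: SELECT on existing tables.
GRANT SELECT ON ALL TABLES IN SCHEMA abc TO abc_rr;

-- Default privileges for objects created in the FUTURE. They apply only to
-- objects created by the role named in FOR ROLE (here the owner "abc");
-- without FOR ROLE they would apply only to objects created by whoever runs
-- this statement, which is why the original's defaults often "did nothing".
-- Running this requires membership in "abc" or superuser.
ALTER DEFAULT PRIVILEGES FOR ROLE abc IN SCHEMA abc
    GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO abc_rw;
ALTER DEFAULT PRIVILEGES FOR ROLE abc IN SCHEMA abc
    GRANT USAGE, SELECT ON SEQUENCES TO abc_rw;
ALTER DEFAULT PRIVILEGES FOR ROLE abc IN SCHEMA abc
    GRANT SELECT ON TABLES TO abc_rr;

-- Login users. The original used PASSWORD '', which sets the password to NULL
-- (PostgreSQL 10+) and makes password login impossible. Use real secrets,
-- preferably set with psql's \password so they stay out of logs and history.
CREATE ROLE abc_w WITH LOGIN PASSWORD '<strong-random-password>';
CREATE ROLE abc_r WITH LOGIN PASSWORD '<strong-random-password>';

-- Membership: with the default INHERIT the users automatically exercise the
-- group's object privileges. Role attributes are never inherited.
GRANT abc_rw TO abc_w;
GRANT abc_rr TO abc_r;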

授權,定義訪問權限



GRANT { { SELECT | INSERT | UPDATE | DELETE | TRUNCATE | REFERENCES | TRIGGER }
    [, ...] | ALL [ PRIVILEGES ] }
    ON { [ TABLE ] table_name [, ...]
         | ALL TABLES IN SCHEMA schema_name [, ...] }
    TO role_specification [, ...] [ WITH GRANT OPTION ]

-- Single table: let role "test" read and modify table t1 in schema test.
GRANT SELECT, INSERT, UPDATE, DELETE ON test.t1 TO test;
-- Every table that currently exists in the schema. Tables created later are
-- not covered; use ALTER DEFAULT PRIVILEGES for those.
GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA test TO test;


GRANT { { SELECT | INSERT | UPDATE | REFERENCES } ( column_name [, ...] )
    [, ...] | ALL [ PRIVILEGES ] ( column_name [, ...] ) }
    ON [ TABLE ] table_name [, ...]
    TO role_specification [, ...] [ WITH GRANT OPTION ]

-- Column-level grant: "test" may UPDATE only column name of test.t1.
GRANT UPDATE (name) ON test.t1 TO test;
-- Different privileges per column on the same table: read and update
-- name/id, insert name only (other columns receive their defaults).
GRANT SELECT (name, id), UPDATE (name, id), INSERT (name) ON test.t1 TO test;


GRANT { { USAGE | SELECT | UPDATE }
    [, ...] | ALL [ PRIVILEGES ] }
    ON { SEQUENCE sequence_name [, ...]
         | ALL SEQUENCES IN SCHEMA schema_name [, ...] }
    TO role_specification [, ...] [ WITH GRANT OPTION ]

-- One sequence: SELECT allows currval, UPDATE allows nextval and setval.
-- For a plain auto-increment column USAGE alone (nextval/currval, no setval)
-- is the smaller grant; see the synopsis above.
GRANT SELECT, UPDATE ON SEQUENCE test.seq_id_seq TO test;
-- All sequences that currently exist in the schema.
GRANT SELECT, UPDATE ON ALL SEQUENCES IN SCHEMA test TO test;


GRANT { { CREATE | CONNECT | TEMPORARY | TEMP } [, ...] | ALL [ PRIVILEGES ] }
    ON DATABASE database_name [, ...]
    TO role_specification [, ...] [ WITH GRANT OPTION ]

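-- Let role "test" connect to database testdb. The original had the two names
-- swapped (ON DATABASE test TO testdb), i.e. it granted on a database named
-- "test" to a role named "testdb". CONNECT is checked at connection start.
-- New databases grant CONNECT to PUBLIC by default, so this only restricts
-- anything after: REVOKE CONNECT ON DATABASE testdb FROM PUBLIC;
GRANT CONNECT ON DATABASE testdb TO test;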


GRANT { USAGE | ALL [ PRIVILEGES ] }
    ON DOMAIN domain_name [, ...]
    TO role_specification [, ...] [ WITH GRANT OPTION ]

##
GRANT { USAGE | ALL [ PRIVILEGES ] }
    ON FOREIGN DATA WRAPPER fdw_name [, ...]
    TO role_specification [, ...] [ WITH GRANT OPTION ]
##

GRANT { USAGE | ALL [ PRIVILEGES ] }
    ON FOREIGN SERVER server_name [, ...]
    TO role_specification [, ...] [ WITH GRANT OPTION ]
##
GRANT { EXECUTE | ALL [ PRIVILEGES ] }
    ON { { FUNCTION | PROCEDURE | ROUTINE } routine_name [ ( [ [ argmode ] [ arg_name ] arg_type [, ...] ] ) ] [, ...]
         | ALL { FUNCTIONS | PROCEDURES | ROUTINES } IN SCHEMA schema_name [, ...] }
    TO role_specification [, ...] [ WITH GRANT OPTION ]
##


GRANT { USAGE | ALL [ PRIVILEGES ] }
    ON LANGUAGE lang_name [, ...]
    TO role_specification [, ...] [ WITH GRANT OPTION ]
##

GRANT { { SELECT | UPDATE } [, ...] | ALL [ PRIVILEGES ] }
    ON LARGE OBJECT loid [, ...]
    TO role_specification [, ...] [ WITH GRANT OPTION ]##

GRANT { { CREATE | USAGE } [, ...] | ALL [ PRIVILEGES ] }
    ON SCHEMA schema_name [, ...]
    TO role_specification [, ...] [ WITH GRANT OPTION ]

-- Schema access: USAGE lets "demo" look up objects inside schema test. It
-- still needs privileges on each table/sequence to actually read or write it.
GRANT USAGE ON SCHEMA test TO demo;

GRANT { CREATE | ALL [ PRIVILEGES ] }
    ON TABLESPACE tablespace_name [, ...]
    TO role_specification [, ...] [ WITH GRANT OPTION ]

GRANT { USAGE | ALL [ PRIVILEGES ] }
    ON TYPE type_name [, ...]
    TO role_specification [, ...] [ WITH GRANT OPTION ]

where role_specification can be:

    [ GROUP ] role_name
  | PUBLIC
  | CURRENT_USER
  | SESSION_USER

GRANT role_name [, ...] TO role_name [, ...] [ WITH ADMIN OPTION ]
-- Role membership: "demo" becomes a member of "test". With the default
-- INHERIT it automatically uses test's object privileges (or it can
-- SET ROLE test). Role attributes such as LOGIN, CREATEDB or SUPERUSER are
-- not passed on this way.
GRANT test TO demo;

權限說明:

SELECT:允許從指定表,視圖或序列的任何列或列出的特定列進行SELECT。也允許使用COPY TO。在UPDATE或DELETE中引用現有列值也需要此權限。對於序列,此權限還允許使用currval函數。對於大對象,此權限允許讀取對象。

INSERT:允許將新行INSERT到指定的表中。如果列出了特定列,則只能在INSERT命令中為這些列分配(因此其他列將接收默認值)。也允許COPY FROM。

UPDATE:允許更新指定表的任何列或列出的特定列。實務上任何非平凡的 UPDATE(帶 WHERE 條件或引用既有列值)同時需要 SELECT 權限。

DELETE:允許刪除指定表中的行。實務上任何非平凡的 DELETE(帶 WHERE 條件)同時需要 SELECT 權限。

TRUNCATE:允許對指定表執行 TRUNCATE(清空整張表,且不觸發 ON DELETE 觸發器)。

REFERENCES:允許創建引用指定表或表的指定列的外鍵約束。

TRIGGER:允許在指定的表上創建觸發器。

CREATE:對於數據庫,允許在數據庫中創建新的 schema(以及 publication;PostgreSQL 13 起還可安裝受信任的擴展);對於 schema,允許在其中創建對象(table、index 等);對於表空間,允許在其中創建表、索引等。

CONNECT:允許用戶連接到指定的數據庫。在連接啟動時檢查此權限。

TEMPORARY、TEMP:允許在使用指定數據庫時創建臨時表。

EXECUTE:允許調用指定的函數或過程,包括透過以該函數實現的運算符調用;這是唯一適用於函數和過程的權限類型。

USAGE:對於schema,允許訪問(查找)指定模式中包含的對象,但對象本身仍需各自的權限;對於sequence,允許使用currval和nextval函數;對於類型和域,允許在創建表、函數和其他模式對象時使用該類型或域;對於過程語言、外部數據包裝器和外部服務器,允許使用它們。

ALL PRIVILEGES:一次授予該對象類型所有可用權限。實務上應遵循最小權限原則,只授予實際需要的權限,避免對應用帳號使用 ALL。

用戶授權官方英文文檔地址 https://www.postgresql.org/docs/12/sql-grant.html
用戶授權官方中文文檔地址 http://www.postgres.cn/docs/11/sql-grant.html

撤銷權限


REVOKE [ GRANT OPTION FOR ]
   { { SELECT | INSERT | UPDATE | DELETE | TRUNCATE | REFERENCES | TRIGGER }
   [, ...] | ALL [ PRIVILEGES ] }
   ON { [ TABLE ] table_name [, ...]
        | ALL TABLES IN SCHEMA schema_name [, ...] }
   FROM { [ GROUP ] role_name | PUBLIC } [, ...]
   [ CASCADE | RESTRICT ]

-- Take SELECT away from "test" on every existing table in schema test.
-- Only grants made by the executing role (or roles it belongs to) are
-- removed; the same privilege granted by someone else stays in place.
REVOKE SELECT ON ALL TABLES IN SCHEMA test FROM test;


REVOKE [ GRANT OPTION FOR ]
   { { SELECT | INSERT | UPDATE | REFERENCES } ( column_name [, ...] )
   [, ...] | ALL [ PRIVILEGES ] ( column_name [, ...] ) }
   ON [ TABLE ] table_name [, ...]
   FROM { [ GROUP ] role_name | PUBLIC } [, ...]
   [ CASCADE | RESTRICT ]

-- Revoke read access to column id of test.t1 from "test".
-- This removes only a column-level grant: if "test" still holds table-level
-- SELECT on test.t1 it can still read id (PostgreSQL may warn about this).
REVOKE SELECT (id) ON test.t1 FROM test;


REVOKE [ GRANT OPTION FOR ]
   { { USAGE | SELECT | UPDATE }
   [, ...] | ALL [ PRIVILEGES ] }
   ON { SEQUENCE sequence_name [, ...]
        | ALL SEQUENCES IN SCHEMA schema_name [, ...] }
   FROM { [ GROUP ] role_name | PUBLIC } [, ...]
   [ CASCADE | RESTRICT ]
##序列


REVOKE [ GRANT OPTION FOR ]
   { { CREATE | CONNECT | TEMPORARY | TEMP } [, ...] | ALL [ PRIVILEGES ] }
   ON DATABASE database_name [, ...]
   FROM { [ GROUP ] role_name | PUBLIC } [, ...]
   [ CASCADE | RESTRICT ]
##庫


REVOKE [ GRANT OPTION FOR ]
   { USAGE | ALL [ PRIVILEGES ] }
   ON DOMAIN domain_name [, ...]
   FROM { [ GROUP ] role_name | PUBLIC } [, ...]
   [ CASCADE | RESTRICT]
##


REVOKE [ GRANT OPTION FOR ]
   { USAGE | ALL [ PRIVILEGES ] }
   ON FOREIGN DATA WRAPPER fdw_name [, ...]
   FROM { [ GROUP ] role_name | PUBLIC } [, ...]
   [ CASCADE | RESTRICT]
##

REVOKE [ GRANT OPTION FOR ]
   { USAGE | ALL [ PRIVILEGES ] }
   ON FOREIGN SERVER server_name [, ...]
   FROM { [ GROUP ] role_name | PUBLIC } [, ...]
   [ CASCADE | RESTRICT]
##


REVOKE [ GRANT OPTION FOR ]
   { EXECUTE | ALL [ PRIVILEGES ] }
   ON { { FUNCTION | PROCEDURE | ROUTINE } function_name [ ( [ [ argmode ] [ arg_name ] arg_type [, ...] ] ) ] [, ...]
        | ALL { FUNCTIONS | PROCEDURES | ROUTINES } IN SCHEMA schema_name [, ...] }
   FROM { [ GROUP ] role_name | PUBLIC } [, ...]
   [ CASCADE | RESTRICT ]
##
REVOKE [ GRANT OPTION FOR ]
   { USAGE | ALL [ PRIVILEGES ] }
   ON LANGUAGE lang_name [, ...]
   FROM { [ GROUP ] role_name | PUBLIC } [, ...]
   [ CASCADE | RESTRICT ]
##


REVOKE [ GRANT OPTION FOR ]
   { { SELECT | UPDATE } [, ...] | ALL [ PRIVILEGES ] }
   ON LARGE OBJECT loid [, ...]
   FROM { [ GROUP ] role_name | PUBLIC } [, ...]
   [ CASCADE | RESTRICT ]
##


REVOKE [ GRANT OPTION FOR ]
   { { CREATE | USAGE } [, ...] | ALL [ PRIVILEGES ] }
   ON SCHEMA schema_name [, ...]
   FROM { [ GROUP ] role_name | PUBLIC } [, ...]
   [ CASCADE | RESTRICT ]
##schema權限


REVOKE [ GRANT OPTION FOR ]
   { CREATE | ALL [ PRIVILEGES ] }
   ON TABLESPACE tablespace_name [, ...]
   FROM { [ GROUP ] role_name | PUBLIC } [, ...]
   [ CASCADE | RESTRICT ]
##


REVOKE [ GRANT OPTION FOR ]
   { USAGE | ALL [ PRIVILEGES ] }
   ON TYPE type_name [, ...]
   FROM { [ GROUP ] role_name | PUBLIC } [, ...]
   [ CASCADE | RESTRICT ]
##
REVOKE [ ADMIN OPTION FOR ]
   role_name [, ...] FROM role_name [, ...]
   [ CASCADE | RESTRICT ]

注意:PostgreSQL 15 之前,所有角色(PUBLIC)對 public schema 默認擁有 CREATE 與 USAGE 權限(並非 ALL),任何能連接的用戶都能在 public 下建表;為了安全可以收回 PUBLIC 對 public schema 的 CREATE 權限(PostgreSQL 15 起默認已不再授予)。此操作是針對單個數據庫的,需要在每個數據庫中執行(或在創建新庫前先在 template1 中執行)。

 ##移除所有用戶(public),superuser除外,對指定DB下的public schema的create 權限。
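-- Remove CREATE on schema public from PUBLIC (every role) in the current
-- database; superusers and the schema owner are unaffected. Repeat in each
-- database (or in template1 before creating new ones). From PostgreSQL 15 on
-- public no longer grants CREATE to PUBLIC, so there this is a no-op.
-- (The original line used "##", which is not a valid SQL comment.)
REVOKE CREATE ON SCHEMA public FROM PUBLIC;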

