在PG中,角色與用戶的概念比較模糊,可以認為帶LOGIN屬性的role就是用戶. #創建role
帶了login屬性.就可以登錄數據庫.
-
postgres= # create role role1;
-
CREATE ROLE
-
postgres= # \c - role1
-
FATAL: role "role1" is not permitted to log in
-
Previous connection kept
-
postgres= # alter role role1 login;
-
ALTER ROLE
-
postgres= # \c - role1
-
You are now connected to database "postgres" as user "role1".
create user role1 與create role role1 login 是等價的,避免混淆,我只記create role方式.
role的系統視圖是pg_roles
-
postgres => select rolname,rolsuper,rolcanlogin from pg_roles;
-
rolname | rolsuper | rolcanlogin
-
----------+----------+-------------
-
postgres | t | t
-
hippo | f | t
-
user2 | f | t
-
user1 | t | t
-
role1 | f | t
在使用initdb初始化cluster時,默認會創建一個superuser,名字是將執行initdb命令的操作系統用戶一樣的用戶,通常叫postgres
命令行工具如psql,pg_dump等都需要指定連接用戶及連接數據庫.默認用戶是操作系統用戶,默認數據庫名字跟連接用戶名保持一致.
指定數據庫名字
-
[postgres@fnddb ~]$ psql -d database1
-
psql ( 9.4.1)
-
Type "help" for help.
-
-
database1= # \c
-
You are now connected to database "database1" as user "postgres".
指定用戶名
-
[postgres @fnddb ~]$ psql -U role1 --不指定數據庫名字,默認數據庫跟用戶名一致,所以找不到
-
psql: FATAL: database "role1" does not exist
role屬性
可以認為是這個用戶所具有的系統權限.
- LOGIN --具有登錄權限
- SUPERUSER --超級用戶,具有所有系統權限,除了登錄驗證
- CREATEDB --創建數據庫權限
- CREATEROLE --創建role權限
- PASSWORD --設置密碼
修改屬性
-
postgres =# create role role2 login;
-
CREATE ROLE
-
-
postgres =# select * from pg_user where usename = 'role2';
-
usename | usesysid | usecreatedb | usesuper | usecatupd | userepl | passwd | valuntil | useconfig
-
---------+----------+-------------+----------+-----------+---------+----------+----------+-----------
-
role2 | 16494 | f | f | f | f | ******** | |
-
(1 row)
-
-
postgres =# alter role role2 createdb createrole password 'rolepasswd';
-
ALTER ROLE
-
postgres =# \du role2
-
List of roles
-
Role name | Attributes | Member of
-
-----------+------------------------+-----------
-
role2 | Create role, Create DB | {}
-
-
postgres =# alter role role2 nocreatedb nocreaterole superuser;
-
ALTER ROLE
-
postgres =# \du role2
-
List of roles
-
Role name | Attributes | Member of
-
-----------+------------+-----------
-
role2 | Superuser | {}
#role的參數 可以修改用戶的參數,來影響某用戶操作數據庫的特殊行為.這部分在講服務器參數修改時已提及.
-
postgres =# alter role role2 set enable_indexscan = f;
-
ALTER ROLE
#role membership(role 成員) 為了管理上的方便,我們可以創建一個role group,然后可以將各用戶或者有特殊權限的role組織在一起,各個role就是這個role group的membership.
role group 是不帶login的role,因為pg使用role來表示所有的角色,用戶,用戶組,所以不要混淆,創建語句都是create role.我們來測試一下.
我們創建一個用戶,兩個角色,分別有直屬一個表的查詢權限
-
postgres =# create role jack login inherit;
-
CREATE ROLE
-
postgres =# create role r1;
-
CREATE ROLE
-
postgres =# create role r2;
-
CREATE ROLE
-
postgres =# \c database1
-
You are now connected to database "database1" as user "postgres".
-
database1 =# create table tab1(id text);
-
CREATE TABLE
-
database1 =# create table tab2(id text);
-
CREATE TABLE
-
database1 =# create table tab3 (id text);
-
CREATE TABLE
-
database1 =# grant select on tab1 to r1;
-
GRANT
-
database1 =# grant select on tab2 to r2;
-
GRANT
-
database1 =# grant select on tab3 to jack;
-
GRANT
進行grant授權,使jack成為r1,r2的membership
-
database1 =# grant r1 to jack;
-
GRANT ROLE
-
database1 =# grant r2 to jack;
-
GRANT ROLE
-
database1 =# grant usage on schema public to public; --授權usage給所有用戶(后一個public),否則看不到數據庫中的表.
-
GRANT
測試角色切換
jack繼承了r1,r2的權限
-
database1 =# \c - jack
-
You are now connected to database "database1" as user "jack".
-
database1 => select * from tab3;
-
id
-
----
-
( 0 rows)
-
-
database1 => select * from tab1;
-
id
-
----
-
( 0 rows)
-
-
database1 => select * from tab2;
-
id
-
----
-
( 0 rows)
間接繼承的也可以
-
database1 => \c - postgres
-
You are now connected to database "database1" as user "postgres".
-
database1 =# revoke r2 from jack;
-
REVOKE ROLE
-
database1 =# grant r2 to r1;
-
GRANT ROLE
-
database1 =# \c - jack;
-
You are now connected to database "database1" as user "jack".
-
database1 => select * from tab2;
-
id
-
----
-
( 0 rows)
關閉r1的繼承
-
database1 => \c - postgres
-
You are now connected to database "database1" as user "postgres".
-
database1 =# alter role r1 noinherit;
-
ALTER ROLE
-
database1 =# \c - jack;
-
You are now connected to database "database1" as user "jack".
-
database1 => select * from tab2; --已經查詢不了r2的權限
-
ERROR: permission denied for relation tab2
-
database1 => select * from tab1;
-
id
-
----
-
( 0 rows)
直接切換到r2角色,你已經不是jack了:)
-
database1 => set role r1;
-
SET
-
database1 => select * from tab1;
-
id
-
----
-
( 0 rows)
-
-
database1 => select * from tab2;
-
ERROR: permission denied for relation tab2
-
database1 => select * from tab3;
-
ERROR: permission denied for relation tab3
授權不能形成回路
-
database1=> \c - postgres
-
You are now connected to database "database1" as user "postgres".
-
database1= # \du
-
List of roles
-
Role name | Attributes | Member of
-
-----------+------------------------------------------------+-----------
-
hippo | | {}
-
jack | | {r1}
-
postgres | Superuser, Create role, Create DB, Replication | {}
-
r1 | No inheritance, Cannot login | {r2}
-
r2 | Cannot login | {}
-
user1 | Superuser, Create role, Create DB | {}
-
user2 | Create DB | {}
-
-
database1= # grant jack to r2;
-
ERROR: role "jack" is a member of role "r2"
系統權限任何時候都不會繼承,只有主動set過去才生效
-
database1 =# alter role r1 createrole;
-
ALTER ROLE
-
database1 =# \c - jack;
-
You are now connected to database "database1" as user "jack".
-
database1 => create role jacktest1;
-
ERROR: permission denied to create role
-
database1 => set role r1;
-
SET
-
database1 => create role jacktest1;
-
CREATE ROLE
三種方式還原到最初的jack角色
-
database1 => set role jack;
-
SET
-
database1 => set role none;
-
SET
-
database1 => reset role;
-
RESET
#角色刪除
在什么角色下建的對象,歸屬於哪個角色,而非登錄者
-
database1 => \c - postgres
-
You are now connected to database "database1" as user "postgres".
-
database1 =# grant create on database database1 to r1;
-
GRANT
-
database1 =# \c - jack
-
You are now connected to database "database1" as user "jack".
-
database1 => set role r1;
-
SET
-
database1 => create table tab4(id text);
-
CREATE TABLE
-
database1 => \dt tab4 --這里要注意:owner變成了r1而不是jack
-
List of relations
-
Schema | Name | Type | Owner
-
--------+------+-------+-------
-
public | tab4 | table | r1
-
( 1 row)
刪除role,role下有權限或者是對象屬於此role,則刪除不了
-
database1 => \c - postgres
-
You are now connected to database "database1" as user "postgres".
-
database1 =# drop role r1;
-
ERROR: role "r1" cannot be dropped because some objects depend on it
-
DETAIL: owner of table tab4
-
privileges for database database1
-
privileges for table tab1
移除掉相關權限關聯后進行刪除
-
database1 =# drop table tab1;
-
DROP TABLE
-
database1 =# drop table tab4;
-
DROP TABLE
-
database1 =# revoke create on database database1 from r1;
-
REVOKE
-
database1 =# drop role r1;
-
DROP ROLE
涉及到r1的成員或者是角色租(role group) 自動釋放
-
database1 =# \du
-
List of roles
-
Role name | Attributes | Member of
-
-----------+------------------------------------------------+-----------
-
hippo | | {}
-
jack | | {}
-
jacktest1 | Cannot login | {}
-
postgres | Superuser, Create role, Create DB, Replication | {}
-
r2 | Cannot login | {}
-
user1 | Superuser, Create role, Create DB | {}
-
user2 | Create DB | {}
#ROLE總結
- PG中的role包含了用戶,角色,角色組,成員等所有含義.都使用create role來創建.
- 一個role可以成為多個role的成員,根據role的inherit屬性來決定是否集成其他role的各種權限
- 繼承關系不能形成回路.
- role上的屬性如createdb,createrole不會直接繼承,需要顯式通過set role切換過去.
- 刪除role需要先清理此role關聯的各種權限.
//END
轉載於:https://my.oschina.net/hippora/blog/376733