pg (hgdb) privilege experiment
阿新 • Published: 2019-01-29
The statement that creates a user is:
CREATE ROLE guest LOGIN NOSUPERUSER INHERIT NOCREATEDB NOCREATEROLE NOREPLICATION;
Note that the role guest above has the LOGIN privilege, which is why it is called a user.
The statement that creates a role is:
CREATE ROLE "group" NOSUPERUSER INHERIT NOCREATEDB NOCREATEROLE NOREPLICATION;
Note that there is no LOGIN privilege here, so this is a role.
Neither of the CREATE statements above grants superuser, create-database or similar privileges.
How, then, are the privileges of a login user over database objects controlled?
The answer is to make the user a member of a role: the user then holds the role's privileges, which further restricts what the login user can do to database objects.
For example, grant the role group above to the user guest:
GRANT "group" TO guest;
After that, the user guest holds all the database-object privileges that the role group holds.
==============================================================================
highgo=# \c
You are now connected to database "highgo" as user "highgo".
highgo=# \du
List of roles
Role name | Attributes | Member of
-----------+------------------------------------------------+-----------
highgo | Superuser, Create role, Create DB, Replication | {}
highgo=# create schema a;
CREATE SCHEMA
highgo=# create schema b;
CREATE SCHEMA
highgo=# create role a login password 'highgo123';
CREATE ROLE
highgo=# create role b login password 'highgo123';
CREATE ROLE
highgo=# alter schema a owner to a;
ALTER SCHEMA
highgo=# alter schema b owner to b;
ALTER SCHEMA
highgo=# create table a.test (id int);
CREATE TABLE
highgo=# insert into a.test values (1);
INSERT 0 1
highgo=# create table b.test (id int);
CREATE TABLE
highgo=# insert into b.test values (2);
INSERT 0 1
highgo=> \c
You are now connected to database "highgo" as user "a".
highgo=> select * from test;
錯誤: 對關係 test 許可權不夠
highgo=> select * from a.test;
錯誤: 對關係 test 許可權不夠
highgo=> select * from b.test;
錯誤: 對模式 b 許可權不夠
LINE 1: select * from b.test;
^
highgo=# \c
You are now connected to database "highgo" as user "highgo".
highgo=# grant select on a.test to a;
GRANT
highgo=> \c
You are now connected to database "highgo" as user "a".
highgo=> select * from a.test;
id
----
1
(1 row)
highgo=> \c
You are now connected to database "highgo" as user "b".
highgo=> select * from a.test;
錯誤: 對模式 a 許可權不夠
LINE 1: select * from a.test;
^
highgo=# \c
You are now connected to database "highgo" as user "highgo".
highgo=# grant select on b.test to b;
GRANT
highgo=> \c
You are now connected to database "highgo" as user "a".
highgo=> select * from b.test;
錯誤: 對模式 b 許可權不夠
LINE 1: select * from b.test;
^
highgo=> \c
You are now connected to database "highgo" as user "b".
highgo=> select * from b.test;
id
----
2
(1 row)
highgo=> \c
You are now connected to database "highgo" as user "a".
highgo=> \du
List of roles
Role name | Attributes | Member of
-----------+------------------------------------------------+-----------
a | | {}
b | | {}
highgo | Superuser, Create role, Create DB, Replication | {}
highgo=> \d
List of relations
Schema | Name | Type | Owner
----------------+----------------+-------+--------
a | test | table | highgo
oracle_catalog | dual | view | highgo
public | my_colors | table | highgo
public | myt | table | highgo
public | pg_buffercache | view | highgo
(5 rows)
highgo=> \c
You are now connected to database "highgo" as user "b".
highgo=> \du
List of roles
Role name | Attributes | Member of
-----------+------------------------------------------------+-----------
a | | {}
b | | {}
highgo | Superuser, Create role, Create DB, Replication | {}
highgo=> \du a
List of roles
Role name | Attributes | Member of
-----------+------------+-----------
a | | {}
highgo=> \du b
List of roles
Role name | Attributes | Member of
-----------+------------+-----------
b | | {}
highgo=> \d
List of relations
Schema | Name | Type | Owner
----------------+----------------+-------+--------
b | test | table | highgo
oracle_catalog | dual | view | highgo
public | my_colors | table | highgo
public | myt | table | highgo
public | pg_buffercache | view | highgo
(5 rows)
==============================================================================================
highgo=> \c
You are now connected to database "highgo" as user "a".
highgo=>
highgo=>
highgo=>
highgo=> create table atest (id int);
CREATE TABLE
highgo=> insert into atest values (3);
INSERT 0 1
highgo=> \du
List of roles
Role name | Attributes | Member of
-----------+------------------------------------------------+-----------
a | | {}
b | | {}
highgo | Superuser, Create role, Create DB, Replication | {}
highgo=> \d
List of relations
Schema | Name | Type | Owner
----------------+----------------+-------+--------
a | atest | table | a
a | test | table | highgo
oracle_catalog | dual | view | highgo
public | my_colors | table | highgo
public | myt | table | highgo
public | pg_buffercache | view | highgo
(6 rows)
highgo=> \c
You are now connected to database "highgo" as user "a".
highgo=> grant select on atest to b;
GRANT
highgo=> grant select on a.atest to b;
GRANT
highgo=> \c
You are now connected to database "highgo" as user "b".
highgo=> select * from a.atest;
錯誤: 對模式 a 許可權不夠
LINE 1: select * from a.atest;
^
highgo=# \c
You are now connected to database "highgo" as user "highgo".
highgo=# grant select on a.atest to b;
GRANT
highgo=> \c
You are now connected to database "highgo" as user "b".
highgo=> select * from a.atest;
錯誤: 對模式 a 許可權不夠
LINE 1: select * from a.atest;
^
highgo=# \c
You are now connected to database "highgo" as user "highgo".
highgo=# select * from atest;
錯誤: 關係 "atest" 不存在 第 15 個字元處
語句: select * from atest;
錯誤: 關係 "atest" 不存在
LINE 1: select * from atest;
^ ^
highgo=# select * from a.atest;
id
----
3
(1 row)
highgo=# \c
You are now connected to database "highgo" as user "highgo".
highgo=#
highgo=# revoke select on a.atest from a;
REVOKE
highgo=> \c
You are now connected to database "highgo" as user "a".
highgo=> select * from atest;
錯誤: 對關係 atest 許可權不夠
highgo=# \c
You are now connected to database "highgo" as user "highgo".
highgo=# grant select on a.atest to a;
GRANT
highgo=> \c
You are now connected to database "highgo" as user "a".
highgo=> select * from atest;
id
----
3
(1 row)
highgo=# \c
You are now connected to database "highgo" as user "highgo".
highgo=# grant select on all tables in schema a to b;
GRANT
highgo=> \c
You are now connected to database "highgo" as user "b".
highgo=> select * from b.test;
id
----
2
(1 row)
highgo=> select * from test;
id
----
2
(1 row)
highgo=> select * from a.test;
錯誤: 對模式 a 許可權不夠
LINE 1: select * from a.test;
^
highgo=>
In PostgreSQL, even after access privileges on the tables and functions in a schema have been granted to a role, that role still cannot access the tables or function objects in the schema unless it also holds the USAGE privilege on that schema.
highgo=> \c
You are now connected to database "highgo" as user "a".
highgo=> grant usage on schema a to b; *****************************************************
GRANT
highgo=> \c
You are now connected to database "highgo" as user "b".
highgo=> select * from a.test;
id
----
1
(1 row)
highgo=> \c
You are now connected to database "highgo" as user "b".
highgo=> select * from a.test;
id
----
1
(1 row)
highgo=> select * from a.atest;
id
----
3
(1 row)
highgo=# \c
You are now connected to database "highgo" as user "highgo".
highgo=# revoke select on a.atest from b;
REVOKE
Or, alternatively: revoke usage on schema a from b;
REVOKE
highgo=> \c
You are now connected to database "highgo" as user "b".
highgo=> select * from a.atest;
錯誤: 對關係 atest 許可權不夠
highgo=>
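The membership model from the introduction (privileges on a NOLOGIN role, a LOGIN user made a member of it) combined with the schema USAGE requirement that the transcript demonstrates, written out as one script. This is an added example, not part of the original post; the role names a_reader and app_user are assumed, and the script is meant to be run as the superuser against the experiment's schema a.

```sql
-- Added example (not from the original post). Run as the superuser (highgo in
-- the transcript). Roles a_reader and app_user are assumed names.

-- 1. A NOLOGIN role carries the privileges; a LOGIN role (a user) only
--    inherits them through membership, as in the guest / "group" pattern above.
CREATE ROLE a_reader NOLOGIN NOSUPERUSER INHERIT NOCREATEDB NOCREATEROLE NOREPLICATION;
CREATE ROLE app_user LOGIN NOSUPERUSER INHERIT NOCREATEDB NOCREATEROLE NOREPLICATION;

-- 2. Table privileges alone are not enough: without USAGE on the schema every
--    reference to a.* fails with the "對模式 a 許可權不夠" error seen above.
GRANT USAGE ON SCHEMA a TO a_reader;
GRANT SELECT ON ALL TABLES IN SCHEMA a TO a_reader;

-- 3. "ALL TABLES IN SCHEMA" covers only tables that exist right now. Tables that
--    role a creates later (the way a.atest was created in the transcript) are
--    covered by default privileges for objects created by role a in schema a.
ALTER DEFAULT PRIVILEGES FOR ROLE a IN SCHEMA a GRANT SELECT ON TABLES TO a_reader;

-- 4. Membership is what turns the login user into a reader of schema a.
GRANT a_reader TO app_user;

-- 5. Check the effective privileges without reconnecting as app_user.
--    Nothing was granted on schema b, so the last column should stay false.
SELECT has_schema_privilege('app_user', 'a', 'USAGE')      AS schema_a_usage,
       has_table_privilege('app_user', 'a.test', 'SELECT') AS select_a_test,
       has_table_privilege('app_user', 'b.test', 'SELECT') AS select_b_test;

-- 6. Revoking USAGE on the schema cuts off every object in it in one step,
--    which is the second form of revoke the transcript mentions.
REVOKE USAGE ON SCHEMA a FROM a_reader;
```

Re-running the SELECT in step 5 after the REVOKE shows schema_a_usage turning false while the table-level SELECT grant is still recorded, which is exactly why a table grant alone never opened access in the experiment.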