本文簡單介紹了PostgreSQL的權限和用戶管理基礎知識,原文詳見 PostgreSQL Privileges & User Management - What You Should Know ,有所刪減和調整.
Roles
PostgreSQL使用基於角色的權限管理系統.
PostgreSQL中的用戶user和角色role是一回事,區別是在創建用戶時具備了LOGIN權限而角色沒有,因此以下不再提及用戶均以角色描述.
testdb=# create role testrole with password 'test';CREATE ROLEtestdb=# create user testuser with password 'test';CREATE ROLE
退出psql,分別以testrole和testuser登錄
testdb=# \q[pg12@localhost ~]$ psql -U testrole -d testdbpsql: error: could not connect to server: FATAL: role "testrole" is not permitted to log in[pg12@localhost ~]$ psql -U testuser -d testdbpsql (12beta1)Type "help" for help.testdb=>
在創建角色時,以下權限是常用的選項:
SUPERUSER - 超級用戶,SUPERUSER可創建新的SUPERUSER,SUPERUSER可跳過所有的權限檢查.
CREATEDB - 可創建databases.
CREATEROLE - 可創建其他角色.
LOGIN - 可登錄.
事實上,如果沒有LOGIN權限,那麼就算是SUPERUSER也登錄不了
testdb=# create role user1 with password 'test'SUPERUSER CREATEROLE NOLOGIN;CREATE ROLEtestdb=# \q[pg12@localhost ~]$ psql -U user1 -d testdbpsql: error: could not connect to server: FATAL: role "user1" is not permitted to log in[pg12@localhost ~]$
在psql下,使用\du命令可查看角色信息
testdb=# \du List of roles Role name | Attributes | Member of ------------+------------------------------------------------------------+----------- pg12 | Superuser, Create role, Create DB, Replication, Bypass RLS | {} replicator | Replication | {} testrole | Cannot login | {} testuser | | {} user1 | Superuser, Create role, Cannot login | {}Informational (options: S = show system objects, + = additional detail) ... \du[S+] [PATTERN] list roles ...
pg_hba.conf
配置服務器與客戶端之間的連接,查詢pg_setting視圖可檢索當前的hba文件在什麼地方
testdb=# SELECT name, settingtestdb-# FROM pg_settings WHERE name LIKE '%hba%'; name | setting ----------+--------------------------------- hba_file | /data/pgsql/pg12db1/pg_hba.conf(1 row)
hba文件的條目形如以下的設置
local database user address auth-method [auth-options]
其中:
第一項是指連接方式,local是Unix-domain sockets,host是TCP/IP連接
第二項是數據庫,all表示所有
第三項是用戶,all表示所有
第四項是地址,如192.168.0.0/16
第五項auth-method是認證方法,包括trust,reject,scram-sha-256,md5,password,gss,sspi,ident,peer,ldap,radius,cert,pam,bsd.詳見的,trust表示不需要password,password表示明文密碼,md5表示使用md5加密密碼傳輸等
通過查詢pg_hba_file_rules視圖可查看當前的hba配置
testdb=# SELECT * FROM pg_hba_file_rules; line_number | type | database | user_name | address | netmask | auth_method | options | error -------------+-------+---------------+-----------+---------------+-----------------------------------------+-------------+---------+------- 84 | local | {all} | {all} | | | trust | | 86 | host | {all} | {all} | 127.0.0.1 | 255.255.255.255 | trust | | 87 | host | {all} | {all} | 192.168.0.0 | 255.255.0.0 | md5 | | 89 | host | {all} | {all} | ::1 | ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff | trust | | 92 | local | {replication} | {all} | | | trust | | 93 | host | {replication} | {all} | 127.0.0.1 | 255.255.255.255 | trust | | 94 | host | {replication} | {all} | ::1 | ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff | trust | | 95 | host | {replication} | {all} | 192.168.26.26 | 255.255.255.255 | trust | | 96 | host | {replication} | {all} | 192.168.26.27 | 255.255.255.255 | trust | | 97 | host | {replication} | {all} | 192.168.26.29 | 255.255.255.255 | trust | | (10 rows)
修改pg_hba.conf文件後,可通過pg_ctl reload命令刷新配置文件到pg_hba_file_rules中.
比如刪除line_number = 97的條目,刷新
host replication all 192.168.26.26/32 trusthost replication all 192.168.26.27/32 trust~ :x[pg12@localhost pg12db1]$ pg_ctl reloadserver signaledtestdb=# SELECT * FROM pg_hba_file_rules; line_number | type | database | user_name | address | netmask | auth_method | options | error -------------+-------+---------------+-----------+---------------+-----------------------------------------+-------------+---------+------- 84 | local | {all} | {all} | | | trust | | 86 | host | {all} | {all} | 127.0.0.1 | 255.255.255.255 | trust | | 87 | host | {all} | {all} | 192.168.0.0 | 255.255.0.0 | md5 | | 89 | host | {all} | {all} | ::1 | ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff | trust | | 92 | local | {replication} | {all} | | | trust | | 93 | host | {replication} | {all} | 127.0.0.1 | 255.255.255.255 | trust | | 94 | host | {replication} | {all} | ::1 | ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff | trust | | 95 | host | {replication} | {all} | 192.168.26.26 | 255.255.255.255 | trust | | 96 | host | {replication} | {all} | 192.168.26.27 | 255.255.255.255 | trust | | (9 rows)
Database, Table, and Column level privileges
Role一旦創建,具備LOGIN權限,並且在hba中配置可以訪問數據庫,那麼就具備了操縱數據庫的權限包括創建數據表/插入數據等DDL/DML的權限,但如果需要訪問其他owner創建的對象,則需要授權.
比如用戶pg12創建了數據表t1,但沒有授權給demouser,雖然demouser可以訪問t1,但無法查詢
[pg12@localhost ~]$ psql -h 192.168.26.28 -U demouser -d testdbPassword for user demouser: psql (12beta1)Type "help" for help.testdb=> create table t2(id int);CREATE TABLEtestdb=> drop table t2;DROP TABLEtestdb=> \d+ t1 Table "public.t1" Column | Type | Collation | Nullable | Default | Storage | Stats target | Description --------+---------+-----------+----------+---------+---------+--------------+------------- id | integer | | | | plain | | c1 | integer | | | | plain | | c2 | integer | | | | plain | | Access method: heaptestdb=> select * from t1;psql: ERROR: permission denied for table t1
另外,PostgreSQL爲了實現精細化的權限管理,提供了列級的訪問授權,其GRANT語句語法如下,其中column_name部分可指定列權限:
GRANT { { SELECT | INSERT | UPDATE | REFERENCES } ( column_name [, ...] )[, ...] | ALL [ PRIVILEGES ] ( column_name [, ...] ) }ON [ TABLE ] table_name [, ...]TO role_specification [, ...] [ WITH GRANT OPTION ]
指定t1.id可以給demouser訪問: 鄭州婦科醫院:http://jbk.39.net/yiyuanzaixian/sysdfkyy/
testdb=# GRANT SELECT (id) ON TABLE t1 TO demouser;GRANT
demouser可以訪問id列
testdb=> select * from t1;psql: ERROR: permission denied for table t1testdb=> select id from t1; id ----(0 rows)
參考資料
PostgreSQL Privileges & User Management - What You Should Know
CREATE ROLE