Configuring schema access privileges in postgres

1. Schemas currently present in the database

postgres=# \dn+
                           List of schemas
   Name    |  Owner   |  Access privileges   |      Description       
-----------+----------+----------------------+------------------------
 my_schema | postgres | postgres=UC/postgres+| 
           |          | scott=UC/postgres   +| 
           |          | abc=U/postgres      +| 
 public    | postgres | postgres=UC/postgres+| standard public schema
           |          | =UC/postgres         | 
 u1        | postgres | postgres=UC/postgres+| 
           |          | test1=U/postgres     | 
 u2        | postgres |                      | 
(4 rows)

Each entry in Access privileges reads grantee=privileges/grantor: U is USAGE, C is CREATE, and an empty grantee (the =UC/postgres line under public) means PUBLIC, that is, every role. So in this cluster any role can create objects in public, which is the default in PostgreSQL releases before 15. An empty column, as for u2, means nobody except the owner (and superusers) holds any privilege on the schema.

2. Create a new role and grant it USAGE on my_schema

postgres=# create role aa login password 'aa';
CREATE ROLE
postgres=# grant USAGE on SCHEMA my_schema to aa;
GRANT

3. The schema my_schema contains a table t

\dt only lists relations in the schemas on search_path: with the default search_path it shows the two tables in public, and after search_path is set to my_schema it shows my_schema.t.

postgres=> \c - postgres
You are now connected to database "postgres" as user "postgres".
postgres=# \dt
        List of relations
 Schema | Name | Type  |  Owner   
--------+------+-------+----------
 public | t    | table | postgres
 public | test | table | postgres
(2 rows)

postgres=# set search_path=my_schema;
SET
postgres=# \dt
          List of relations
  Schema   | Name | Type  |  Owner   
-----------+------+-------+----------
 my_schema | t    | table | postgres
(1 row)

4. Switch to role aa and set search_path

postgres=# \c - aa
You are now connected to database "postgres" as user "aa".
postgres=> set search_path=my_schema;
SET
postgres=> 
postgres=> \dt
          List of relations
  Schema   | Name | Type  |  Owner   
-----------+------+-------+----------
 my_schema | t    | table | postgres
(1 row)

The listing is read from the catalog (pg_class), which every role can read, so the table showing up in \dt says nothing about whether aa may query it.

5. Role aa queries the table in my_schema

postgres=> select * from my_schema.t;
ERROR:  permission denied for table t
USAGE on a schema only allows the names inside it to be resolved; it grants nothing on the objects themselves, so the SELECT is refused. Table privileges have to be granted separately.

6. Switch to the postgres user and grant SELECT on table t to role aa

postgres=> \c - postgres
You are now connected to database "postgres" as user "postgres".
postgres=# grant select on my_schema.t to aa;
GRANT
postgres=# \c - aa
You are now connected to database "postgres" as user "aa".
postgres=> select * from my_schema.t;
 id 
----
 20
(1 row)

postgres=> 
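Steps 2 to 6 as one script, added here as an example (it is not code from the original post). It is run as postgres and replaces the trial-and-error with has_schema_privilege / has_table_privilege checks at each stage, then shows that the two privilege levels are both required by taking schema USAGE away again. It assumes my_schema and my_schema.t exist and are owned by postgres, as in the post; the role name ro_reader, its password and the audit query are assumptions of this example.

```sql
-- Added example, not code from the original post. Run as postgres, outside a
-- transaction block: one SELECT below is meant to fail, and inside BEGIN it
-- would abort the whole transaction.
-- Assumes schema my_schema and table my_schema.t exist and are owned by
-- postgres, as in the post. Role name ro_reader and its password are assumptions.

CREATE ROLE ro_reader LOGIN PASSWORD 'change-me';

-- Schema USAGE lets the role resolve names inside my_schema, nothing more.
GRANT USAGE ON SCHEMA my_schema TO ro_reader;

-- Check both levels at once: schema USAGE is now held, table SELECT is not.
SELECT has_schema_privilege('ro_reader', 'my_schema', 'USAGE')   AS schema_usage,
       has_table_privilege('ro_reader', 'my_schema.t', 'SELECT') AS table_select;

-- Object privileges are separate from schema privileges, so grant the table too.
GRANT SELECT ON my_schema.t TO ro_reader;

SELECT has_table_privilege('ro_reader', 'my_schema.t', 'SELECT') AS table_select;

-- Both are needed. Take schema USAGE away again and the table grant alone is
-- useless: the name my_schema.t can no longer be resolved, so the SELECT is
-- refused at the schema level before the table ACL is even consulted.
REVOKE USAGE ON SCHEMA my_schema FROM ro_reader;
SET ROLE ro_reader;
SELECT * FROM my_schema.t;           -- refused: no USAGE on schema my_schema
RESET ROLE;
GRANT USAGE ON SCHEMA my_schema TO ro_reader;

-- Audit: what ro_reader can read in my_schema, including privileges that
-- arrive through PUBLIC or role membership (unlike the raw ACL column).
SELECT schemaname,
       tablename,
       has_table_privilege('ro_reader',
                           format('%I.%I', schemaname, tablename),
                           'SELECT') AS can_select
  FROM pg_tables
 WHERE schemaname = 'my_schema';
```

The first check query returns schema_usage = t and table_select = f, the second returns t, and the audit query returns one row per table in my_schema with can_select true only for t. has_table_privilege resolves the name as the calling superuser, so it reports the table ACL even while ro_reader lacks USAGE on the schema; that is why the SET ROLE test is needed to see the real effect.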

7. PostgreSQL can also grant privileges automatically on objects a role creates in the future (ALTER DEFAULT PRIVILEGES). Test below.

Switch to the postgres user and create a new table test1

postgres=> \c - postgres
You are now connected to database "postgres" as user "postgres".
postgres=# 
postgres=# select * from pg_default_acl ;
 defaclrole | defaclnamespace | defaclobjtype |                   defaclacl                   
------------+-----------------+---------------+-----------------------------------------------
         10 |           24696 | r             | {scott=arwdDxt/postgres,abc=arwdDxt/postgres}
(1 row)

pg_default_acl already holds one entry: whenever the role with OID 10 (postgres) creates a table (defaclobjtype r) in the namespace with OID 24696 (my_schema, see the pg_namespace output in step 10), scott and abc receive all seven table privileges: a INSERT, r SELECT, w UPDATE, d DELETE, D TRUNCATE, x REFERENCES, t TRIGGER. Nothing is defined for aa yet.

postgres=# create table my_schema.test1(id int); 
CREATE TABLE
postgres=# 

8. Without an explicit grant select on my_schema.test1 to aa at this point, aa has no access to the new table

postgres=> \c - aa
You are now connected to database "postgres" as user "aa".
postgres=> select * from my_schema.test1;
ERROR:  permission denied for table test1
postgres=> 
postgres=> select * from my_schema.t;
 id 
----
 20
(1 row)

9. Set default privileges so that tables postgres creates in my_schema are readable by aa

postgres=> \c - postgres
You are now connected to database "postgres" as user "postgres".
postgres=# ALTER DEFAULT PRIVILEGES for role postgres in schema my_schema grant select on tables to aa;
ALTER DEFAULT PRIVILEGES

10. Access test1 again

postgres=# \c - aa
You are now connected to database "postgres" as user "aa".
postgres=> select * from pg_default_acl ;
 defaclrole | defaclnamespace | defaclobjtype |                          defaclacl                          
------------+-----------------+---------------+-------------------------------------------------------------
         10 |           24696 | r             | {scott=arwdDxt/postgres,abc=arwdDxt/postgres,aa=r/postgres}
(1 row)

postgres=> select *from my_schema.test1;
ERROR:  permission denied for table test1
test1 was created before the default privilege was set, so the new entry does not apply to it and aa is still refused, even though pg_default_acl already shows aa=r/postgres: the entry exists, it just only affects tables created from now on.

The defaclacl column of the pg_default_acl catalog shows the new entry as aa=r/postgres: whenever role postgres creates a table in the namespace with OID 24696 (my_schema, see the pg_namespace output below), SELECT (r) is granted to aa with postgres as grantor. This is not aa inheriting the privileges of postgres; aa only receives the listed privilege on tables that postgres creates from now on. Adding UPDATE turns the entry into aa=rw/postgres (w is UPDATE; INSERT would show as a):

postgres=# ALTER DEFAULT PRIVILEGES for role postgres in schema my_schema grant update on tables to aa;
ALTER DEFAULT PRIVILEGES
postgres=# 
postgres=# select * from pg_default_acl ;
-[ RECORD 1 ]---+-------------------------------------------------------------
defaclrole      | 10
defaclnamespace | 24696
defaclobjtype   | r
defaclacl       | {scott=arwdDxt/postgres,abc=arwdDxt/postgres,aa=rw/postgres}
postgres=> select oid,  * from pg_namespace;
  oid  |      nspname       | nspowner |                                nspacl                                 
-------+--------------------+----------+-----------------------------------------------------------------------
    99 | pg_toast           |       10 | 
 11804 | pg_temp_1          |       10 | 
 11805 | pg_toast_temp_1    |       10 | 
    11 | pg_catalog         |       10 | {postgres=UC/postgres,=U/postgres}
  2200 | public             |       10 | {postgres=UC/postgres,=UC/postgres}
 12941 | information_schema |       10 | {postgres=UC/postgres,=U/postgres}
 24714 | u2                 |       10 | 
 24713 | u1                 |       10 | {postgres=UC/postgres,test1=U/postgres}
 24696 | my_schema          |       10 | {postgres=UC/postgres,scott=UC/postgres,abc=U/postgres,aa=U/postgres}
(9 rows)

postgres=> 

11. When postgres now creates a new table, aa automatically receives SELECT (and, after the second ALTER, UPDATE) on it

postgres=# create table my_schema.test2(id int);
CREATE TABLE
postgres=# \c - aa
You are now connected to database "postgres" as user "aa".
postgres=> select *from my_schema.test2;
 id 
----
(0 rows)

Steps 10 and 11 show that ALTER DEFAULT PRIVILEGES has no effect on tables that already exist; only tables created afterwards receive the privileges. Two further limits are worth remembering: the entry covers only objects created by the role named in FOR ROLE (here postgres) and only in the named schema, so a table that scott creates in my_schema is not covered; and aa still needs USAGE on the schema, which default privileges never provide. Tables that already exist are handled with GRANT SELECT ON ALL TABLES IN SCHEMA my_schema TO aa.
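Steps 7 to 11 as one script, added here as an example (not code from the original post), run as postgres: it covers the existing tables with one GRANT, sets the default privilege for future ones, decodes the pg_default_acl entry with names instead of the raw OIDs the post shows, and then checks the two limits above (a table created by postgres after the ALTER is readable, a table created by scott is not). It assumes my_schema exists, that role aa exists and already holds USAGE on it, that postgres is the role creating tables there, and that scott has CREATE on my_schema (scott=UC/postgres in the \dn+ output); the table names test3 and by_scott are assumptions.

```sql
-- Added example, not code from the original post. Run as postgres.
-- Assumes my_schema exists, role aa exists with USAGE on it, postgres creates
-- the tables, and role scott has CREATE on my_schema (as in the post's \dn+).
-- Table names test3 and by_scott are assumptions.

-- 1. Tables that already exist: default privileges never touch them, so grant
--    on them explicitly (covers tables, views and foreign tables present now).
GRANT SELECT ON ALL TABLES IN SCHEMA my_schema TO aa;

-- 2. Tables created from now on. The entry is keyed on the creating role
--    (FOR ROLE postgres) and the schema; it says nothing about tables that
--    other roles create in my_schema.
ALTER DEFAULT PRIVILEGES FOR ROLE postgres IN SCHEMA my_schema
    GRANT SELECT ON TABLES TO aa;

-- 3. Read the entries back with names instead of raw OIDs (the post shows
--    defaclrole = 10 and defaclnamespace = 24696). defaclobjtype: r = relation
--    (tables, views), S = sequence, f = function. LEFT JOIN because a default
--    set without IN SCHEMA has defaclnamespace = 0. regrole needs 9.5 or later.
SELECT d.defaclrole::regrole AS creator,
       n.nspname             AS schema_name,
       d.defaclobjtype,
       d.defaclacl
  FROM pg_default_acl d
  LEFT JOIN pg_namespace n ON n.oid = d.defaclnamespace;

-- 4. A table postgres creates now is readable by aa without any further GRANT ...
CREATE TABLE my_schema.test3 (id int);
SELECT has_table_privilege('aa', 'my_schema.test3', 'SELECT') AS aa_reads_test3;

-- ... but one created by scott is not: it is owned by scott, and no default
--    privileges exist FOR ROLE scott.
SET ROLE scott;
CREATE TABLE my_schema.by_scott (id int);
RESET ROLE;
SELECT has_table_privilege('aa', 'my_schema.by_scott', 'SELECT') AS aa_reads_by_scott;

-- 5. Removing the default uses the same clause shape with REVOKE; like the
--    GRANT, it only changes what tables created afterwards will get, and it
--    does not take SELECT back from test3.
ALTER DEFAULT PRIVILEGES FOR ROLE postgres IN SCHEMA my_schema
    REVOKE SELECT ON TABLES FROM aa;
```

aa_reads_test3 comes back true and aa_reads_by_scott false. For by_scott, either scott grants aa access, or a second ALTER DEFAULT PRIVILEGES FOR ROLE scott IN SCHEMA my_schema is defined; default privileges are per creating role, and there is no entry that covers "every table anyone creates in this schema".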
