1、Schemas currently present in the database
postgres=# \dn+
List of schemas
Name | Owner | Access privileges | Description
-----------+----------+----------------------+------------------------
my_schema | postgres | postgres=UC/postgres+|
| | scott=UC/postgres +|
| | abc=U/postgres +|
public | postgres | postgres=UC/postgres+| standard public schema
| | =UC/postgres |
u1 | postgres | postgres=UC/postgres+|
| | test1=U/postgres |
u2 | postgres | |
(4 rows)
postgres=#
2、Create a new role and grant it USAGE on my_schema
postgres=# create role aa login password 'aa';
CREATE ROLE
postgres=#
postgres=#
postgres=# grant USAGE on SCHEMA my_schema to aa;
GRANT
postgres=#
postgres=#
3、Schema my_schema contains a table t
postgres=> \c - postgres
You are now connected to database "postgres" as user "postgres".
postgres=# \dt
List of relations
Schema | Name | Type | Owner
--------+------+-------+----------
public | t | table | postgres
public | test | table | postgres
(2 rows)
postgres=# set search_path=my_schema;
SET
postgres=# \dt
List of relations
Schema | Name | Type | Owner
-----------+------+-------+----------
my_schema | t | table | postgres
(1 row)
4、Switch to role aa and set search_path
postgres=# \c - aa
You are now connected to database "postgres" as user "aa".
postgres=> set search_path=my_schema;
SET
postgres=>
postgres=> \dt
List of relations
Schema | Name | Type | Owner
-----------+------+-------+----------
my_schema | t | table | postgres
(1 row)
5、Role aa queries the table in my_schema
postgres=> select * from my_schema.t;
ERROR: permission denied for table t
postgres=>
postgres=>
6、Switch to the postgres user and grant SELECT on table t to role aa
postgres=> \c - postgres
You are now connected to database "postgres" as user "postgres".
postgres=# grant select on my_schema.t to aa;
GRANT
postgres=# \c - aa
You are now connected to database "postgres" as user "aa".
postgres=> select * from my_schema.t;
id
----
20
(1 row)
postgres=>
7、PostgreSQL provides a feature that lets one role receive privileges on another role's objects by default (default privileges); see the test below
Switch to the postgres user and create a new table test1
postgres=> \c - postgres
You are now connected to database "postgres" as user "postgres".
postgres=#
postgres=# select * from pg_default_acl ;
defaclrole | defaclnamespace | defaclobjtype | defaclacl
------------+-----------------+---------------+-----------------------------------------------
10 | 24696 | r | {scott=arwdDxt/postgres,abc=arwdDxt/postgres}
(1 row)
postgres=# create table my_schema.test1(id int);
CREATE TABLE
postgres=#
8、If grant select on my_schema.test1 to aa; is not executed at this point, role aa has no privilege to access the table
postgres=> \c - aa
You are now connected to database "postgres" as user "aa".
postgres=>
postgres=>
postgres=> select * from my_schema.test1;
ERROR: permission denied for table test1
postgres=>
postgres=> select * from my_schema.t;
id
----
20
(1 row)
9、Configure role aa to inherit privileges from postgres
postgres=> \c - postgres
You are now connected to database "postgres" as user "postgres".
postgres=# ALTER DEFAULT PRIVILEGES for role postgres in schema my_schema grant select on tables to aa;
ALTER DEFAULT PRIVILEGES
10、Access table test1 again
postgres=# \c - aa
You are now connected to database "postgres" as user "aa".
postgres=> select * from pg_default_acl ;
defaclrole | defaclnamespace | defaclobjtype | defaclacl
------------+-----------------+---------------+-------------------------------------------------------------
10 | 24696 | r | {scott=arwdDxt/postgres,abc=arwdDxt/postgres,aa=r/postgres}
(1 row)
postgres=> select *from my_schema.test1;
ERROR: permission denied for table test1
postgres=>
The defaclacl column of pg_default_acl shows this relationship, for example aa=r/postgres: role aa inherits the read (SELECT) privilege on tables that role postgres creates in the schema whose namespace OID is 24696. For read and write privileges the entry would be aa=rw/postgres.
postgres=# ALTER DEFAULT PRIVILEGES for role postgres in schema my_schema grant update on tables to aa;
ALTER DEFAULT PRIVILEGES
postgres=#
postgres=# select * from pg_default_acl ;
-[ RECORD 1 ]---+-------------------------------------------------------------
defaclrole | 10
defaclnamespace | 24696
defaclobjtype | r
defaclacl | {scott=arwdDxt/postgres,abc=arwdDxt/postgres,aa=rw/postgres}
postgres=> select oid, * from pg_namespace;
oid | nspname | nspowner | nspacl
-------+--------------------+----------+-----------------------------------------------------------------------
99 | pg_toast | 10 |
11804 | pg_temp_1 | 10 |
11805 | pg_toast_temp_1 | 10 |
11 | pg_catalog | 10 | {postgres=UC/postgres,=U/postgres}
2200 | public | 10 | {postgres=UC/postgres,=UC/postgres}
12941 | information_schema | 10 | {postgres=UC/postgres,=U/postgres}
24714 | u2 | 10 |
24713 | u1 | 10 | {postgres=UC/postgres,test1=U/postgres}
24696 | my_schema | 10 | {postgres=UC/postgres,scott=UC/postgres,abc=U/postgres,aa=U/postgres}
(9 rows)
postgres=>
11、If postgres creates a new table, SELECT on that table is granted to role aa automatically
postgres=# create table my_schema.test2(id int);
CREATE TABLE
postgres=# \c - aa
You are now connected to database "postgres" as user "aa".
postgres=> select *from my_schema.test2;
id
----
(0 rows)
Steps 10 and 11 show that ALTER DEFAULT PRIVILEGES has no effect on tables that already existed when it was run; only tables created afterwards receive the granted privileges.
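The aclitem notation seen in defaclacl and nspacl above (aa=r/postgres, aa=rw/postgres, =UC/postgres) is compact enough to misread during a privilege audit, and the lesson of steps 10 and 11 is that default privileges leave pre-existing tables untouched. The following is an added example, not part of the original post and not PostgreSQL code: it decodes aclitem strings into privilege names using the letter meanings from the PostgreSQL manual, and builds the GRANT ... ON ALL TABLES IN SCHEMA statement that back-fills the same privileges onto tables that already exist. The sample ACL strings are copied from the catalog output above; the parser assumes unquoted role names (a quoted name containing "," or "=" is not handled).

```python
"""Decode PostgreSQL aclitem strings and derive the back-fill GRANT.

Added example for the default-privileges walk-through above. Privilege
letters follow the PostgreSQL manual's Privileges chapter; role names are
assumed to be simple, unquoted identifiers.
"""
import re

# Privilege letter -> privilege name (PostgreSQL aclitem encoding).
PRIV_LETTERS = {
    "r": "SELECT", "w": "UPDATE", "a": "INSERT", "d": "DELETE",
    "D": "TRUNCATE", "x": "REFERENCES", "t": "TRIGGER", "X": "EXECUTE",
    "U": "USAGE", "C": "CREATE", "c": "CONNECT", "T": "TEMPORARY",
}

# grantee=privileges/grantor ; an empty grantee means PUBLIC.
ACL_RE = re.compile(r"^(?P<grantee>[^=]*)=(?P<privs>[A-Za-z*]*)/(?P<grantor>.+)$")


def parse_aclitem(item):
    """Return {'grantee', 'grantor', 'privileges': {name: grant_option}}."""
    m = ACL_RE.match(item.strip())
    if not m:
        raise ValueError(f"not an aclitem: {item!r}")
    privileges = {}
    letters = m.group("privs")
    i = 0
    while i < len(letters):
        letter = letters[i]
        if letter not in PRIV_LETTERS:
            raise ValueError(f"unknown privilege letter {letter!r} in {item!r}")
        # A trailing '*' marks WITH GRANT OPTION for the preceding letter.
        grant_option = i + 1 < len(letters) and letters[i + 1] == "*"
        privileges[PRIV_LETTERS[letter]] = grant_option
        i += 2 if grant_option else 1
    return {
        "grantee": m.group("grantee") or "PUBLIC",
        "grantor": m.group("grantor"),
        "privileges": privileges,
    }


def parse_acl_array(text):
    """Parse the '{a=.../x,b=.../y}' array form shown by psql."""
    text = text.strip()
    if text.startswith("{") and text.endswith("}"):
        text = text[1:-1]
    if not text:
        return []
    return [parse_aclitem(part) for part in text.split(",")]


def privileges_for(acl_text, role):
    """Sorted privilege names that `role` holds in the given ACL (empty if none)."""
    for entry in parse_acl_array(acl_text):
        if entry["grantee"] == role:
            return sorted(entry["privileges"])
    return []


def backfill_grant(default_acl_text, role, schema):
    """GRANT that gives `role` on existing tables what the default ACL gives it
    on future tables. ALTER DEFAULT PRIVILEGES is not retroactive, so this is
    the statement an administrator runs once after changing defaults."""
    privs = privileges_for(default_acl_text, role)
    if not privs:
        return None
    return f"GRANT {', '.join(privs)} ON ALL TABLES IN SCHEMA {schema} TO {role};"


if __name__ == "__main__":
    # Sample values copied from the pg_default_acl and pg_namespace output above.
    DEFACL = "{scott=arwdDxt/postgres,abc=arwdDxt/postgres,aa=rw/postgres}"
    NSPACL = "{postgres=UC/postgres,=UC/postgres}"
    for entry in parse_acl_array(DEFACL):
        print(entry["grantee"], "->", sorted(entry["privileges"]))
    print("PUBLIC on schema:", privileges_for(NSPACL, "PUBLIC"))
    print(backfill_grant(DEFACL, "aa", "my_schema"))
```

Running the block prints the decoded per-role privileges for the defaclacl row from step 10, what PUBLIC holds on the public schema, and the single GRANT needed so that test1 (created before the ALTER DEFAULT PRIVILEGES) ends up with the same access as test2.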