一����、角色與用戶的區別
角色就相當于崗位:角色可以是經理,助理��。
用戶就是具體的人:比如陳XX經理�����,朱XX助理�����,王XX助理��。
在PostgreSQL 里沒有區分用戶和角色的概念�����,"CREATE USER" 為 "CREATE ROLE" 的別名����,這兩個命令幾乎是完全相同的,唯一的區別是"CREATE USER" 命令創建的用戶默認帶有LOGIN屬性����,而"CREATE ROLE" 命令創建的用戶默認不帶LOGIN屬性(CREATE USER is equivalent to CREATE ROLE except that CREATE USER assumes LOGIN by default, while CREATE ROLE does not)��。
1.1 創建角色與用戶
CREATE ROLE 語法
CREATE ROLE name [ [ WITH ] option [ ... ] ]
where option can be:
SUPERUSER | NOSUPERUSER
| CREATEDB | NOCREATEDB
| CREATEROLE | NOCREATEROLE
| CREATEUSER | NOCREATEUSER
| INHERIT | NOINHERIT
| LOGIN | NOLOGIN
| REPLICATION | NOREPLICATION
| CONNECTION LIMIT connlimit
| [ ENCRYPTED | UNENCRYPTED ] PASSWORD 'password'
| VALID UNTIL 'timestamp'
| IN ROLE role_name [, ...]
| IN GROUP role_name [, ...]
| ROLE role_name [, ...]
| ADMIN role_name [, ...]
| USER role_name [, ...]
| SYSID uid
創建david 角色和sandy 用戶
postgres=# CREATE ROLE david; //默認不帶LOGIN屬性
CREATE ROLE
postgres=# CREATE USER sandy; //默認具有LOGIN屬性
CREATE ROLE
postgres=# /du
List of roles
Role name | Attributes | Member of
-----------+------------------------------------------------+-----------
david | Cannot login | {}
postgres | Superuser, Create role, Create DB, Replication | {}
sandy | | {}
postgres=#
postgres=# SELECT rolname from pg_roles ;
rolname
----------
postgres
david
sandy
(3 rows)
postgres=# SELECT usename from pg_user; //角色david 創建時沒有分配login權限�����,所以沒有創建用戶
usename
----------
postgres
sandy
(2 rows)
postgres=#
1.2 驗證LOGIN屬性
postgres@CS-DEV:~> psql -U david
psql: FATAL: role "david" is not permitted to log in
postgres@CS-DEV:~> psql -U sandy
psql: FATAL: database "sandy" does not exist
postgres@CS-DEV:~> psql -U sandy -d postgres
psql (9.1.0)
Type "help" for help.
postgres=> /dt
No relations found.
postgres=>
用戶sandy 可以登錄����,角色david 不可以登錄�����。
1.3 修改david 的權限����,增加LOGIN權限
postgres=# ALTER ROLE david LOGIN ;
ALTER ROLE
postgres=# /du
List of roles
Role name | Attributes | Member of
-----------+------------------------------------------------+-----------
david | | {}
postgres | Superuser, Create role, Create DB, Replication | {}
sandy | | {}
postgres=# SELECT rolname from pg_roles ;
rolname
----------
postgres
sandy
david
(3 rows)
postgres=# SELECT usename from pg_user; //給david 角色分配login權限,系統將自動創建同名用戶david
usename
----------
postgres
sandy
david
(3 rows)
postgres=#
1.4 再次驗證LOGIN屬性
postgres@CS-DEV:~> psql -U david -d postgres
psql (9.1.0)
Type "help" for help.
postgres=> /du
List of roles
Role name | Attributes | Member of
-----------+------------------------------------------------+-----------
david | | {}
postgres | Superuser, Create role, Create DB, Replication | {}
sandy | | {}
postgres=>
david 現在也可以登錄了��。
二�����、查看角色信息
psql 終端可以用/du 或/du+ 查看,也可以查看系統表 select * from pg_roles;
postgres=> /du
List of roles
Role name | Attributes | Member of
-----------+------------------------------------------------+-----------
david | Cannot login | {}
postgres | Superuser, Create role, Create DB, Replication | {}
sandy | | {}
postgres=> /du+
List of roles
Role name | Attributes | Member of | Description
-----------+------------------------------------------------+-----------+-------------
david | Cannot login | {} |
postgres | Superuser, Create role, Create DB, Replication | {} |
sandy | | {} |
postgres=> SELECT * from pg_roles;
rolname | rolsuper | rolinherit | rolcreaterole | rolcreatedb | rolcatupdate | rolcanlogin | rolreplication | rolconnlimit | rolpassword | rolvaliduntil | rolconfig | oid
----------+----------+------------+---------------+-------------+--------------+-------------+----------------+--------------+-------------+---------------+-----------+-------
postgres | t | t | t | t | t | t | t | -1 | ******** | | | 10
david | f | t | f | f | f | f | f | -1 | ******** | | | 49438
sandy | f | t | f | f | f | t | f | -1 | ******** | | | 49439
(3 rows)
postgres=>
三�����、角色屬性(Role Attributes)
一個數據庫角色可以有一系列屬性��,這些屬性定義了他的權限����。
| 屬性 | 說明 |
| login | 只有具有 LOGIN 屬性的角色可以用做數據庫連接的初始角色名��。 |
| superuser | 數據庫超級用戶 |
| createdb | 創建數據庫權限 |
| createrole | 允許其創建或刪除其他普通的用戶角色(超級用戶除外) |
| replication | 做流復制的時候用到的一個用戶屬性��,一般單獨設定����。 |
| password | 在登錄時要求指定密碼時才會起作用,比如md5或者password模式,跟客戶端的連接認證方式有關 |
| inherit | 用戶組對組員的一個繼承標志����,成員可以繼承用戶組的權限特性 |
| ... | ... |
四��、創建用戶時賦予角色屬性
從pg_roles 表里查看到的信息��,在上面創建的david 用戶時�����,默認沒有創建數據庫等權限��。
postgres@CS-DEV:~> psql -U david -d postgres
psql (9.1.0)
Type "help" for help.
postgres=> /du
List of roles
Role name | Attributes | Member of
-----------+------------------------------------------------+-----------
david | | {}
postgres | Superuser, Create role, Create DB, Replication | {}
sandy | | {}
postgres=> CREATE DATABASE test;
ERROR: permission denied to create database
postgres=>
如果要在創建角色時就賦予角色一些屬性��,可以使用下面的方法����。
首先切換到postgres 用戶��。
4.1 創建角色bella 并賦予其CREATEDB 的權限�����。
postgres=# CREATE ROLE bella CREATEDB ;
CREATE ROLE
postgres=# /du
List of roles
Role name | Attributes | Member of
-----------+------------------------------------------------+-----------
bella | Create DB, Cannot login | {}
david | | {}
postgres | Superuser, Create role, Create DB, Replication | {}
sandy | | {}
postgres=#
4.2 創建角色renee 并賦予其創建數據庫及帶有密碼登錄的屬性��。
postgres=# CREATE ROLE renee CREATEDB PASSWORD 'abc123' LOGIN;
CREATE ROLE
postgres=# /du
List of roles
Role name | Attributes | Member of
-----------+------------------------------------------------+-----------
bella | Create DB, Cannot login | {}
david | | {}
postgres | Superuser, Create role, Create DB, Replication | {}
renee | Create DB | {}
sandy | | {}
postgres=#
4.3 測試renee 角色
a. 登錄
postgres@CS-DEV:~> psql -U renee -d postgres
psql (9.1.0)
Type "help" for help.
postgres=>
用renee 用戶登錄數據庫,發現不需要輸入密碼既可登錄�����,不符合實際情況。
b. 查找原因
在角色屬性中關于password的說明��,在登錄時要求指定密碼時才會起作用,比如md5或者password模式��,跟客戶端的連接認證方式有關��。
查看pg_hba.conf 文件����,發現local 的METHOD 為trust����,所以不需要輸入密碼�����。
將local 的METHOD 更改為password��,然后保存重啟postgresql����。
c. 再次驗證
提示輸入密碼,輸入正確密碼后進入到數據庫����。
d. 測試創建數據庫
創建成功����。
五、給已存在用戶賦予各種權限
使用ALTER ROLE 命令����。
ALTER ROLE 語法:
ALTER ROLE name [ [ WITH ] option [ ... ] ]
where option can be:
SUPERUSER | NOSUPERUSER
| CREATEDB | NOCREATEDB
| CREATEROLE | NOCREATEROLE
| CREATEUSER | NOCREATEUSER
| INHERIT | NOINHERIT
| LOGIN | NOLOGIN
| REPLICATION | NOREPLICATION
| CONNECTION LIMIT connlimit
| [ ENCRYPTED | UNENCRYPTED ] PASSWORD 'password'
| VALID UNTIL 'timestamp'
ALTER ROLE name RENAME TO new_name
ALTER ROLE name [ IN DATABASE database_name ] SET configuration_parameter { TO | = } { value | DEFAULT }
ALTER ROLE name [ IN DATABASE database_name ] SET configuration_parameter FROM CURRENT
ALTER ROLE name [ IN DATABASE database_name ] RESET configuration_parameter
ALTER ROLE name [ IN DATABASE database_name ] RESET ALL
5.1 賦予bella 登錄權限
a. 查看現在的角色屬性
postgres=# /du
List of roles
Role name | Attributes | Member of
-----------+------------------------------------------------+-----------
bella | Create DB, Cannot login | {}
david | | {}
postgres | Superuser, Create role, Create DB, Replication | {}
renee | Create DB | {}
sandy | | {}
postgres=#
b. 賦予登錄權限
postgres=# ALTER ROLE bella WITH LOGIN;
ALTER ROLE
postgres=# /du
List of roles
Role name | Attributes | Member of
-----------+------------------------------------------------+-----------
bella | Create DB | {}
david | | {}
postgres | Superuser, Create role, Create DB, Replication | {}
renee | Create DB | {}
sandy | | {}
postgres=#
5.2 賦予renee 創建角色的權限
postgres=# ALTER ROLE renee WITH CREATEROLE;
ALTER ROLE
postgres=# /du
List of roles
Role name | Attributes | Member of
-----------+------------------------------------------------+-----------
bella | Create DB | {}
david | | {}
postgres | Superuser, Create role, Create DB, Replication | {}
renee | Create role, Create DB | {}
sandy | | {}
postgres=#
5.3 賦予david 帶密碼登錄權限
postgres=# ALTER ROLE david WITH PASSWORD 'ufo456';
ALTER ROLE
postgres=#
5.4 設置sandy 角色的有效期
postgres=# ALTER ROLE sandy VALID UNTIL '2014-04-24';
ALTER ROLE
postgres=# /du
List of roles
Role name | Attributes | Member of
-----------+------------------------------------------------+-----------
bella | Create DB | {}
david | | {}
postgres | Superuser, Create role, Create DB, Replication | {}
renee | Create role, Create DB | {}
sandy | | {}
postgres=# SELECT * from pg_roles ;
rolname | rolsuper | rolinherit | rolcreaterole | rolcreatedb | rolcatupdate | rolcanlogin | rolreplication | rolconnlimit | rolpassword | rolvaliduntil | rolconfig | oid
----------+----------+------------+---------------+-------------+--------------+-------------+----------------+--------------+-------------+------------------------+-----------+-------
postgres | t | t | t | t | t | t | t | -1 | ******** | | | 10
bella | f | t | f | t | f | t | f | -1 | ******** | | | 49440
renee | f | t | t | t | f | t | f | -1 | ******** | | | 49442
david | f | t | f | f | f | t | f | -1 | ******** | | | 49438
sandy | f | t | f | f | f | t | f | -1 | ******** | 2014-04-24 00:00:00+08 | | 49439
(5 rows)
postgres=#
六��、角色賦權/角色成員
在系統的角色管理中��,通常會把多個角色賦予一個組����,這樣在設置權限時只需給該組設置即可,撤銷權限時也是從該組撤銷�����。在PostgreSQL中�����,首先需要創建一個代表組的角色����,之后再將該角色的membership 權限賦給獨立的角色即可。
6.1 創建組角色
postgres=# CREATE ROLE father login nosuperuser nocreatedb nocreaterole noinherit encrypted password 'abc123';
CREATE ROLE
postgres=# /du
List of roles
Role name | Attributes | Member of
-----------+------------------------------------------------+-----------
bella | Create DB | {}
david | | {}
father | No inheritance | {}
postgres | Superuser, Create role, Create DB, Replication | {}
renee | Create role, Create DB | {}
sandy | | {}
postgres=#
6.2 給father 角色賦予數據庫test 連接權限和相關表的查詢權限��。
postgres=# GRANT CONNECT ON DATABASE test to father;
GRANT
postgres=# /c test renee
You are now connected to database "test" as user "renee".
test=> /dt
No relations found.
test=> CREATE TABLE emp (
test(> id serial,
test(> name text);
NOTICE: CREATE TABLE will create implicit sequence "emp_id_seq" for serial column "emp.id"
CREATE TABLE
test=> INSERT INTO emp (name) VALUES ('david');
INSERT 0 1
test=> INSERT INTO emp (name) VALUES ('sandy');
INSERT 0 1
test=> SELECT * from emp;
id | name
----+-------
1 | david
2 | sandy
(2 rows)
test=> /dt
List of relations
Schema | Name | Type | Owner
--------+------+-------+-------
public | emp | table | renee
(1 row)
test=> GRANT USAGE ON SCHEMA public to father;
WARNING: no privileges were granted for "public"
GRANT
test=> GRANT SELECT on public.emp to father;
GRANT
test=>
6.3 創建成員角色
test=> /c postgres postgres
You are now connected to database "postgres" as user "postgres".
postgres=# CREATE ROLE son1 login nosuperuser nocreatedb nocreaterole inherit encrypted password 'abc123';
CREATE ROLE
postgres=#
這里創建了son1 角色��,并開啟inherit 屬性��。PostgreSQL 里的角色賦權是通過角色繼承(INHERIT)的方式實現的�����。
6.4 將father 角色賦給son1
postgres=# GRANT father to son1;
GRANT ROLE
postgres=#
還有另一種方法��,就是在創建用戶的時候賦予角色權限����。
postgres=# CREATE ROLE son2 login nosuperuser nocreatedb nocreaterole inherit encrypted password 'abc123' in role father;
CREATE ROLE
postgres=#
6.5 測試son1 角色
postgres=# /c test son1
You are now connected to database "test" as user "son1".
test=> /dt
List of relations
Schema | Name | Type | Owner
--------+------+-------+-------
public | emp | table | renee
(1 row)
test=> SELECT * from emp;
id | name
----+-------
1 | david
2 | sandy
(2 rows)
test=>
用renee 角色新創建一張表,再次測試
test=> /c test renee
You are now connected to database "test" as user "renee".
test=> CREATE TABLE dept (
test(> deptid integer,
test(> deptname text);
CREATE TABLE
test=> INSERT INTO dept (deptid, deptname) values(1, 'ts');
INSERT 0 1
test=> /c test son1
You are now connected to database "test" as user "son1".
test=> SELECT * from dept ;
ERROR: permission denied for relation dept
test=>
son1 角色只能查詢emp 表的數據����,而不能查詢dept 表的數據����,測試成功。
6.6 查詢角色組信息
test=> /c postgres postgres
You are now connected to database "postgres" as user "postgres".
postgres=#
postgres=# /du
List of roles
Role name | Attributes | Member of
-----------+------------------------------------------------+-----------
bella | Create DB | {}
david | | {}
father | No inheritance | {}
postgres | Superuser, Create role, Create DB, Replication | {}
renee | Create role, Create DB | {}
sandy | | {}
son1 | | {father}
son2 | | {father}
postgres=#
“ Member of ” 項表示son1 和son2 角色屬于father 角色組��。
