PG資料庫
建立使用者/角色
CREATE USER/ROLE name [ [ WITH ] option [ ... ] ] : 關鍵詞 USER,ROLE; name 使用者或角色名; where option can be: SUPERUSER | NOSUPERUSER :超級許可權,繞過所有許可權檢查,預設nosuperuser。 | CREATEDB | NOCREATEDB :建庫許可權,預設nocreatedb。 | CREATEROLE | NOCREATEROLE :建角色許可權,可以建立、修改、刪除(非超級使用者)角色並管理角色成員關係;因為它能建立擁有自己所沒有的屬性(superuser 除外)的角色,官方文件建議把具有 CREATEROLE 的角色視為準超級使用者,預設nocreaterole。 | INHERIT | NOINHERIT :繼承許可權,決定該角色是否自動擁有其所屬角色(透過 GRANT role TO ...)的許可權;SUPERUSER、CREATEDB、CREATEROLE、LOGIN、REPLICATION、BYPASSRLS 這些角色屬性不會透過成員關係繼承,預設inherit。 | LOGIN | NOLOGIN :登入許可權,作為連線的使用者,預設nologin,除非是create user(預設登入)。 | REPLICATION | NOREPLICATION :複製許可權,允許以複製模式連線並建立、刪除 replication slots(物理或邏輯複製),相當於能讀取整個叢集的 WAL,屬於高風險屬性,預設是noreplication。 | BYPASSRLS | NOBYPASSRLS :繞過行級安全策略(RLS)的許可權,預設nobypassrls。 | CONNECTION LIMIT connlimit :限制使用者併發連線數,預設-1,不限制。正常連線會受限制,後臺連線和prepared事務不受限制。 | [ ENCRYPTED ] PASSWORD 'password' | PASSWORD NULL :設定密碼,密碼僅用於有login屬性的使用者,不使用密碼身份驗證,則可以省略此選項。可以選擇將空密碼顯式寫為PASSWORD NULL;在 PostgreSQL 10 及之後,空字串 '' 也等同於 NULL。 雜湊方法由配置引數password_encryption確定(建議 scram-sha-256),密碼始終以雜湊方式儲存在系統目錄中,ENCRYPTED 關鍵字自 10 起沒有作用。注意:在 SQL 語句中直接寫明文密碼,密碼會留在客戶端歷史與(開啟 log_statement 時的)伺服器日誌中,建議改用 psql 的 \password 設定。 | VALID UNTIL 'timestamp' :密碼有效期,只限制密碼認證,不影響 trust、peer、cert 等非密碼認證方式,也不會停用角色本身;不設定則永不失效。 | IN ROLE role_name [, ...] :新角色將立即成為所列角色的成員。 | IN GROUP role_name [, ...] :同上 | ROLE role_name [, ...] :ROLE子句列出一個或多個現有角色,這些角色自動新增為新角色的成員。 (這實際上使新角色成為“組”)。 | ADMIN role_name [, ...] :與ROLE類似,但命名角色將以WITH ADMIN OPTION新增到新角色,使他們有權將此角色的成員資格授予其他人。 | USER role_name [, ...] :同上 | SYSID uid :被忽略,但是為向後相容性而存在。
示例:
建立不設定密碼的可登入使用者test(能否不用密碼連線由 pg_hba.conf 的認證方式決定,沒有密碼的角色只能透過 trust、peer、cert 等非密碼方式登入):
-- Login-capable role with no password.  Whether it can connect without one is
-- decided by pg_hba.conf: with no password to present it can only pass
-- non-password methods (trust, peer, ident, cert, ...), never md5/scram.
-- NOTE(review): do not pair such a role with a `trust` rule outside a
-- loopback/dev host.
CREATE ROLE test
    WITH LOGIN;
建立需要密碼登入的使用者test1(範例中密碼與使用者名稱相同,僅作示範;實際環境請用強密碼,並優先用 psql 的 \password 設定以免明文進入日誌):
-- CREATE USER is CREATE ROLE with LOGIN implied.
-- 'test1' is a demo value: a password equal to the user name is trivially
-- guessable.  Passing it inline also leaves it in psql history and, when
-- log_statement logs DDL, in the server log; psql's \password prompts for the
-- password and sends only the hash.
CREATE USER test1
    WITH PASSWORD 'test1';
和ROLE的區別是:USER帶LOGIN屬性。
建立密碼有有效期的使用者test2(VALID UNTIL 只限制密碼認證,到期後角色本身和其許可權仍然存在):
-- VALID UNTIL expires the *password*, not the role: after the timestamp the
-- role can no longer authenticate with password methods, but it can still
-- connect via non-password methods allowed in pg_hba.conf and keeps all its
-- privileges.  The date shown is in the past and only illustrates the syntax.
CREATE ROLE test2
    WITH LOGIN
         PASSWORD 'test2'
         VALID UNTIL '2020-06-30';
建立有建立資料庫和管理角色許可權的使用者admin:
-- Non-login administrative role (CREATE ROLE defaults to NOLOGIN, so it is used
-- through membership or SET ROLE).  CREATEROLE lets it create, alter and drop
-- other non-superuser roles and create roles with attributes it does not hold
-- itself (everything except SUPERUSER); the manual therefore treats it as an
-- almost-superuser.  Grant it only to trusted operators.
CREATE ROLE admin
    WITH CREATEDB
         CREATEROLE;
注意:擁有建立資料庫、角色許可權的使用者,也可以刪除和修改這些物件;CREATEROLE 還能建立擁有自己所沒有屬性(superuser 除外)的角色並授予/撤銷角色成員關係,官方文件建議視為準超級使用者,只授予受信任的管理帳號。
建立具有超級許可權的使用者:admin
-- SUPERUSER bypasses every permission check, so a login-capable superuser
-- protected by a guessable password ('admin') is a full compromise of the
-- cluster.  Use a long generated password (set via \password) and restrict
-- where it may connect from in pg_hba.conf.
-- NOTE(review): a role named admin is already created earlier on this page;
-- running both statements as written fails with "role "admin" already exists".
CREATE ROLE admin
    WITH SUPERUSER
         LOGIN
         PASSWORD 'admin';
建立複製賬號:repl
-- Replication account.  REPLICATION allows connecting in replication mode and
-- creating/dropping replication slots, i.e. streaming the cluster's WAL (and,
-- with pg_basebackup, the whole data directory) -- treat the credential like a
-- superuser password and limit its pg_hba.conf `replication` line to the
-- standby's address.  'repl' is a demo value.  ENCRYPTED is accepted but has
-- no effect on PostgreSQL 10+, where passwords are always stored hashed.
CREATE USER repl
    WITH REPLICATION
         LOGIN
         ENCRYPTED PASSWORD 'repl';
其他說明
建立複製使用者
-- Two variants of the same replication user; run one or the other (the second
-- CREATE USER fails with "already exists").  On PostgreSQL 10+ an empty
-- password string stores a NULL password, so the first variant cannot use
-- password authentication at all -- combined with a `trust` replication rule
-- in pg_hba.conf that would be unauthenticated WAL access.  Set a real
-- password before use.
CREATE USER abc WITH REPLICATION LOGIN ENCRYPTED PASSWORD '';
CREATE USER abc WITH REPLICATION LOGIN ENCRYPTED PASSWORD 'abc';
-- Same caveat: this clears work's password rather than setting one (10+).
ALTER USER work WITH ENCRYPTED PASSWORD '';
建立 schema 擁有者角色與資料庫
-- Owner role for the application database.  It has no LOGIN (CREATE ROLE
-- default): it exists only to own objects; login users are made members of it.
CREATE ROLE abc;
-- Database owned by that role.  template0 lets the encoding be chosen freely.
-- The owner implicitly holds CONNECT/CREATE/TEMP on the database.
CREATE DATABASE abc
    WITH OWNER abc
         ENCODING UTF8
         TEMPLATE template0;
-- psql meta-command: reconnect the session to the new database.
\c abc
建立schema
-- Application schema, owned by the owner role rather than by the superuser
-- running this script.
CREATE SCHEMA abc;
ALTER SCHEMA abc OWNER TO abc;
-- Hardening: before PostgreSQL 15 every role (PUBLIC) may CREATE objects in the
-- public schema, which enables object-squatting / search_path hijacking of
-- other users' queries.  Revoking it is recommended; on 15+ this is already
-- the default and the statement is a harmless no-op.
REVOKE CREATE ON SCHEMA public FROM PUBLIC;
建立使用者
-- NOTE(review): as printed this block cannot run: `create user abc` fails
-- because a role named abc was created above, a role cannot be granted
-- membership in itself, and `ALTER ROLE abc WITH abc` is not valid syntax.
-- The names look like anonymised placeholders; the apparent intent is "create
-- a login user and make it a member of the owner role" -- confirm against the
-- original before use.  An empty password string stores a NULL password on
-- PostgreSQL 10+, so the user cannot use password authentication until one is
-- set (psql \password); ENCRYPTED is a no-op on 10+.
create user abc with ENCRYPTED password '';
GRANT abc to abc;
ALTER ROLE abc WITH abc;
##建立讀寫賬號
-- Group roles carrying the two privilege sets (read/write, read-only).  They
-- have no LOGIN and no password; login users are granted membership below, so
-- access is managed in one place instead of per user.
CREATE ROLE abc_rw WITH NOLOGIN;
CREATE ROLE abc_rr WITH NOLOGIN;
##賦予訪問資料庫許可權,schema許可權
-- Read/write group: may connect to the database and look up objects in the
-- application schema.  USAGE on the schema is required even when the table
-- grants exist -- without it qualified names fail too.
GRANT CONNECT ON DATABASE abc TO abc_rw;
GRANT USAGE   ON SCHEMA   abc TO abc_rw;
##賦予讀寫許可權
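-- DML on every table that exists in the schema right now for the read/write
-- group.  The page granted this to the owner role abc, which already owns the
-- tables (a no-op); the read/write group abc_rw set up just above is the
-- intended target, matching the later `GRANT abc_rw TO abc_w`.
-- Tables created later are covered by ALTER DEFAULT PRIVILEGES, not by this.
GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA abc TO abc_rw;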
賦予序列許可權
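-- Sequence privileges for the read/write group.  INSERTs into serial/identity
-- columns need nextval (USAGE) and possibly currval (SELECT); ALL would also
-- grant UPDATE, i.e. setval, which lets a client rewind a sequence and is not
-- needed for ordinary writes.  Grantee corrected from the owner role abc to
-- the read/write group abc_rw.
GRANT USAGE, SELECT ON ALL SEQUENCES IN SCHEMA abc TO abc_rw;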
賦予預設許可權
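-- Default privileges so that tables created *later* in the schema are also
-- readable/writable by the group.  ALTER DEFAULT PRIVILEGES only applies to
-- objects created by the role named in FOR ROLE (the current role when
-- omitted); the ownership set up above suggests tables are created by the
-- owner role abc, so FOR ROLE abc is needed when this runs as postgres.
-- Grantee corrected from the owner role abc to the read/write group abc_rw.
ALTER DEFAULT PRIVILEGES FOR ROLE abc IN SCHEMA abc
    GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO abc_rw;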
賦予序列許可權
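-- Default privileges on sequences created later by the owner role abc (FOR
-- ROLE added for the same reason as on the tables).  USAGE + SELECT cover
-- nextval/currval; ALL would also hand out setval.  Grantee corrected to the
-- read/write group abc_rw.
ALTER DEFAULT PRIVILEGES FOR ROLE abc IN SCHEMA abc
    GRANT USAGE, SELECT ON SEQUENCES TO abc_rw;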
#使用者對db要有連線許可權
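-- Read-only group: may connect to the database.  The page granted this to the
-- owner role abc, which already owns the database; the read-only group abc_rr
-- (later granted to abc_r) is the intended target.
GRANT CONNECT ON DATABASE abc TO abc_rr;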
#使用者要對schema有 USAGE 許可權,否則即使寫成 schema_name.table 完整限定名也無法存取其中的物件(USAGE 是「查找」schema 內物件的前提,不只是影響搜索路徑)
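-- Read-only group needs USAGE on the schema to look up objects in it; without
-- it even fully qualified SELECTs are refused.  Grantee corrected from the
-- owner role abc to the read-only group abc_rr.
GRANT USAGE ON SCHEMA abc TO abc_rr;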
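-- Read-only group: SELECT on existing tables, and on tables created later by
-- the owner role abc (FOR ROLE added so the default applies to abc's objects
-- when this is run by another role).  Grantee corrected from abc to abc_rr.
GRANT SELECT ON ALL TABLES IN SCHEMA abc TO abc_rr;
ALTER DEFAULT PRIVILEGES FOR ROLE abc IN SCHEMA abc
    GRANT SELECT ON TABLES TO abc_rr;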
-- One login user per group.  The empty password strings are placeholders: on
-- PostgreSQL 10+ '' stores a NULL password, so these users cannot use
-- password authentication until a real one is set (psql \password).
-- ENCRYPTED is a no-op on 10+.
CREATE USER abc_w WITH ENCRYPTED PASSWORD '';
CREATE USER abc_r WITH ENCRYPTED PASSWORD '';
-- All privileges come via group membership, so revoking access later is a
-- single REVOKE of the membership.
GRANT abc_rw TO abc_w;
GRANT abc_rr TO abc_r;
授權,定義訪問許可權
GRANT { { SELECT | INSERT | UPDATE | DELETE | TRUNCATE | REFERENCES | TRIGGER }
[, ...] | ALL [ PRIVILEGES ] }
ON { [ TABLE ] table_name [, ...]
| ALL TABLES IN SCHEMA schema_name [, ...] }
TO role_specification [, ...] [ WITH GRANT OPTION ]
##單表授權:授權test賬號可以訪問schema為test的t1表
-- Single-table grant: role test may read and modify rows of test.t1.
-- DML only -- no TRUNCATE, REFERENCES or TRIGGER, and no GRANT OPTION.
GRANT SELECT, INSERT, UPDATE, DELETE
    ON test.t1
    TO test;
##所有表授權:
-- Bulk grant over the tables that exist in schema test at this moment; tables
-- created afterwards are not covered (use ALTER DEFAULT PRIVILEGES for those).
GRANT SELECT, INSERT, UPDATE, DELETE
    ON ALL TABLES IN SCHEMA test
    TO test;
GRANT { { SELECT | INSERT | UPDATE | REFERENCES } ( column_name [, ...] )
[, ...] | ALL [ PRIVILEGES ] ( column_name [, ...] ) }
ON [ TABLE ] table_name [, ...]
TO role_specification [, ...] [ WITH GRANT OPTION ]
##列授權,授權指定列(test schema下的t1表的name列)的更新許可權給test使用者
-- Column-level grant: test may UPDATE only the name column of test.t1.
-- A non-trivial UPDATE also needs SELECT on the columns its WHERE reads.
GRANT UPDATE (name)
    ON test.t1
    TO test;
##指定列授不同許可權,test schema下的t1表,檢視更新name、id欄位,插入name欄位
-- Mixed column-level grants on test.t1: read and update name and id, insert
-- only name (every other column takes its default on INSERT).
GRANT SELECT (name, id),
      UPDATE (name, id),
      INSERT (name)
    ON test.t1
    TO test;
GRANT { { USAGE | SELECT | UPDATE }
[, ...] | ALL [ PRIVILEGES ] }
ON { SEQUENCE sequence_name [, ...]
| ALL SEQUENCES IN SCHEMA schema_name [, ...] }
TO role_specification [, ...] [ WITH GRANT OPTION ]
##序列(自增鍵)屬性授權,指定test schema下的seq_id_seq 給test使用者
-- One sequence: SELECT allows currval, UPDATE allows nextval and setval.
-- setval can rewind the sequence; if test only needs nextval/currval, USAGE
-- is the narrower grant.
GRANT SELECT, UPDATE
    ON SEQUENCE test.seq_id_seq
    TO test;
##序列(自增鍵)屬性授權,給使用者test授權test schema下的所有序列
-- Every sequence currently in schema test: currval (SELECT) plus nextval and
-- setval (UPDATE).  Sequences created later are not covered.
GRANT SELECT, UPDATE
    ON ALL SEQUENCES IN SCHEMA test
    TO test;
GRANT { { CREATE | CONNECT | TEMPORARY | TEMP } [, ...] | ALL [ PRIVILEGES ] }
ON DATABASE database_name [, ...]
TO role_specification [, ...] [ WITH GRANT OPTION ]
##連線資料庫許可權,授權test使用者連線資料庫testdb
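-- Allow user test to connect to database testdb.  The page had the two names
-- swapped (ON DATABASE test TO testdb), which would grant CONNECT on a
-- database named test to a role named testdb.  CONNECT is checked at
-- connection start, after pg_hba.conf has accepted the connection.
GRANT CONNECT ON DATABASE testdb TO test;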
GRANT { USAGE | ALL [ PRIVILEGES ] }
ON DOMAIN domain_name [, ...]
TO role_specification [, ...] [ WITH GRANT OPTION ]
##
GRANT { USAGE | ALL [ PRIVILEGES ] }
ON FOREIGN DATA WRAPPER fdw_name [, ...]
TO role_specification [, ...] [ WITH GRANT OPTION ]
##
GRANT { USAGE | ALL [ PRIVILEGES ] }
ON FOREIGN SERVER server_name [, ...]
TO role_specification [, ...] [ WITH GRANT OPTION ]
##
GRANT { EXECUTE | ALL [ PRIVILEGES ] }
ON { { FUNCTION | PROCEDURE | ROUTINE } routine_name [ ( [ [ argmode ] [ arg_name ] arg_type [, ...] ] ) ] [, ...]
| ALL { FUNCTIONS | PROCEDURES | ROUTINES } IN SCHEMA schema_name [, ...] }
TO role_specification [, ...] [ WITH GRANT OPTION ]
##
GRANT { USAGE | ALL [ PRIVILEGES ] }
ON LANGUAGE lang_name [, ...]
TO role_specification [, ...] [ WITH GRANT OPTION ]
##
GRANT { { SELECT | UPDATE } [, ...] | ALL [ PRIVILEGES ] }
ON LARGE OBJECT loid [, ...]
TO role_specification [, ...] [ WITH GRANT OPTION ]##
GRANT { { CREATE | USAGE } [, ...] | ALL [ PRIVILEGES ] }
ON SCHEMA schema_name [, ...]
TO role_specification [, ...] [ WITH GRANT OPTION ]
##schema 存取許可權,授權 demo 查找並使用 test schema 內的物件(物件本身的表/序列許可權仍需另外授予)
-- Schema access: demo may look up objects in schema test.  USAGE by itself
-- grants nothing on the objects; table/sequence privileges are still required.
GRANT USAGE
    ON SCHEMA test
    TO demo;
GRANT { CREATE | ALL [ PRIVILEGES ] }
ON TABLESPACE tablespace_name [, ...]
TO role_specification [, ...] [ WITH GRANT OPTION ]
GRANT { USAGE | ALL [ PRIVILEGES ] }
ON TYPE type_name [, ...]
TO role_specification [, ...] [ WITH GRANT OPTION ]
where role_specification can be:
[ GROUP ] role_name
| PUBLIC
| CURRENT_USER
| SESSION_USER
GRANT role_name [, ...] TO role_name [, ...] [ WITH ADMIN OPTION ]
##把角色 test 的成員資格授予 demo:demo 在預設的 INHERIT 下自動擁有授予 test 的所有許可權,也可以 SET ROLE test;沒有 WITH ADMIN OPTION 時 demo 不能再把這個成員資格轉授他人。
-- Role membership: demo becomes a member of test and, with the default
-- INHERIT, exercises every privilege granted to test and may SET ROLE test.
-- Without WITH ADMIN OPTION demo cannot pass the membership on.
GRANT test TO demo;
許可權說明:
SELECT:允許從指定表,檢視或序列的任何列或列出的特定列進行SELECT。也允許使用COPY TO。在UPDATE或DELETE中引用現有列值也需要此許可權。對於序列,此許可權還允許使用currval函式。對於大物件,此許可權允許讀取物件。
INSERT:允許將新行INSERT到指定的表中。如果列出了特定列,則只能在INSERT命令中為這些列分配(因此其他列將接收預設值)。也允許COPY FROM。
UPDATE:允許更新指定表的任何列或列出的特定列。實際上,非平凡的 UPDATE 也需要 SELECT 許可權(WHERE 條件或 RETURNING 會讀取列值)。對於序列,此許可權允許使用 nextval 和 setval 函式;對於大物件,允許寫入或截斷物件。
DELETE:允許刪除指定表中的行。實際上,非平凡的 DELETE 也需要 SELECT 許可權(WHERE 條件會讀取列值)。
TRUNCATE:允許對指定的表執行 TRUNCATE。
REFERENCES:允許建立引用指定表或表的指定列的外來鍵約束。
TRIGGER:允許在指定的表上建立觸發器。
CREATE:對於資料庫,允許在資料庫中建立新的 schema(建立 table、index 需要的是所在 schema 上的 CREATE 許可權,不是資料庫上的);對於 schema,允許在其中建立新物件;對於表空間,允許在其中建立表、索引。
CONNECT:允許使用者連線到指定的資料庫。在連線啟動時檢查此許可權。
TEMPORARY、TEMP:允許在使用指定資料庫時建立臨時表。
EXECUTE:允許呼叫指定的函式或過程(包括用該函式實作的運算子)。這是函式和過程上唯一可用的許可權類型。
USAGE:對於schema,允許訪問指定模式中包含的物件;對於sequence,允許使用currval和nextval函式。對於型別和域,允許在建立表,函式和其他模式物件時使用型別或域。
ALL PRIVILEGES:一次授予所有可用許可權。
使用者授權官方英文文件地址 https://www.postgresql.org/docs/12/sql-grant.html
使用者授權官方中文文件地址 http://www.postgres.cn/docs/11/sql-grant.html
撤銷許可權
REVOKE [ GRANT OPTION FOR ]
{ { SELECT | INSERT | UPDATE | DELETE | TRUNCATE | REFERENCES | TRIGGER }
[, ...] | ALL [ PRIVILEGES ] }
ON { [ TABLE ] table_name [, ...]
| ALL TABLES IN SCHEMA schema_name [, ...] }
FROM { [ GROUP ] role_name | PUBLIC } [, ...]
[ CASCADE | RESTRICT ]
##移除使用者test在schema test上所有表的select許可權
-- Revoke the SELECT that was granted directly to test on the tables currently
-- in schema test.  Privileges test holds through role membership, and default
-- privileges for future tables, are not affected by this statement.
REVOKE SELECT
    ON ALL TABLES IN SCHEMA test
    FROM test;
REVOKE [ GRANT OPTION FOR ]
{ { SELECT | INSERT | UPDATE | REFERENCES } ( column_name [, ...] )
[, ...] | ALL [ PRIVILEGES ] ( column_name [, ...] ) }
ON [ TABLE ] table_name [, ...]
FROM { [ GROUP ] role_name | PUBLIC } [, ...]
[ CASCADE | RESTRICT ]
##移除使用者test在test schema的t1表的id列的查詢許可權
-- Column-level revoke: drop test's SELECT on test.t1.id.  A table-level SELECT
-- grant, if one exists, still covers the column and must be revoked separately.
REVOKE SELECT (id)
    ON test.t1
    FROM test;
REVOKE [ GRANT OPTION FOR ]
{ { USAGE | SELECT | UPDATE }
[, ...] | ALL [ PRIVILEGES ] }
ON { SEQUENCE sequence_name [, ...]
| ALL SEQUENCES IN SCHEMA schema_name [, ...] }
FROM { [ GROUP ] role_name | PUBLIC } [, ...]
[ CASCADE | RESTRICT ]
##序列
REVOKE [ GRANT OPTION FOR ]
{ { CREATE | CONNECT | TEMPORARY | TEMP } [, ...] | ALL [ PRIVILEGES ] }
ON DATABASE database_name [, ...]
FROM { [ GROUP ] role_name | PUBLIC } [, ...]
[ CASCADE | RESTRICT ]
##庫
REVOKE [ GRANT OPTION FOR ]
{ USAGE | ALL [ PRIVILEGES ] }
ON DOMAIN domain_name [, ...]
FROM { [ GROUP ] role_name | PUBLIC } [, ...]
[ CASCADE | RESTRICT]
##
REVOKE [ GRANT OPTION FOR ]
{ USAGE | ALL [ PRIVILEGES ] }
ON FOREIGN DATA WRAPPER fdw_name [, ...]
FROM { [ GROUP ] role_name | PUBLIC } [, ...]
[ CASCADE | RESTRICT]
##
REVOKE [ GRANT OPTION FOR ]
{ USAGE | ALL [ PRIVILEGES ] }
ON FOREIGN SERVER server_name [, ...]
FROM { [ GROUP ] role_name | PUBLIC } [, ...]
[ CASCADE | RESTRICT]
##
REVOKE [ GRANT OPTION FOR ]
{ EXECUTE | ALL [ PRIVILEGES ] }
ON { { FUNCTION | PROCEDURE | ROUTINE } function_name [ ( [ [ argmode ] [ arg_name ] arg_type [, ...] ] ) ] [, ...]
| ALL { FUNCTIONS | PROCEDURES | ROUTINES } IN SCHEMA schema_name [, ...] }
FROM { [ GROUP ] role_name | PUBLIC } [, ...]
[ CASCADE | RESTRICT ]
##
REVOKE [ GRANT OPTION FOR ]
{ USAGE | ALL [ PRIVILEGES ] }
ON LANGUAGE lang_name [, ...]
FROM { [ GROUP ] role_name | PUBLIC } [, ...]
[ CASCADE | RESTRICT ]
##
REVOKE [ GRANT OPTION FOR ]
{ { SELECT | UPDATE } [, ...] | ALL [ PRIVILEGES ] }
ON LARGE OBJECT loid [, ...]
FROM { [ GROUP ] role_name | PUBLIC } [, ...]
[ CASCADE | RESTRICT ]
##
REVOKE [ GRANT OPTION FOR ]
{ { CREATE | USAGE } [, ...] | ALL [ PRIVILEGES ] }
ON SCHEMA schema_name [, ...]
FROM { [ GROUP ] role_name | PUBLIC } [, ...]
[ CASCADE | RESTRICT ]
##schema許可權
REVOKE [ GRANT OPTION FOR ]
{ CREATE | ALL [ PRIVILEGES ] }
ON TABLESPACE tablespace_name [, ...]
FROM { [ GROUP ] role_name | PUBLIC } [, ...]
[ CASCADE | RESTRICT ]
##
REVOKE [ GRANT OPTION FOR ]
{ USAGE | ALL [ PRIVILEGES ] }
ON TYPE type_name [, ...]
FROM { [ GROUP ] role_name | PUBLIC } [, ...]
[ CASCADE | RESTRICT ]
##
REVOKE [ ADMIN OPTION FOR ]
role_name [, ...] FROM role_name [, ...]
[ CASCADE | RESTRICT ]
注意:預設情況下(PostgreSQL 15 之前)所有角色(PUBLIC)對 public schema 擁有 CREATE 和 USAGE 許可權,任何使用者都能在其中建立物件,並可能藉由 search_path 用同名物件劫持其他使用者的查詢;為了安全應撤銷 PUBLIC 對 public schema 的 CREATE 許可權(PostgreSQL 15 起預設已不再授予)。
##移除所有使用者(PUBLIC)對目前 DB 下 public schema 的 CREATE 許可權;superuser 與 schema 擁有者不受影響,需在每個資料庫分別執行。
-- Remove PUBLIC's CREATE right on the public schema of the current database so
-- ordinary users cannot plant objects that shadow others' via search_path.
-- Superusers and the schema owner are unaffected; repeat per database.
-- PostgreSQL 15+ ships with this as the default.
REVOKE CREATE
    ON SCHEMA public
    FROM PUBLIC;