本文簡單介紹了PostgreSQL的權限和用戶管理基礎知識,原文詳見 PostgreSQL Privileges & User Management - What You Should Know ,有所刪減和調整.
Roles
PostgreSQL使用基于角色的權限管理系統.
PostgreSQL中的用戶user和角色role是一回事,區別是在創建用戶時具備了LOGIN權限而角色沒有,因此以下不再提及用戶均以角色描述.
testdb=# create role testrole with password 'test';
CREATE ROLE
testdb=# create user testuser with password 'test';
CREATE ROLE
退出psql,分別以testrole和testuser登錄
testdb=# \q
[pg12@localhost ~]$ psql -U testrole -d testdb
psql: error: could not connect to server: FATAL: role "testrole" is not permitted to log in
[pg12@localhost ~]$ psql -U testuser -d testdb
psql (12beta1)
Type "help" for help.
testdb=>
在創建角色時,以下權限是常用的選項:
SUPERUSER - 超級用戶,SUPERUSER可創建新的SUPERUSER,SUPERUSER可跳過所有的權限檢查.
CREATEDB - 可創建databases.
CREATEROLE - 可創建其他角色.
LOGIN - 可登錄.
事實上,如果沒有LOGIN權限,那么就算是SUPERUSER也登錄不了
testdb=# create role user1 with password 'test'
SUPERUSER CREATEROLE NOLOGIN;
CREATE ROLE
testdb=# \q
[pg12@localhost ~]$ psql -U user1 -d testdb
psql: error: could not connect to server: FATAL: role "user1" is not permitted to log in
[pg12@localhost ~]$
在psql下,使用\du命令可查看角色信息
testdb=# \du
List of roles
Role name | Attributes | Member of
------------+------------------------------------------------------------+-----------
pg12 | Superuser, Create role, Create DB, Replication, Bypass RLS | {}
replicator | Replication | {}
testrole | Cannot login | {}
testuser | | {}
user1 | Superuser, Create role, Cannot login | {}
Informational
(options: S = show system objects, + = additional detail)
...
\du[S+] [PATTERN] list roles
...
pg_hba.conf
配置服務器與客戶端之間的連接,查詢pg_setting視圖可檢索當前的hba文件在什么地方
testdb=# SELECT name, setting
testdb-# FROM pg_settings WHERE name LIKE '%hba%';
name | setting
----------+---------------------------------
hba_file | /data/pgsql/pg12db1/pg_hba.conf
(1 row)
hba文件的條目形如以下的設置
local database user address auth-method [auth-options]
其中:
第一項是指連接方式,local是Unix-domain sockets,host是TCP/IP連接
第二項是數據庫,all表示所有
第三項是用戶,all表示所有
第四項是地址,如192.168.0.0/16
第五項auth-method是認證方法,包括trust,reject,scram-sha-256,md5,password,gss,sspi,ident,peer,ldap,radius,cert,pam,bsd.詳見的,trust表示不需要password,password表示明文密碼,md5表示使用md5加密密碼傳輸等
通過查詢pg_hba_file_rules視圖可查看當前的hba配置
testdb=# SELECT * FROM pg_hba_file_rules;
line_number | type | database | user_name | address | netmask | auth_method | options | error
-------------+-------+---------------+-----------+---------------+-----------------------------------------+-------------+---------+-------
84 | local | {all} | {all} | | | trust | |
86 | host | {all} | {all} | 127.0.0.1 | 255.255.255.255 | trust | |
87 | host | {all} | {all} | 192.168.0.0 | 255.255.0.0 | md5 | |
89 | host | {all} | {all} | ::1 | ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff | trust | |
92 | local | {replication} | {all} | | | trust | |
93 | host | {replication} | {all} | 127.0.0.1 | 255.255.255.255 | trust | |
94 | host | {replication} | {all} | ::1 | ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff | trust | |
95 | host | {replication} | {all} | 192.168.26.26 | 255.255.255.255 | trust | |
96 | host | {replication} | {all} | 192.168.26.27 | 255.255.255.255 | trust | |
97 | host | {replication} | {all} | 192.168.26.29 | 255.255.255.255 | trust | |
(10 rows)
修改pg_hba.conf文件后,可通過pg_ctl reload命令刷新配置文件到pg_hba_file_rules中.
比如刪除line_number = 97的條目,刷新
host replication all 192.168.26.26/32 trust
host replication all 192.168.26.27/32 trust
~
:x
[pg12@localhost pg12db1]$ pg_ctl reload
server signaled
testdb=# SELECT * FROM pg_hba_file_rules;
line_number | type | database | user_name | address | netmask | auth_method | options | error
-------------+-------+---------------+-----------+---------------+-----------------------------------------+-------------+---------+-------
84 | local | {all} | {all} | | | trust | |
86 | host | {all} | {all} | 127.0.0.1 | 255.255.255.255 | trust | |
87 | host | {all} | {all} | 192.168.0.0 | 255.255.0.0 | md5 | |
89 | host | {all} | {all} | ::1 | ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff | trust | |
92 | local | {replication} | {all} | | | trust | |
93 | host | {replication} | {all} | 127.0.0.1 | 255.255.255.255 | trust | |
94 | host | {replication} | {all} | ::1 | ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff | trust | |
95 | host | {replication} | {all} | 192.168.26.26 | 255.255.255.255 | trust | |
96 | host | {replication} | {all} | 192.168.26.27 | 255.255.255.255 | trust | |
(9 rows)
Database, Table, and Column level privileges
Role一旦創建,具備LOGIN權限,并且在hba中配置可以訪問數據庫,那么就具備了操縱數據庫的權限包括創建數據表/插入數據等DDL/DML的權限,但如果需要訪問其他owner創建的對象,則需要授權.
比如用戶pg12創建了數據表t1,但沒有授權給demouser,雖然demouser可以訪問t1,但無法查詢
[pg12@localhost ~]$ psql -h 192.168.26.28 -U demouser -d testdb
Password for user demouser:
psql (12beta1)
Type "help" for help.
testdb=> create table t2(id int);
CREATE TABLE
testdb=> drop table t2;
DROP TABLE
testdb=> \d+ t1
Table "public.t1"
Column | Type | Collation | Nullable | Default | Storage | Stats target | Description
--------+---------+-----------+----------+---------+---------+--------------+-------------
id | integer | | | | plain | |
c1 | integer | | | | plain | |
c2 | integer | | | | plain | |
Access method: heap
testdb=> select * from t1;
psql: ERROR: permission denied for table t1
另外,PostgreSQL為了實現精細化的權限管理,提供了列級的訪問授權,其GRANT語句語法如下,其中column_name部分可指定列權限:
GRANT { { SELECT | INSERT | UPDATE | REFERENCES } ( column_name [, ...] )
[, ...] | ALL [ PRIVILEGES ] ( column_name [, ...] ) }
ON [ TABLE ] table_name [, ...]
TO role_specification [, ...] [ WITH GRANT OPTION ]
指定t1.id可以給demouser訪問:
testdb=# GRANT SELECT (id) ON TABLE t1 TO demouser;
GRANT
demouser可以訪問id列
testdb=> select * from t1;
psql: ERROR: permission denied for table t1
testdb=> select id from t1;
id
----
(0 rows)
參考資料
PostgreSQL Privileges & User Management - What You Should Know
CREATE ROLE
