查看pg 用户组_PostgreSQL 角色管理
一、角色與用戶的區別
角色就相當于崗位:角色可以是經理,助理。
用戶就是具體的人:比如陳XX經理,朱XX助理,王XX助理。
在PostgreSQL 里沒有區分用戶和角色的概念,"CREATE USER" 為 "CREATE ROLE" 的別名,這兩個命令幾乎是完全相同的,唯一的區別是"CREATE USER" 命令創建的用戶默認帶有LOGIN屬性,而"CREATE ROLE" 命令創建的用戶默認不帶LOGIN屬性(CREATE USER?is equivalent to?CREATE ROLE?except that?CREATE USER?assumes?LOGIN?by default, while?CREATE ROLE?does not)。
1.1 創建角色與用戶
CREATE ROLE 語法
CREATE ROLE name [[ WITH] option [...]]where optioncan be:
SUPERUSER|NOSUPERUSER| CREATEDB |NOCREATEDB| CREATEROLE |NOCREATEROLE| CREATEUSER |NOCREATEUSER| INHERIT |NOINHERIT| LOGIN |NOLOGIN| REPLICATION |NOREPLICATION|CONNECTION LIMIT connlimit| [ENCRYPTED | UNENCRYPTED] PASSWORD 'password'
| VALID UNTIL 'timestamp'
| IN ROLE role_name [, ...]
| IN GROUP role_name [, ...]
| ROLE role_name [, ...]
| ADMIN role_name [, ...]
| USER role_name [, ...]
| SYSID uid
創建david 角色和sandy 用戶
postgres=# CREATE ROLE david; //默認不帶LOGIN屬性CREATEROLE
postgres=# CREATE USER sandy; //默認具有LOGIN屬性CREATEROLE
postgres=# \du
Listofroles
Role name| Attributes | Member of
-----------+------------------------------------------------+-----------
david | Cannot login |{}
postgres| Superuser, Create role, Create DB, Replication |{}
sandy| |{}
postgres=#
postgres=# SELECT rolname frompg_roles ;
rolname----------
postgres
david
sandy
(3rows)
postgres=# SELECT usename frompg_user; //角色david 創建時沒有分配login權限,所以沒有創建用戶
usename----------
postgres
sandy
(2rows)
postgres=#
1.2 驗證LOGIN屬性
postgres@CS-DEV:~> psql -U david
psql: FATAL: role "david"is not permitted to log inpostgres@CS-DEV:~> psql -U sandy
psql: FATAL:database "sandy" does notexist
postgres@CS-DEV:~> psql -U sandy -d postgres
psql (9.1.0)
Type "help"forhelp.
postgres=>\dt
No relations found.
postgres=>
用戶sandy 可以登錄,角色david 不可以登錄。
1.3 修改david 的權限,增加LOGIN權限
postgres=# ALTERROLE david LOGIN ;ALTERROLE
postgres=# \du
Listofroles
Role name| Attributes | Member of
-----------+------------------------------------------------+-----------
david | |{}
postgres| Superuser, Create role, Create DB, Replication |{}
sandy| |{}
postgres=# SELECT rolname frompg_roles ;
rolname----------
postgres
sandy
david
(3rows)
postgres=# SELECT usename frompg_user; //給david 角色分配login權限,系統將自動創建同名用戶david
usename----------
postgres
sandy
david
(3rows)
postgres=#
1.4 再次驗證LOGIN屬性
postgres@CS-DEV:~> psql -U david -d postgres
psql (9.1.0)
Type "help"forhelp.
postgres=>\du
Listofroles
Role name| Attributes | Member of
-----------+------------------------------------------------+-----------
david | |{}
postgres| Superuser, Create role, Create DB, Replication |{}
sandy| |{}
postgres=>
david 現在也可以登錄了。
二、查看角色信息
psql 終端可以用\du 或\du+ 查看,也可以查看系統表 select * from pg_roles;
postgres=>\du
Listofroles
Role name| Attributes | Member of
-----------+------------------------------------------------+-----------
david | Cannot login |{}
postgres| Superuser, Create role, Create DB, Replication |{}
sandy| |{}
postgres=> \du+Listofroles
Role name| Attributes | Member of |Description-----------+------------------------------------------------+-----------+-------------
david | Cannot login | {} |postgres| Superuser, Create role, Create DB, Replication | {} |sandy| | {} |postgres=> SELECT * frompg_roles;
rolname| rolsuper | rolinherit | rolcreaterole | rolcreatedb | rolcatupdate | rolcanlogin | rolreplication | rolconnlimit | rolpassword | rolvaliduntil | rolconfig |oid----------+----------+------------+---------------+-------------+--------------+-------------+----------------+--------------+-------------+---------------+-----------+-------
postgres | t | t | t | t | t | t | t | -1 | ******** | | | 10david| f | t | f | f | f | f | f | -1 | ******** | | | 49438sandy| f | t | f | f | f | t | f | -1 | ******** | | | 49439(3rows)
postgres=>
三、角色屬性(Role Attributes)
一個數據庫角色可以有一系列屬性,這些屬性定義了他的權限。
屬性
說明
login
只有具有 LOGIN 屬性的角色可以用做數據庫連接的初始角色名。
superuser
數據庫超級用戶
createdb
創建數據庫權限
createrole
允許其創建或刪除其他普通的用戶角色(超級用戶除外)
replication
做流復制的時候用到的一個用戶屬性,一般單獨設定。
password
在登錄時要求指定密碼時才會起作用,比如md5或者password模式,跟客戶端的連接認證方式有關
inherit
用戶組對組員的一個繼承標志,成員可以繼承用戶組的權限特性
...
...
四、創建用戶時賦予角色屬性
從pg_roles 表里查看到的信息,在上面創建的david 用戶時,默認沒有創建數據庫等權限。
postgres@CS-DEV:~> psql -U david -d postgres
psql (9.1.0)
Type "help"forhelp.
postgres=>\du
Listofroles
Role name| Attributes | Member of
-----------+------------------------------------------------+-----------
david | |{}
postgres| Superuser, Create role, Create DB, Replication |{}
sandy| |{}
postgres=> CREATE DATABASEtest;
ERROR: permission deniedto create databasepostgres=>
如果要在創建角色時就賦予角色一些屬性,可以使用下面的方法。
首先切換到postgres 用戶。
4.1 創建角色bella 并賦予其CREATEDB 的權限。
postgres=# CREATEROLE bella CREATEDB ;CREATEROLE
postgres=# \du
Listofroles
Role name| Attributes | Member of
-----------+------------------------------------------------+-----------
bella | Create DB, Cannot login |{}
david| |{}
postgres| Superuser, Create role, Create DB, Replication |{}
sandy| |{}
postgres=#
4.2 創建角色renee 并賦予其創建數據庫及帶有密碼登錄的屬性。
postgres=# CREATE ROLE renee CREATEDB PASSWORD 'abc123'LOGIN;CREATEROLE
postgres=# \du
Listofroles
Role name| Attributes | Member of
-----------+------------------------------------------------+-----------
bella | Create DB, Cannot login |{}
david| |{}
postgres| Superuser, Create role, Create DB, Replication |{}
renee| Create DB |{}
sandy| |{}
postgres=#
4.3 測試renee 角色
a. 登錄
postgres@CS-DEV:~> psql -U renee -d postgres
psql (9.1.0)
Type "help"forhelp.
postgres=>
用renee 用戶登錄數據庫,發現不需要輸入密碼既可登錄,不符合實際情況。
b. 查找原因
在角色屬性中關于password的說明,在登錄時要求指定密碼時才會起作用,比如md5或者password模式,跟客戶端的連接認證方式有關。
查看pg_hba.conf 文件,發現local 的METHOD 為trust,所以不需要輸入密碼。
將local 的METHOD 更改為password,然后保存重啟postgresql。
c.?再次驗證
提示輸入密碼,輸入正確密碼后進入到數據庫。
d. 測試創建數據庫
創建成功。
五、給已存在用戶賦予各種權限
使用ALTER ROLE 命令。
ALTER ROLE 語法:
ALTER ROLE name [[ WITH] option [...]]where optioncan be:
SUPERUSER|NOSUPERUSER| CREATEDB |NOCREATEDB| CREATEROLE |NOCREATEROLE| CREATEUSER |NOCREATEUSER| INHERIT |NOINHERIT| LOGIN |NOLOGIN| REPLICATION |NOREPLICATION|CONNECTION LIMIT connlimit| [ENCRYPTED | UNENCRYPTED] PASSWORD 'password'
| VALID UNTIL 'timestamp'
ALTER ROLE name RENAME TOnew_nameALTER ROLE name [IN DATABASE database_name] SET configuration_parameter { TO | = } { value | DEFAULT}ALTER ROLE name [IN DATABASE database_name] SET configuration_parameter FROM CURRENT
ALTER ROLE name [IN DATABASE database_name]RESET configuration_parameterALTER ROLE name [IN DATABASE database_name] RESET ALL
5.1 賦予bella 登錄權限
a. 查看現在的角色屬性
postgres=# \du
Listofroles
Role name| Attributes | Member of
-----------+------------------------------------------------+-----------
bella | Create DB, Cannot login |{}
david| |{}
postgres| Superuser, Create role, Create DB, Replication |{}
renee| Create DB |{}
sandy| |{}
postgres=#
b. 賦予登錄權限
postgres=# ALTER ROLE bella WITHLOGIN;ALTERROLE
postgres=# \du
Listofroles
Role name| Attributes | Member of
-----------+------------------------------------------------+-----------
bella | Create DB |{}
david| |{}
postgres| Superuser, Create role, Create DB, Replication |{}
renee| Create DB |{}
sandy| |{}
postgres=#
5.2 賦予renee 創建角色的權限
postgres=# ALTER ROLE renee WITHCREATEROLE;ALTERROLE
postgres=# \du
Listofroles
Role name| Attributes | Member of
-----------+------------------------------------------------+-----------
bella | Create DB |{}
david| |{}
postgres| Superuser, Create role, Create DB, Replication |{}
renee| Create role, Create DB |{}
sandy| |{}
postgres=#
5.3 賦予david 帶密碼登錄權限
postgres=# ALTER ROLE david WITH PASSWORD 'ufo456';ALTERROLE
postgres=#
5.4 設置sandy 角色的有效期
postgres=# ALTER ROLE sandy VALID UNTIL '2014-04-24';ALTERROLE
postgres=# \du
Listofroles
Role name| Attributes | Member of
-----------+------------------------------------------------+-----------
bella | Create DB |{}
david| |{}
postgres| Superuser, Create role, Create DB, Replication |{}
renee| Create role, Create DB |{}
sandy| |{}
postgres=# SELECT * frompg_roles ;
rolname| rolsuper | rolinherit | rolcreaterole | rolcreatedb | rolcatupdate | rolcanlogin | rolreplication | rolconnlimit | rolpassword | rolvaliduntil | rolconfig |oid----------+----------+------------+---------------+-------------+--------------+-------------+----------------+--------------+-------------+------------------------+-----------+-------
postgres | t | t | t | t | t | t | t | -1 | ******** | | | 10bella| f | t | f | t | f | t | f | -1 | ******** | | | 49440renee| f | t | t | t | f | t | f | -1 | ******** | | | 49442david| f | t | f | f | f | t | f | -1 | ******** | | | 49438sandy| f | t | f | f | f | t | f | -1 | ******** | 2014-04-24 00:00:00+08 | | 49439(5rows)
postgres=#
六、角色賦權/角色成員
在系統的角色管理中,通常會把多個角色賦予一個組,這樣在設置權限時只需給該組設置即可,撤銷權限時也是從該組撤銷。在PostgreSQL中,首先需要創建一個代表組的角色,之后再將該角色的membership 權限賦給獨立的角色即可。
6.1 創建組角色
postgres=# CREATE ROLE father login nosuperuser nocreatedb nocreaterole noinherit encrypted password 'abc123';CREATEROLE
postgres=# \du
Listofroles
Role name| Attributes | Member of
-----------+------------------------------------------------+-----------
bella | Create DB |{}
david| |{}
father| No inheritance |{}
postgres| Superuser, Create role, Create DB, Replication |{}
renee| Create role, Create DB |{}
sandy| |{}
postgres=#
6.2?給father 角色賦予數據庫test 連接權限和相關表的查詢權限。
postgres=# GRANT CONNECT ON DATABASE test tofather;GRANTpostgres=# \c test renee
You are now connectedto database "test" as user"renee".
test=>\dt
No relations found.
test=> CREATE TABLEemp (
test(>id serial,
test(> name text);
NOTICE:CREATE TABLE will create implicit sequence "emp_id_seq" for serial column"emp.id"CREATE TABLEtest=> INSERT INTO emp (name) VALUES ('david');INSERT 0 1test=> INSERT INTO emp (name) VALUES ('sandy');INSERT 0 1test=> SELECT * fromemp;
id|name----+-------
1 |david2 |sandy
(2rows)
test=>\dt
ListofrelationsSchema | Name | Type |Owner--------+------+-------+-------
public | emp | table |renee
(1row)
test=> GRANT USAGE ON SCHEMA public tofather;
WARNING: noprivileges were granted for "public"GRANTtest=> GRANT SELECT on public.emp tofather;GRANTtest=>
6.3 創建成員角色
test=>\c postgres postgres
You are now connectedto database "postgres" as user"postgres".
postgres=# CREATE ROLE son1 login nosuperuser nocreatedb nocreaterole inherit encrypted password 'abc123';CREATEROLE
postgres=#
這里創建了son1 角色,并開啟inherit 屬性。PostgreSQL 里的角色賦權是通過角色繼承(INHERIT)的方式實現的。
6.4 將father 角色賦給son1
postgres=# GRANT father toson1;GRANTROLE
postgres=#
還有另一種方法,就是在創建用戶的時候賦予角色權限。
postgres=# CREATE ROLE son2 login nosuperuser nocreatedb nocreaterole inherit encrypted password 'abc123' inrole father;CREATEROLE
postgres=#
6.5 測試son1 角色
postgres=# \c test son1
You are now connectedto database "test" as user"son1".
test=>\dt
ListofrelationsSchema | Name | Type |Owner--------+------+-------+-------
public | emp | table |renee
(1row)
test=> SELECT * fromemp;
id|name----+-------
1 |david2 |sandy
(2rows)
test=>
用renee 角色新創建一張表,再次測試
test=>\c test renee
You are now connectedto database "test" as user"renee".
test=> CREATE TABLEdept (
test(> deptid integer,
test(> deptname text);CREATE TABLEtest=> INSERT INTO dept (deptid, deptname) values(1, 'ts');INSERT 0 1test=>\c test son1
You are now connectedto database "test" as user"son1".
test=> SELECT * fromdept ;
ERROR: permission deniedforrelation dept
test=>
son1 角色只能查詢emp 表的數據,而不能查詢dept 表的數據,測試成功。
6.6 查詢角色組信息
test=>\c postgres postgres
You are now connectedto database "postgres" as user"postgres".
postgres=#
postgres=# \du
Listofroles
Role name| Attributes | Member of
-----------+------------------------------------------------+-----------
bella | Create DB |{}
david| |{}
father| No inheritance |{}
postgres| Superuser, Create role, Create DB, Replication |{}
renee| Create role, Create DB |{}
sandy| |{}
son1| |{father}
son2| |{father}
postgres=#
“ Member of ” 項表示son1 和son2 角色屬于father 角色組。
七、參考
總結
以上是生活随笔為你收集整理的查看pg 用户组_PostgreSQL 角色管理的全部內容,希望文章能夠幫你解決所遇到的問題。
- 上一篇: ab压力 failed_Apache a
- 下一篇: pgsql数据库默认配置事务类型_Pos