如何在PostgreSQL中创建只读用户? [英] How do you create a read-only user in PostgreSQL?
问题描述
我想在PostgreSQL中创建一个只能从特定数据库执行SELECT的用户.在MySQL中,命令为:
I'd like to create a user in PostgreSQL that can only do SELECTs from a particular database. In MySQL the command would be:
GRANT SELECT ON mydb.* TO 'xxx'@'%' IDENTIFIED BY 'yyy';
PostgreSQL中的等效命令或一系列命令是什么?
What is the equivalent command or series of commands in PostgreSQL?
我尝试过...
postgres=# CREATE ROLE xxx LOGIN PASSWORD 'yyy';
postgres=# GRANT SELECT ON DATABASE mydb TO xxx;
但是,您似乎只能在数据库上授予的权限是CREATE,CONNECT,TEMPORARY和TEMP.
But it appears that the only things you can grant on a database are CREATE, CONNECT, TEMPORARY, and TEMP.
推荐答案
允许使用/选择单个表
如果仅将CONNECT授予数据库,则用户可以连接,但没有其他特权.您必须像这样分别授予对名称空间(schemas)的USAGE和对表和视图的SELECT的权限:
Grant usage/select to a single table
If you only grant CONNECT to a database, the user can connect but has no other privileges. You have to grant USAGE on namespaces (schemas) and SELECT on tables and views individually like so:
GRANT CONNECT ON DATABASE mydb TO xxx;
-- This assumes you're actually connected to mydb..
GRANT USAGE ON SCHEMA public TO xxx;
GRANT SELECT ON mytable TO xxx;
多个表/视图(PostgreSQL 9.0 +)
在最新版本的PostgreSQL中,您可以使用单个命令来授予模式中所有表/视图/等的权限,而不必一个个地键入它们:
Multiple tables/views (PostgreSQL 9.0+)
In the latest versions of PostgreSQL, you can grant permissions on all tables/views/etc in the schema using a single command rather than having to type them one by one:
GRANT SELECT ON ALL TABLES IN SCHEMA public TO xxx;
这仅影响已经创建的表.功能更强大的是,您可以自动将默认角色分配给新对象将来:
This only affects tables that have already been created. More powerfully, you can automatically have default roles assigned to new objects in future:
ALTER DEFAULT PRIVILEGES IN SCHEMA public
GRANT SELECT ON TABLES TO xxx;
请注意,默认情况下,这仅会影响发出此命令的用户创建的对象(表):尽管也可以在发出用户所属的任何角色上进行设置.但是,在创建新对象时,您不会为您所隶属的所有角色选择默认权限...因此仍然存在一些麻烦.如果采用数据库具有所有者角色的方式,并且以该所有者角色的身份进行模式更改,则应为该所有者角色分配默认特权.恕我直言,这有点令人困惑,您可能需要进行实验以提出功能正常的工作流程.
Note that by default this will only affect objects (tables) created by the user that issued this command: although it can also be set on any role that the issuing user is a member of. However, you don't pick up default privileges for all roles you're a member of when creating new objects... so there's still some faffing around. If you adopt the approach that a database has an owning role, and schema changes are performed as that owning role, then you should assign default privileges to that owning role. IMHO this is all a bit confusing and you may need to experiment to come up with a functional workflow.
为避免冗长的多表更改出错,建议使用以下自动"过程为每个表/视图生成所需的GRANT SELECT
:
To avoid errors in lengthy, multi-table changes, it is recommended to use the following 'automatic' process to generate the required GRANT SELECT
to each table/view:
SELECT 'GRANT SELECT ON ' || relname || ' TO xxx;'
FROM pg_class JOIN pg_namespace ON pg_namespace.oid = pg_class.relnamespace
WHERE nspname = 'public' AND relkind IN ('r', 'v', 'S');
这应该将所有GRANT命令的相关GRANT命令公开输出到所有表,视图和序列的公共表上,以实现复制n粘贴.自然,这只会应用于已经创建的表.
This should output the relevant GRANT commands to GRANT SELECT on all tables, views, and sequences in public, for copy-n-paste love. Naturally, this will only be applied to tables that have already been created.
这篇关于如何在PostgreSQL中创建只读用户?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!