How do I inherit a role's privileges?


Question

I have created an engineering role in psql, then created a user role. When I grant the engineering role to the user role, the user role does not get any of the privileges. Note that engineering was created with login privileges.

postgres=# create role johnnyb inherit;
CREATE ROLE
postgres=# grant engineering to johnnyb;
GRANT ROLE
postgres=# \du
                                      List of roles
  Role name  |                         Attributes                         |   Member of
-------------+------------------------------------------------------------+---------------
 engineering | Create role, Create DB                                     | {}
 johnnyb     | Cannot login                                               | {engineering}
 postgres    | Superuser, Create role, Create DB, Replication, Bypass RLS | {}

The inherit keyword seems to have no effect. What am I missing? I'd like to be able to grant engineering privileges to a few users (to start).

Recommended answer

LOGIN is a special privilege that is not inherited. Test your inheritance out based on permissions to database objects, such as SELECT on a table; it should work fine. Ensure that when you are testing you know what the permissions are for public to avoid any gotchas.

From the manual

The role attributes LOGIN, SUPERUSER, CREATEDB, and CREATEROLE can be thought of as special privileges, but they are never inherited as ordinary privileges on database objects are. You must actually SET ROLE to a specific role having one of these attributes in order to make use of the attribute. Continuing the above example, we might choose to grant CREATEDB and CREATEROLE to the admin role. Then a session connecting as role joe would not have these privileges immediately, only after doing SET ROLE admin.
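
The distinction drawn by the answer and the manual excerpt, as an added psql example that is not part of the original question or answer: an object privilege granted to a group role reaches its members through inheritance, while a role attribute such as CREATEDB only takes effect after SET ROLE. The names eng_demo, johnnyb_demo, demo_builds and the two demo database names are hypothetical, and the script assumes a superuser session in a scratch database.

```sql
-- Added example; run as a superuser in a scratch database.
-- All role, table and database names here are made up for the demo.

-- Group role carrying one role attribute (CREATEDB) and no login.
CREATE ROLE eng_demo NOLOGIN CREATEDB;
-- Member role: LOGIN has to be set on the member itself.
CREATE ROLE johnnyb_demo LOGIN INHERIT;
GRANT eng_demo TO johnnyb_demo;

-- An ordinary object privilege, granted only to the group role.
CREATE TABLE demo_builds (id int);
-- Make PUBLIC's rights on the table explicit so they cannot mask the test.
REVOKE ALL ON demo_builds FROM PUBLIC;
GRANT SELECT ON demo_builds TO eng_demo;

-- Object privileges: compare what the member holds via membership
-- (SELECT was granted to the group, INSERT was not).
SELECT has_table_privilege('johnnyb_demo', 'demo_builds', 'SELECT') AS can_select,
       has_table_privilege('johnnyb_demo', 'demo_builds', 'INSERT') AS can_insert;

-- Role attributes live on each role's own catalog row; membership does
-- not copy them, which is why \du lists them per role.
SELECT rolname, rolcanlogin, rolcreatedb, rolinherit
FROM pg_roles
WHERE rolname IN ('eng_demo', 'johnnyb_demo');

-- Act as the member without reconnecting.
SET SESSION AUTHORIZATION johnnyb_demo;
SELECT count(*) FROM demo_builds;      -- uses the inherited SELECT privilege

-- CREATEDB is an attribute of eng_demo, so this statement is rejected
-- while the current role is still johnnyb_demo.
CREATE DATABASE demo_db_as_member;

-- Switch to the group role to use its attribute, as the manual describes.
SET ROLE eng_demo;
CREATE DATABASE demo_db_as_group;
RESET ROLE;
RESET SESSION AUTHORIZATION;

-- Cleanup.
DROP DATABASE demo_db_as_group;
DROP TABLE demo_builds;
DROP ROLE johnnyb_demo, eng_demo;
```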
