1. The difference between roles and users
A role corresponds to a job position: a role can be "manager" or "assistant".
A user is a specific person: for example manager Chen XX, assistant Zhu XX, assistant Wang XX.
In PostgreSQL there is no distinction between the concepts of user and role. "CREATE USER" is an alias for "CREATE ROLE", and the two commands are almost identical; the only difference is that a role created with "CREATE USER" has the LOGIN attribute by default, while a role created with "CREATE ROLE" does not (CREATE USER is equivalent to CREATE ROLE except that CREATE USER assumes LOGIN by default, while CREATE ROLE does not).
1.1 Creating roles and users
CREATE ROLE syntax
CREATE ROLE name [ [ WITH ] option [ ... ] ]

where option can be:

      SUPERUSER | NOSUPERUSER
    | CREATEDB | NOCREATEDB
    | CREATEROLE | NOCREATEROLE
    | CREATEUSER | NOCREATEUSER
    | INHERIT | NOINHERIT
    | LOGIN | NOLOGIN
    | REPLICATION | NOREPLICATION
    | CONNECTION LIMIT connlimit
    | [ ENCRYPTED | UNENCRYPTED ] PASSWORD 'password'
    | VALID UNTIL 'timestamp'
    | IN ROLE role_name [, ...]
    | IN GROUP role_name [, ...]
    | ROLE role_name [, ...]
    | ADMIN role_name [, ...]
    | USER role_name [, ...]
    | SYSID uid

Create the role david and the user sandy
postgres=# CREATE ROLE david;   -- no LOGIN attribute by default
CREATE ROLE
postgres=# CREATE USER sandy;   -- has the LOGIN attribute by default
CREATE ROLE
postgres=# \du
                             List of roles
 Role name |                   Attributes                   | Member of
-----------+------------------------------------------------+-----------
 david     | Cannot login                                   | {}
 postgres  | Superuser, Create role, Create DB, Replication | {}
 sandy     |                                                | {}

postgres=# SELECT rolname from pg_roles ;
 rolname
----------
 postgres
 david
 sandy
(3 rows)

postgres=# SELECT usename from pg_user;   -- david was created without LOGIN, so no user exists for it
 usename
----------
 postgres
 sandy
(2 rows)

postgres=#
1.2 Verifying the LOGIN attribute
postgres@CS-DEV:~> psql -U david
psql: FATAL:  role "david" is not permitted to log in
postgres@CS-DEV:~> psql -U sandy
psql: FATAL:  database "sandy" does not exist
postgres@CS-DEV:~> psql -U sandy -d postgres
psql (9.1.0)
Type "help" for help.

postgres=> \dt
No relations found.
postgres=>
User sandy can log in; role david cannot.
1.3 Modify david's privileges: add LOGIN
postgres=# ALTER ROLE david LOGIN ;
ALTER ROLE
postgres=# \du
                             List of roles
 Role name |                   Attributes                   | Member of
-----------+------------------------------------------------+-----------
 david     |                                                | {}
 postgres  | Superuser, Create role, Create DB, Replication | {}
 sandy     |                                                | {}

postgres=# SELECT rolname from pg_roles ;
 rolname
----------
 postgres
 sandy
 david
(3 rows)

postgres=# SELECT usename from pg_user;   -- once david has LOGIN, a user of the same name appears automatically
 usename
----------
 postgres
 sandy
 david
(3 rows)

postgres=#
1.4 Verifying the LOGIN attribute again
postgres@CS-DEV:~> psql -U david -d postgres
psql (9.1.0)
Type "help" for help.

postgres=> \du
                             List of roles
 Role name |                   Attributes                   | Member of
-----------+------------------------------------------------+-----------
 david     |                                                | {}
 postgres  | Superuser, Create role, Create DB, Replication | {}
 sandy     |                                                | {}

postgres=>
david can now log in as well.
2. Viewing role information
In the psql terminal you can use \du or \du+, or query the system catalog: select * from pg_roles;
postgres=> \du
                             List of roles
 Role name |                   Attributes                   | Member of
-----------+------------------------------------------------+-----------
 david     | Cannot login                                   | {}
 postgres  | Superuser, Create role, Create DB, Replication | {}
 sandy     |                                                | {}

postgres=> \du+
                                    List of roles
 Role name |                   Attributes                   | Member of | Description
-----------+------------------------------------------------+-----------+-------------
 david     | Cannot login                                   | {}        |
 postgres  | Superuser, Create role, Create DB, Replication | {}        |
 sandy     |                                                | {}        |

postgres=> SELECT * from pg_roles;
 rolname  | rolsuper | rolinherit | rolcreaterole | rolcreatedb | rolcatupdate | rolcanlogin | rolreplication | rolconnlimit | rolpassword | rolvaliduntil | rolconfig |  oid
----------+----------+------------+---------------+-------------+--------------+-------------+----------------+--------------+-------------+---------------+-----------+-------
 postgres | t        | t          | t             | t           | t            | t           | t              |           -1 | ********    |               |           |    10
 david    | f        | t          | f             | f           | f            | f           | f              |           -1 | ********    |               |           | 49438
 sandy    | f        | t          | f             | f           | f            | t           | f              |           -1 | ********    |               |           | 49439
(3 rows)

postgres=>
3. Role Attributes
A database role can have a set of attributes that define its privileges.
Attribute   | Description
------------|-------------
login       | Only roles with the LOGIN attribute can be used as the initial role name of a database connection.
superuser   | Database superuser.
createdb    | Privilege to create databases.
createrole  | Allows the role to create or drop other ordinary roles (superusers excluded).
replication | Attribute needed for streaming replication; usually set on a dedicated role.
password    | Only takes effect when the connection requires a password, e.g. the md5 or password methods; it depends on the client authentication method.
inherit     | Inheritance flag for group members: a member can inherit the privileges of the groups it belongs to.
...         | ...
4. Assigning role attributes when creating a user
As seen in pg_roles, the user david created above has no privileges such as creating databases by default.
postgres@CS-DEV:~> psql -U david -d postgres
psql (9.1.0)
Type "help" for help.

postgres=> \du
                             List of roles
 Role name |                   Attributes                   | Member of
-----------+------------------------------------------------+-----------
 david     |                                                | {}
 postgres  | Superuser, Create role, Create DB, Replication | {}
 sandy     |                                                | {}

postgres=> CREATE DATABASE test;
ERROR:  permission denied to create database
postgres=>
To give a role attributes at creation time, use the following methods.
First switch to the postgres user.
4.1 Create the role bella and grant it the CREATEDB privilege.
postgres=# CREATE ROLE bella CREATEDB ;
CREATE ROLE
postgres=# \du
                             List of roles
 Role name |                   Attributes                   | Member of
-----------+------------------------------------------------+-----------
 bella     | Create DB, Cannot login                        | {}
 david     |                                                | {}
 postgres  | Superuser, Create role, Create DB, Replication | {}
 sandy     |                                                | {}

postgres=#
4.2 Create the role renee and give it the attributes to create databases and to log in with a password.
postgres=# CREATE ROLE renee CREATEDB PASSWORD 'abc123' LOGIN;
CREATE ROLE
postgres=# \du
                             List of roles
 Role name |                   Attributes                   | Member of
-----------+------------------------------------------------+-----------
 bella     | Create DB, Cannot login                        | {}
 david     |                                                | {}
 postgres  | Superuser, Create role, Create DB, Replication | {}
 renee     | Create DB                                      | {}
 sandy     |                                                | {}

postgres=#
4.3 Testing the renee role
a. Log in
postgres@CS-DEV:~> psql -U renee -d postgres
psql (9.1.0)
Type "help" for help.

postgres=>
Logging in as renee, we find that no password is required, which is not what we expect.
b. Find the cause
As the role attribute table notes, password only takes effect when the connection requires a password, for example with the md5 or password methods; it depends on the client authentication method.
Looking at pg_hba.conf, the METHOD for local is trust, so no password is required.
Change the METHOD for local to password, save, and restart postgresql.
c. Verify again
A password prompt appears; after entering the correct password we are in the database.
d. Test creating a database
Creation succeeds.
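The cause found in step b generalizes: a role's password is only as meaningful as the pg_hba.conf rule that matches the connection. The script below is an added example (not part of the original post) that parses a pg_hba.conf in the documented TYPE DATABASE USER [ADDRESS] METHOD [OPTIONS] layout and flags rules where the password is never checked (trust) or is transmitted in cleartext (the password method, unless the connection is SSL-protected, which is why md5 was the usual choice on 9.x servers). The sample configuration is constructed; its first rule is the local trust entry the post found.

```python
"""Scan a pg_hba.conf for authentication methods that make role passwords moot.

Added example, not part of the original post. SAMPLE_HBA is a constructed
configuration; the line format follows the pg_hba.conf documentation.
"""

# Constructed sample. Line 2 is the 'trust' rule for local connections that the post found.
SAMPLE_HBA = """\
# TYPE  DATABASE  USER      ADDRESS         METHOD
local   all       all                       trust
host    all       all       127.0.0.1/32    md5
host    all       all       ::1/128         password
host    all       postgres  10.0.0.0/8      trust     # constructed: remote superuser access with no password
hostssl test      father    192.168.1.0/24  md5
"""

NO_PASSWORD_CHECK = {"trust"}   # the role's password is never consulted
CLEARTEXT = {"password"}        # password is sent unhashed over the wire


def parse_hba(text):
    """Return one dict per rule; comments and blank lines are skipped."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop trailing and full-line comments
        if not line:
            continue
        fields = line.split()
        rule = {"line": lineno, "type": fields[0], "database": fields[1], "user": fields[2]}
        if rule["type"] == "local":
            rule["address"], rest = None, fields[3:]     # local rules carry no address
        else:
            rule["address"], rest = fields[3], fields[4:]
            # Old-style "address netmask" form: fold a dotted netmask into the address field.
            if rest and rest[0].replace(".", "").isdigit():
                rule["address"] += " " + rest[0]
                rest = rest[1:]
        rule["method"] = rest[0] if rest else None
        rule["options"] = rest[1:]
        rules.append(rule)
    return rules


def find_weak_rules(text):
    """Return (line number, reason) for every rule that undermines role passwords."""
    findings = []
    for rule in parse_hba(text):
        method = rule["method"]
        if method in NO_PASSWORD_CHECK:
            findings.append((rule["line"], f"{method}: password is never checked"))
        elif method in CLEARTEXT:
            findings.append((rule["line"], f"{method}: password sent in cleartext"))
    return findings


if __name__ == "__main__":
    for line, reason in find_weak_rules(SAMPLE_HBA):
        print(f"pg_hba.conf line {line}: {reason}")
```

On PostgreSQL 10 and later the same information is available from SQL through the pg_hba_file_rules view, so the check can be run without file access to the server; for a 9.x server like the one in the post, reading the file is the only option.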
5. Granting privileges to existing users
Use the ALTER ROLE command.
ALTER ROLE syntax:
ALTER ROLE name [ [ WITH ] option [ ... ] ]

where option can be:

      SUPERUSER | NOSUPERUSER
    | CREATEDB | NOCREATEDB
    | CREATEROLE | NOCREATEROLE
    | CREATEUSER | NOCREATEUSER
    | INHERIT | NOINHERIT
    | LOGIN | NOLOGIN
    | REPLICATION | NOREPLICATION
    | CONNECTION LIMIT connlimit
    | [ ENCRYPTED | UNENCRYPTED ] PASSWORD 'password'
    | VALID UNTIL 'timestamp'

ALTER ROLE name RENAME TO new_name

ALTER ROLE name [ IN DATABASE database_name ] SET configuration_parameter { TO | = } { value | DEFAULT }
ALTER ROLE name [ IN DATABASE database_name ] SET configuration_parameter FROM CURRENT
ALTER ROLE name [ IN DATABASE database_name ] RESET configuration_parameter
ALTER ROLE name [ IN DATABASE database_name ] RESET ALL
5.1 Grant bella the login privilege
a. View the current role attributes
postgres=# \du
                             List of roles
 Role name |                   Attributes                   | Member of
-----------+------------------------------------------------+-----------
 bella     | Create DB, Cannot login                        | {}
 david     |                                                | {}
 postgres  | Superuser, Create role, Create DB, Replication | {}
 renee     | Create DB                                      | {}
 sandy     |                                                | {}

postgres=#
b. Grant the login privilege
postgres=# ALTER ROLE bella WITH LOGIN;
ALTER ROLE
postgres=# \du
                             List of roles
 Role name |                   Attributes                   | Member of
-----------+------------------------------------------------+-----------
 bella     | Create DB                                      | {}
 david     |                                                | {}
 postgres  | Superuser, Create role, Create DB, Replication | {}
 renee     | Create DB                                      | {}
 sandy     |                                                | {}

postgres=#
5.2 Grant renee the privilege to create roles
postgres=# ALTER ROLE renee WITH CREATEROLE;
ALTER ROLE
postgres=# \du
                             List of roles
 Role name |                   Attributes                   | Member of
-----------+------------------------------------------------+-----------
 bella     | Create DB                                      | {}
 david     |                                                | {}
 postgres  | Superuser, Create role, Create DB, Replication | {}
 renee     | Create role, Create DB                         | {}
 sandy     |                                                | {}

postgres=#
5.3 Give david a password for logging in
postgres=# ALTER ROLE david WITH PASSWORD 'ufo456';
ALTER ROLE
postgres=#
5.4 Set an expiry date for the sandy role
postgres=# ALTER ROLE sandy VALID UNTIL '2014-04-24';
ALTER ROLE
postgres=# \du
                             List of roles
 Role name |                   Attributes                   | Member of
-----------+------------------------------------------------+-----------
 bella     | Create DB                                      | {}
 david     |                                                | {}
 postgres  | Superuser, Create role, Create DB, Replication | {}
 renee     | Create role, Create DB                         | {}
 sandy     |                                                | {}

postgres=# SELECT * from pg_roles ;
 rolname  | rolsuper | rolinherit | rolcreaterole | rolcreatedb | rolcatupdate | rolcanlogin | rolreplication | rolconnlimit | rolpassword |     rolvaliduntil      | rolconfig |  oid
----------+----------+------------+---------------+-------------+--------------+-------------+----------------+--------------+-------------+------------------------+-----------+-------
 postgres | t        | t          | t             | t           | t            | t           | t              |           -1 | ********    |                        |           |    10
 bella    | f        | t          | f             | t           | f            | t           | f              |           -1 | ********    |                        |           | 49440
 renee    | f        | t          | t             | t           | f            | t           | f              |           -1 | ********    |                        |           | 49442
 david    | f        | t          | f             | f           | f            | t           | f              |           -1 | ********    |                        |           | 49438
 sandy    | f        | t          | f             | f           | f            | t           | f              |           -1 | ********    | 2014-04-24 00:00:00+08 |           | 49439
(5 rows)

postgres=#
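The attribute table in section 3 and the ALTER ROLE changes in section 5 (LOGIN, CREATEROLE, PASSWORD, VALID UNTIL) are exactly the fields a reviewer reads back out of the catalog. The script below is an added example (not part of the original post) that audits rows shaped like pg_authid for the settings worth a second look: superusers, CREATEROLE holders, login roles with no password set, and roles whose VALID UNTIL has passed. The rows are constructed to mirror the roles at the end of section 5; note that pg_roles masks rolpassword as ********, so a real audit reads pg_authid (superuser only), where rolpassword is NULL when no password was ever set. The audit rules and the reference time AUDIT_AT are assumptions of this example.

```python
"""Audit PostgreSQL role attributes for settings that deserve review.

Added example, not part of the original post. ROLES is a constructed set of
pg_authid-style rows mirroring the post's roles; the audit rules are this
example's own choices, not PostgreSQL behaviour.
"""
from datetime import datetime, timedelta, timezone

TZ = timezone(timedelta(hours=8))               # the +08 offset shown in the post's pg_roles output
AUDIT_AT = datetime(2014, 5, 1, tzinfo=TZ)      # constructed reference time, after sandy's VALID UNTIL


def role(name, superuser=False, createrole=False, createdb=False,
         login=True, password=None, valid_until=None):
    """Build one pg_authid-style row (rolpassword is None when no password is set)."""
    return {"rolname": name, "rolsuper": superuser, "rolcreaterole": createrole,
            "rolcreatedb": createdb, "rolcanlogin": login,
            "rolpassword": password, "rolvaliduntil": valid_until}


# Constructed rows: the "md5..." strings stand in for stored password hashes.
ROLES = [
    role("postgres", superuser=True, createrole=True, createdb=True, password="md5..."),
    role("bella", createdb=True),                              # LOGIN added, never given a password
    role("renee", createrole=True, createdb=True, password="md5..."),
    role("david", password="md5..."),
    role("sandy", valid_until=datetime(2014, 4, 24, tzinfo=TZ)),  # CREATE USER without a password
]


def audit_roles(rows, now):
    """Return (rolname, finding) pairs; 'now' is compared against rolvaliduntil."""
    findings = []
    for r in rows:
        name = r["rolname"]
        if r["rolsuper"]:
            findings.append((name, "superuser"))
        elif r["rolcreaterole"]:
            # CREATEROLE can create further login roles, so treat it as privileged.
            findings.append((name, "createrole"))
        if r["rolcanlogin"] and r["rolpassword"] is None:
            # With no password, access depends entirely on the pg_hba.conf method.
            findings.append((name, "login-without-password"))
        expiry = r["rolvaliduntil"]
        if expiry is not None and expiry <= now:
            # Expired roles still exist and still own objects; they should be reviewed or dropped.
            findings.append((name, "expired"))
    return findings


def run_audit():
    """Audit the constructed rows at the constructed reference time."""
    return audit_roles(ROLES, AUDIT_AT)


if __name__ == "__main__":
    for name, finding in run_audit():
        print(f"{name:10} {finding}")
```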
6. Role grants / role membership
In role management it is common to place several roles in a group, so that privileges only have to be granted to the group and are revoked from the group as well. In PostgreSQL, first create a role that represents the group, then grant membership in that role to the individual roles.
6.1 Create the group role
postgres=# CREATE ROLE father login nosuperuser nocreatedb nocreaterole noinherit encrypted password 'abc123';
CREATE ROLE
postgres=# \du
                             List of roles
 Role name |                   Attributes                   | Member of
-----------+------------------------------------------------+-----------
 bella     | Create DB                                      | {}
 david     |                                                | {}
 father    | No inheritance                                 | {}
 postgres  | Superuser, Create role, Create DB, Replication | {}
 renee     | Create role, Create DB                         | {}
 sandy     |                                                | {}

postgres=#
6.2 Grant the father role the CONNECT privilege on database test and SELECT on the relevant tables.
postgres=# GRANT CONNECT ON DATABASE test to father;
GRANT
postgres=# \c test renee
You are now connected to database "test" as user "renee".
test=> \dt
No relations found.
test=> CREATE TABLE emp (
test(> id serial,
test(> name text);
NOTICE:  CREATE TABLE will create implicit sequence "emp_id_seq" for serial column "emp.id"
CREATE TABLE
test=> INSERT INTO emp (name) VALUES ('david');
INSERT 0 1
test=> INSERT INTO emp (name) VALUES ('sandy');
INSERT 0 1
test=> SELECT * from emp;
 id | name
----+-------
  1 | david
  2 | sandy
(2 rows)

test=> \dt
        List of relations
 Schema | Name | Type  | Owner
--------+------+-------+-------
 public | emp  | table | renee
(1 row)

test=> GRANT USAGE ON SCHEMA public to father;
WARNING:  no privileges were granted for "public"
GRANT
test=> GRANT SELECT on public.emp to father;
GRANT
test=>
6.3 Create the member role
test=> \c postgres postgres
You are now connected to database "postgres" as user "postgres".
postgres=# CREATE ROLE son1 login nosuperuser nocreatedb nocreaterole inherit encrypted password 'abc123';
CREATE ROLE
postgres=#
Here we created the role son1 with the inherit attribute enabled. In PostgreSQL, granting a role to another role takes effect through role inheritance (INHERIT).
6.4 Grant the father role to son1
postgres=# GRANT father to son1;
GRANT ROLE
postgres=#
There is also another way: grant the membership when the user is created.
postgres=# CREATE ROLE son2 login nosuperuser nocreatedb nocreaterole inherit encrypted password 'abc123' in role father;
CREATE ROLE
postgres=#
6.5 Testing the son1 role
postgres=# \c test son1
You are now connected to database "test" as user "son1".
test=> \dt
        List of relations
 Schema | Name | Type  | Owner
--------+------+-------+-------
 public | emp  | table | renee
(1 row)

test=> SELECT * from emp;
 id | name
----+-------
  1 | david
  2 | sandy
(2 rows)

test=>
Create a new table as renee and test again.
test=> \c test renee
You are now connected to database "test" as user "renee".
test=> CREATE TABLE dept (
test(> deptid integer,
test(> deptname text);
CREATE TABLE
test=> INSERT INTO dept (deptid, deptname) values(1, 'ts');
INSERT 0 1
test=> \c test son1
You are now connected to database "test" as user "son1".
test=> SELECT * from dept ;
ERROR:  permission denied for relation dept
test=>
The son1 role can query the emp table but not the dept table; the test succeeds.
6.6 Query role group information
test=> \c postgres postgres
You are now connected to database "postgres" as user "postgres".
postgres=# \du
                             List of roles
 Role name |                   Attributes                   | Member of
-----------+------------------------------------------------+-----------
 bella     | Create DB                                      | {}
 david     |                                                | {}
 father    | No inheritance                                 | {}
 postgres  | Superuser, Create role, Create DB, Replication | {}
 renee     | Create role, Create DB                         | {}
 sandy     |                                                | {}
 son1      |                                                | {father}
 son2      |                                                | {father}

postgres=#
The "Member of" column shows that son1 and son2 belong to the father role group.
7. References
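Sections 6.3 to 6.6 rest on one rule: a member role with INHERIT automatically has the privileges of the roles it belongs to (including whatever those roles themselves inherit), while a NOINHERIT member only reaches them after SET ROLE; note that father's own NOINHERIT does not stop son1 from inheriting from father. The script below is an added example (not part of the original post) that models that rule, as documented for PostgreSQL versions before 16, and checks it against the roles and grants from section 6. The roles, grants and membership are constructed from the post; the extra role son3 (a NOINHERIT member of father) is hypothetical, and "OWNER" is a simplification standing in for all of a table owner's rights.

```python
"""Model PostgreSQL role membership and the INHERIT attribute.

Added example, not part of the original post. Encodes the pre-16 inheritance
rule: an INHERIT member automatically has the privileges of the roles it
belongs to, including what those roles inherit; a NOINHERIT member only gets
them after SET ROLE. All data below is constructed; son3 is hypothetical.
"""

# Constructed: object privileges granted directly to each role, as (privilege, object).
GRANTS = {
    "renee":  {("OWNER", "emp"), ("OWNER", "dept")},      # renee created both tables
    "father": {("CONNECT", "test"), ("SELECT", "emp")},   # GRANTs from section 6.2
}
# Constructed: INHERIT attribute per role, as set in section 6 (son3 is hypothetical).
INHERIT = {"renee": True, "father": False, "son1": True, "son2": True, "son3": False}
# Constructed: member -> groups it belongs to (GRANT father TO son1 / IN ROLE father).
MEMBER_OF = {"son1": {"father"}, "son2": {"father"}, "son3": {"father"}}


def member_groups(role):
    """Every role `role` belongs to, directly or transitively; INHERIT plays no part here."""
    groups, stack = set(), list(MEMBER_OF.get(role, ()))
    while stack:
        g = stack.pop()
        if g not in groups:
            groups.add(g)
            stack.extend(MEMBER_OF.get(g, ()))
    return groups


def effective_privileges(role):
    """Privileges `role` can use without SET ROLE."""
    privs = set(GRANTS.get(role, ()))
    if not INHERIT.get(role, True):
        return privs                      # NOINHERIT: membership is usable only via SET ROLE
    stack, seen = list(MEMBER_OF.get(role, ())), {role}
    while stack:
        g = stack.pop()
        if g in seen:
            continue                      # guards against membership cycles and diamonds
        seen.add(g)
        privs |= set(GRANTS.get(g, ()))
        if INHERIT.get(g, True):          # the chain continues only through INHERIT roles
            stack.extend(MEMBER_OF.get(g, ()))
    return privs


def can_set_role(role, target):
    """SET ROLE is permitted for any direct or indirect member, INHERIT or not."""
    return target in member_groups(role)


def after_set_role(role, target):
    """Privileges in effect once `role` has executed SET ROLE target."""
    if not can_set_role(role, target):
        raise PermissionError(f"{role} is not a member of {target}")
    return effective_privileges(target)


def can_select(privs, table):
    """SELECT is allowed with an explicit grant or as the table owner."""
    return ("SELECT", table) in privs or ("OWNER", table) in privs


if __name__ == "__main__":
    for r in ("son1", "son3"):
        p = effective_privileges(r)
        print(f"{r}: emp={can_select(p, 'emp')} dept={can_select(p, 'dept')}")
    print("son3 after SET ROLE father: emp =", can_select(after_set_role("son3", "father"), "emp"))
```

The son1 results reproduce section 6.5 (emp readable, dept denied). The hypothetical son3 shows the other half of the rule: as a NOINHERIT member it has no access to emp until it runs SET ROLE father, which is the behaviour to expect if a member role is created without the inherit attribute.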