我按照 https://aws.amazon.com/blogs/database/managing-postgresql-users-and-roles/ 中的说明配置了在 RDS 上运行的 Postgres 11.2 数据库
- 我以创建 RDS 时创建的主用户身份登录
- 执行
CREATE SCHEMA myschema;
- 从上面的链接执行脚本
-- Revoke privileges from 'public' role
REVOKE CREATE ON SCHEMA public FROM PUBLIC;
REVOKE ALL ON DATABASE mydatabase FROM PUBLIC;
-- Read-only role
CREATE ROLE readonly;
GRANT CONNECT ON DATABASE mydatabase TO readonly;
GRANT USAGE ON SCHEMA myschema TO readonly;
GRANT SELECT ON ALL TABLES IN SCHEMA myschema TO readonly;
ALTER DEFAULT PRIVILEGES IN SCHEMA myschema GRANT SELECT ON TABLES TO readonly;
-- Read/write role
CREATE ROLE readwrite;
GRANT CONNECT ON DATABASE mydatabase TO readwrite;
GRANT USAGE, CREATE ON SCHEMA myschema TO readwrite;
GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA myschema TO readwrite;
ALTER DEFAULT PRIVILEGES IN SCHEMA myschema GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO readwrite;
GRANT USAGE ON ALL SEQUENCES IN SCHEMA myschema TO readwrite;
ALTER DEFAULT PRIVILEGES IN SCHEMA myschema GRANT USAGE ON SEQUENCES TO readwrite;
-- Users creation
CREATE USER reporting_user1 WITH PASSWORD 'some_secret_passwd';
CREATE USER reporting_user2 WITH PASSWORD 'some_secret_passwd';
CREATE USER app_user1 WITH PASSWORD 'some_secret_passwd';
CREATE USER app_user2 WITH PASSWORD 'some_secret_passwd';
-- Grant privileges to users
GRANT readonly TO reporting_user1;
GRANT readonly TO reporting_user2;
GRANT readwrite TO app_user1;
GRANT readwrite TO app_user2;
之后,我以 app_user1
身份连接并创建了一个新表并向其中添加了一行。然后,我使用 reporting_user1 连接并尝试 SELECT * FROM
该新表,但在控制台上看到以下消息:
ERROR: permission denied for table first_table
SQL state: 42501
我的配置中缺少什么?我希望 reporting_user1 能够读取 app_user1 在 myschema 中创建的所有表。
最佳答案
来自documentation of ALTER DEFAULT PRIVILEGES
:
You can change default privileges only for objects that will be created by yourself or by roles that you are a member of. The privileges can be set globally (i.e., for all objects created in the current database), or just for objects created in specified schemas. Default privileges that are specified per-schema are added to whatever the global default privileges are for the particular object type.
因此,以 master
身份运行 ALTER DEFAULT PRIVILEGES
的效果不会影响 app_user1
创建的表的默认权限。
要解决这个问题,您必须执行
ALTER DEFAULT PRIVILEGES IN SCHEMA myschema GRANT SELECT ON TABLES TO readonly;
也作为 app_user1
。
关于postgresql - Postgres 角色和用户 - 表的权限被拒绝,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/57949912/