postgresql - Postgres 角色和用户 - 表的权限被拒绝

标签 postgresql amazon-web-services amazon-rds

我按照 https://aws.amazon.com/blogs/database/managing-postgresql-users-and-roles/ 中的说明配置了在 RDS 上运行的 Postgres 11.2 数据库

  1. 我以创建 RDS 时创建的主用户身份登录
  2. 执行CREATE SCHEMA myschema;
  3. 从上面的链接执行脚本
-- Revoke privileges from 'public' role
REVOKE CREATE ON SCHEMA public FROM PUBLIC;
REVOKE ALL ON DATABASE mydatabase FROM PUBLIC;

-- Read-only role
CREATE ROLE readonly;
GRANT CONNECT ON DATABASE mydatabase TO readonly;
GRANT USAGE ON SCHEMA myschema TO readonly;
GRANT SELECT ON ALL TABLES IN SCHEMA myschema TO readonly;
ALTER DEFAULT PRIVILEGES IN SCHEMA myschema GRANT SELECT ON TABLES TO readonly;

-- Read/write role
CREATE ROLE readwrite;
GRANT CONNECT ON DATABASE mydatabase TO readwrite;
GRANT USAGE, CREATE ON SCHEMA myschema TO readwrite;
GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA myschema TO readwrite;
ALTER DEFAULT PRIVILEGES IN SCHEMA myschema GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO readwrite;
GRANT USAGE ON ALL SEQUENCES IN SCHEMA myschema TO readwrite;
ALTER DEFAULT PRIVILEGES IN SCHEMA myschema GRANT USAGE ON SEQUENCES TO readwrite;

-- Users creation
CREATE USER reporting_user1 WITH PASSWORD 'some_secret_passwd';
CREATE USER reporting_user2 WITH PASSWORD 'some_secret_passwd';
CREATE USER app_user1 WITH PASSWORD 'some_secret_passwd';
CREATE USER app_user2 WITH PASSWORD 'some_secret_passwd';

-- Grant privileges to users
GRANT readonly TO reporting_user1;
GRANT readonly TO reporting_user2;
GRANT readwrite TO app_user1;
GRANT readwrite TO app_user2;

之后,我以 app_user1 身份连接并创建了一个新表并向其中添加了一行。然后,我使用 reporting_user1 连接并尝试 SELECT * FROM 该新表,但在控制台上看到以下消息:

ERROR:  permission denied for table first_table
SQL state: 42501

我的配置中缺少什么?我希望 reporting_user1 能够读取 app_user1 在 myschema 中创建的所有表。

最佳答案

来自documentation of ALTER DEFAULT PRIVILEGES :

You can change default privileges only for objects that will be created by yourself or by roles that you are a member of. The privileges can be set globally (i.e., for all objects created in the current database), or just for objects created in specified schemas. Default privileges that are specified per-schema are added to whatever the global default privileges are for the particular object type.

因此,以 master 身份运行 ALTER DEFAULT PRIVILEGES 的效果不会影响 app_user1 创建的表的默认权限。

要解决这个问题,您必须执行

ALTER DEFAULT PRIVILEGES IN SCHEMA myschema GRANT SELECT ON TABLES TO readonly;

也作为 app_user1

关于postgresql - Postgres 角色和用户 - 表的权限被拒绝,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/57949912/

上一篇:ruby-on-rails - 在 Rails 中调用 Postgres 存储函数的最佳方法是什么?

下一篇:ruby-on-rails - Postgres、Rails 和选择不在组子句中的列

相关文章:

SQL - 选择表中与其他行具有相似特征的行

sql - 向postgresql中的列添加递增值

java - 使用 AWS Java SDK 获取 CloudWatch 指标?

node.js - AWS CloudFormation 与 node.js 10.x 更新错误 "ZipFile can only be used when Runtime is set to <older node.js versions>"

Python boto3 从禁用备份的快照创建 rds 实例

amazon-ec2 - 尝试将本地 mysql 服务器迁移到 AWS

python - 主从 postgresql,具有 django 应用程序的日志记录和监控功能

regex - sed 替换匹配复杂正则表达式模式的文本

powershell - AWS Powershell - 按名称获取 SNS 主题

java - 在 AWS-EC2 上运行的 Spring Boot 应用程序无法连接到 MySQL AWS-RDS 数据库

©2024 IT工具网  联系我们