postgresql - 创建具有架构完全访问权限的角色，并将其分配给用户

Question

我尝试创建将由开发人员帐户使用的角色，并将授予对一个架构下的所有表的访问权限。一切看起来都正确，但用户仍然没有所需的访问权限。有人能指出我做错了什么吗？

1. 创建新角色 DEVELOPER_R，其中包含所有权利

创建角色DEVELOPER_R

添加角色对数据库的完全访问权限

将数据库 postgres 上的所有权限授予 DEVELOPER_R；

创建新架构TEST_SCHEMA

创建架构TEST_SCHEMA；

授予 DEVELOPER_R 角色对 TEST_SCHEMA 的所有访问权限

将 SCHEMA TEST_SCHEMA 上的所有内容授予 DEVELOPER_R；

将 SCHEMA TEST_SCHEMA 中所有表的所有权限授予 DEVELOPER_R；

创建具有角色的用户

在组 DEVELOPER_R LOGIN 中创建用户 testuser PASSWORD 'password';

从TEST_TABLE中选择

从 TEST_SCHEMA.TEST_TABLE 中选择*

结果，我希望拥有表中的所有行，但只有我得到的是表的权限被拒绝:

当我查看 TEST_SCHEMA 属性时，我可以看到 DEVELOPER_R 具有 UC 访问权限:

并且 testuser 位于 DEVELOPER_R 组中。

有人可以指出我缺少什么吗？

Answer 1

运行 GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA TEST_SCHEMA TO DEVELOPER_R; 命令后是否创建了表？因为它可以解释为什么您收到权限被拒绝的错误消息。您需要对在 test_schema 中创建的任何新表再次授予权限，如下例所示:

postgres=# \conninfo
You are connected to database "postgres" as user "postgres" via socket in "/var/run/postgresql" at port "5432".

postgres=# create database test_database;
CREATE DATABASE

postgres=# create role developer_r;
CREATE ROLE

postgres=# grant all privileges on database test_database to developer_r;
GRANT

postgres=# \c test_database
You are now connected to database "test_database" as user "postgres".

test_database=# create schema test_schema;
CREATE SCHEMA

test_database=# grant all on schema test_schema to developer_r;
GRANT

test_database=# grant all privileges on all tables in schema test_schema to developer_r;
GRANT

test_database=# create user test_user password 'password' in group developer_r login;
CREATE ROLE

test_database=# create table test_schema.test_table (col1 int);
CREATE TABLE

test_database=# insert into test_schema.test_table values (1);
INSERT 0 1

test_database=# select col1 from test_schema.test_table;
 col1
------
    1
(1 row)

现在验证到目前为止创建和授予的内容:

test_database=# \dg+ (test_user|developer_r)
                      List of roles
  Role name  |  Attributes  |   Member of   | Description
-------------+--------------+---------------+-------------
 developer_r | Cannot login | {}            |
 test_user   |              | {developer_r} |


test_database=# \dn+ test_schema
                        List of schemas
    Name     |  Owner   |    Access privileges    | Description
-------------+----------+-------------------------+-------------
 test_schema | postgres | postgres=UC/postgres   +|
             |          | developer_r=UC/postgres |
(1 row)

test_database=# \dt+ test_schema.*
                                          List of relations
   Schema    |    Name    | Type  |  Owner   | Persistence | Access method |    Size    | Description
-------------+------------+-------+----------+-------------+---------------+------------+-------------
 test_schema | test_table | table | postgres | permanent   | heap          | 8192 bytes |
(1 row)

test_database=# \dp+ test_schema.test_table
                                  Access privileges
   Schema    |    Name    | Type  | Access privileges | Column privileges | Policies
-------------+------------+-------+-------------------+-------------------+----------
 test_schema | test_table | table |                   |                   |
(1 row)

请注意，尚未向 test_schema.test_table 授予任何权限，因为它是在发出第一个 GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA TEST_SCHEMA TO DEVELOPER_R; 后创建的:

test_database=> \conninfo
You are connected to database "test_database" as user "test_user" on host "127.0.0.1" at port "5432".

test_database=> select col1 from test_schema.test_table;
ERROR:  permission denied for table test_table

现在再次运行GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA TEST_SCHEMA TO DEVELOPER_R;以向developer_r角色授予所需的权限:

postgres=# \conninfo
You are connected to database "postgres" as user "postgres" via socket in "/var/run/postgresql" at port "5432".

test_database=# grant all privileges on all tables in schema test_schema to developer_r;
GRANT

test_database=# \dp+ test_schema.test_table
                                       Access privileges
   Schema    |    Name    | Type  |      Access privileges       | Column privileges | Policies
-------------+------------+-------+------------------------------+-------------------+----------
 test_schema | test_table | table | postgres=arwdDxt/postgres   +|                   |
             |            |       | developer_r=arwdDxt/postgres |                   |
(1 row)

正如我们所看到的，developer_r 角色拥有所有权限 (arwdDxt)，现在 test_user 应该拥有至少从 test_schema.test_table 表中进行 SELECT 所需的权限:

test_database=> \conninfo
You are connected to database "test_database" as user "test_user" on host "127.0.0.1" at port "5432".

test_database=> select col1 from test_schema.test_table;
 col1
------
    1
(1 row)