Користувальницькькі налаштування
programming:databases:postgresql:roles_example
Розбіжності
Тут показані розбіжності між вибраною ревізією та поточною версією сторінки.
| Порівняння попередніх версій Попередня ревізія Наступна ревізія | Попередня ревізія | ||
|
programming:databases:postgresql:roles_example [2020/07/29 15:22] charon [Create basic roles: DO IT ONCE] |
programming:databases:postgresql:roles_example [2020/07/29 15:45] (поточний) charon [Grant usage for future tables, sequences, routines in schema for basic roles] |
||
|---|---|---|---|
| Рядок 16: | Рядок 16: | ||
| </ | </ | ||
| + | ---- | ||
| ===== Create basic roles: DO IT ONCE ===== | ===== Create basic roles: DO IT ONCE ===== | ||
| - | < | + | < |
| CREATE ROLE experiment_read_write NOLOGIN; | CREATE ROLE experiment_read_write NOLOGIN; | ||
| CREATE ROLE experiment_read_only NOLOGIN; | CREATE ROLE experiment_read_only NOLOGIN; | ||
| CREATE ROLE experiment_admin NOLOGIN; | CREATE ROLE experiment_admin NOLOGIN; | ||
| </ | </ | ||
| + | |||
| ===== Grant access to database ' | ===== Grant access to database ' | ||
| - | | + | <code postgresql> |
| - | + | GRANT CONNECT ON DATABASE postgres TO experiment_admin, | |
| + | </ | ||
| + | ---- | ||
| - | Create new scheme ' | + | ===== Create new scheme ' |
| - | Create new schema | + | ==== Create new schema |
| + | <code postgresql> | ||
| CREATE SCHEMA myschema; | CREATE SCHEMA myschema; | ||
| + | </ | ||
| - | Grant access to the schema | + | ==== Grant access to the schema |
| + | <code postgresql> | ||
| GRANT USAGE ON SCHEMA myschema TO experiment_read_write, | GRANT USAGE ON SCHEMA myschema TO experiment_read_write, | ||
| GRANT ALL PRIVILEGES ON SCHEMA myschema TO experiment_admin; | GRANT ALL PRIVILEGES ON SCHEMA myschema TO experiment_admin; | ||
| + | </ | ||
| - | Grant usage of existing tables, sequences, routines in schema for basic roles | + | All next commands in this section require that current user can administer roles // |
| + | <code postgresql> | ||
| + | GRANT experiment_admin, | ||
| + | </ | ||
| + | and | ||
| + | <code postgresql> | ||
| + | REVOKE experiment_admin, | ||
| + | </ | ||
| + | |||
| + | ==== Grant usage of existing tables, sequences, routines in schema for basic roles ==== | ||
| + | <code postgresql> | ||
| GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA myschema TO experiment_admin, | GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA myschema TO experiment_admin, | ||
| GRANT ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA myschema TO experiment_admin, | GRANT ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA myschema TO experiment_admin, | ||
| Рядок 43: | Рядок 61: | ||
| GRANT SELECT ON ALL TABLES IN SCHEMA myschema TO experiment_read_only; | GRANT SELECT ON ALL TABLES IN SCHEMA myschema TO experiment_read_only; | ||
| GRANT USAGE, SELECT ON ALL SEQUENCES IN SCHEMA myschema TO experiment_read_only; | GRANT USAGE, SELECT ON ALL SEQUENCES IN SCHEMA myschema TO experiment_read_only; | ||
| + | </ | ||
| - | Grant usage for future tables, sequences, routines in schema for basic roles | + | ==== Grant usage for future tables, sequences, routines in schema for basic roles ==== |
| - | ALTER DEFAULT PRIVILEGES FOR ROLE experiment_read_write, | + | <code postgresql> |
| - | ALTER DEFAULT PRIVILEGES FOR ROLE experiment_read_write, | + | ALTER DEFAULT PRIVILEGES FOR ROLE experiment_read_only, |
| - | ALTER DEFAULT PRIVILEGES FOR ROLE experiment_read_write, | + | ALTER DEFAULT PRIVILEGES FOR ROLE experiment_read_only, |
| - | ALTER DEFAULT PRIVILEGES FOR ROLE experiment_read_write, | + | ALTER DEFAULT PRIVILEGES FOR ROLE experiment_read_only, |
| - | ALTER DEFAULT PRIVILEGES FOR ROLE experiment_read_write, | + | ALTER DEFAULT PRIVILEGES FOR ROLE experiment_read_only, |
| - | + | ALTER DEFAULT PRIVILEGES FOR ROLE experiment_read_only, | |
| + | </ | ||
| + | <WRAP center round info 60%> | ||
| + | These rules above will work only if user switches role (//SET ROLE experiment_admin// | ||
| + | </ | ||
| - | How to create new users | + | ---- |
| - | New read-only user | + | ===== How to create |
| - | This user can only read existing objects. But in schema public it can also create | + | |
| + | ==== New read-only user ==== | ||
| + | This user can only read existing objects. But in schema public it can also create and manage his own objects, like tables. | ||
| - | Basic setup | + | === Basic setup === |
| + | <code postgresql> | ||
| CREATE ROLE reader1 WITH LOGIN PASSWORD ' | CREATE ROLE reader1 WITH LOGIN PASSWORD ' | ||
| GRANT experiment_read_only TO reader1; | GRANT experiment_read_only TO reader1; | ||
| GRANT reader1 TO CURRENT_USER WITH ADMIN OPTION; | GRANT reader1 TO CURRENT_USER WITH ADMIN OPTION; | ||
| + | </ | ||
| - | Grant usage for future tables, sequences, routines in schema: REPEAT FOR EVERY SCHEMA | + | === Grant usage for future tables, sequences, routines in schema: REPEAT FOR EVERY SCHEMA |
| + | <code postgresql> | ||
| ALTER DEFAULT PRIVILEGES FOR ROLE reader1 IN SCHEMA myschema GRANT ALL PRIVILEGES ON TABLES TO experiment_read_write, | ALTER DEFAULT PRIVILEGES FOR ROLE reader1 IN SCHEMA myschema GRANT ALL PRIVILEGES ON TABLES TO experiment_read_write, | ||
| ALTER DEFAULT PRIVILEGES FOR ROLE reader1 IN SCHEMA myschema GRANT SELECT ON TABLES TO experiment_read_only; | ALTER DEFAULT PRIVILEGES FOR ROLE reader1 IN SCHEMA myschema GRANT SELECT ON TABLES TO experiment_read_only; | ||
| Рядок 70: | Рядок 97: | ||
| ALTER DEFAULT PRIVILEGES FOR ROLE reader1 IN SCHEMA myschema GRANT USAGE, SELECT ON SEQUENCES TO experiment_read_only; | ALTER DEFAULT PRIVILEGES FOR ROLE reader1 IN SCHEMA myschema GRANT USAGE, SELECT ON SEQUENCES TO experiment_read_only; | ||
| ALTER DEFAULT PRIVILEGES FOR ROLE reader1 IN SCHEMA myschema GRANT ALL PRIVILEGES ON ROUTINES TO experiment_read_write, | ALTER DEFAULT PRIVILEGES FOR ROLE reader1 IN SCHEMA myschema GRANT ALL PRIVILEGES ON ROUTINES TO experiment_read_write, | ||
| + | </ | ||
| - | Cleanup | + | === Cleanup |
| + | <code postgresql> | ||
| REVOKE reader1 FROM CURRENT_USER; | REVOKE reader1 FROM CURRENT_USER; | ||
| + | </ | ||
| - | + | ==== New read-write user ==== | |
| - | + | ||
| - | New read-write user | + | |
| This user cannot create new objects in schema, like tables. It can read, write, delete and update existing objects (for example, modify rows in tables). | This user cannot create new objects in schema, like tables. It can read, write, delete and update existing objects (for example, modify rows in tables). | ||
| - | Exception: in schema public it can also create and manage his own objects, like tables. | + | <WRAP center round important 60%> |
| + | Exception: in schema | ||
| + | </ | ||
| - | Basic setup | + | === Basic setup === |
| + | <code postgresql> | ||
| CREATE ROLE writer1 WITH LOGIN PASSWORD ' | CREATE ROLE writer1 WITH LOGIN PASSWORD ' | ||
| GRANT experiment_read_write TO writer1; | GRANT experiment_read_write TO writer1; | ||
| GRANT writer1 TO CURRENT_USER WITH ADMIN OPTION; | GRANT writer1 TO CURRENT_USER WITH ADMIN OPTION; | ||
| + | </ | ||
| - | Grant usage for future tables, sequences, routines in schema: REPEAT FOR EVERY SCHEMA | + | === Grant usage for future tables, sequences, routines in schema: REPEAT FOR EVERY SCHEMA |
| + | <code postgresql> | ||
| ALTER DEFAULT PRIVILEGES FOR ROLE writer1 IN SCHEMA myschema GRANT ALL PRIVILEGES ON TABLES TO experiment_read_write, | ALTER DEFAULT PRIVILEGES FOR ROLE writer1 IN SCHEMA myschema GRANT ALL PRIVILEGES ON TABLES TO experiment_read_write, | ||
| ALTER DEFAULT PRIVILEGES FOR ROLE writer1 IN SCHEMA myschema GRANT SELECT ON TABLES TO experiment_read_only; | ALTER DEFAULT PRIVILEGES FOR ROLE writer1 IN SCHEMA myschema GRANT SELECT ON TABLES TO experiment_read_only; | ||
| Рядок 93: | Рядок 126: | ||
| ALTER DEFAULT PRIVILEGES FOR ROLE writer1 IN SCHEMA myschema GRANT USAGE, SELECT ON SEQUENCES TO experiment_read_only; | ALTER DEFAULT PRIVILEGES FOR ROLE writer1 IN SCHEMA myschema GRANT USAGE, SELECT ON SEQUENCES TO experiment_read_only; | ||
| ALTER DEFAULT PRIVILEGES FOR ROLE writer1 IN SCHEMA myschema GRANT ALL PRIVILEGES ON ROUTINES TO experiment_read_write, | ALTER DEFAULT PRIVILEGES FOR ROLE writer1 IN SCHEMA myschema GRANT ALL PRIVILEGES ON ROUTINES TO experiment_read_write, | ||
| + | </ | ||
| - | Cleanup | + | === Cleanup |
| + | <code postgresql> | ||
| REVOKE writer1 FROM CURRENT_USER; | REVOKE writer1 FROM CURRENT_USER; | ||
| - | + | </ | |
| - | New admin user | + | ==== New admin user ==== |
| This user can create new objects in schema | This user can create new objects in schema | ||
| - | Basic setup | + | === Basic setup === |
| + | <code postgresql> | ||
| CREATE ROLE admin1 WITH LOGIN PASSWORD ' | CREATE ROLE admin1 WITH LOGIN PASSWORD ' | ||
| GRANT experiment_admin TO admin1; | GRANT experiment_admin TO admin1; | ||
| GRANT admin1 TO CURRENT_USER WITH ADMIN OPTION; | GRANT admin1 TO CURRENT_USER WITH ADMIN OPTION; | ||
| + | </ | ||
| - | Grant usage for future tables, sequences, routines in schema: REPEAT FOR EVERY SCHEMA | + | === Grant usage for future tables, sequences, routines in schema: REPEAT FOR EVERY SCHEMA |
| + | <code postgresql> | ||
| ALTER DEFAULT PRIVILEGES FOR ROLE admin1 IN SCHEMA myschema GRANT ALL PRIVILEGES ON TABLES TO experiment_read_write, | ALTER DEFAULT PRIVILEGES FOR ROLE admin1 IN SCHEMA myschema GRANT ALL PRIVILEGES ON TABLES TO experiment_read_write, | ||
| ALTER DEFAULT PRIVILEGES FOR ROLE admin1 IN SCHEMA myschema GRANT SELECT ON TABLES TO experiment_read_only; | ALTER DEFAULT PRIVILEGES FOR ROLE admin1 IN SCHEMA myschema GRANT SELECT ON TABLES TO experiment_read_only; | ||
| Рядок 114: | Рядок 152: | ||
| ALTER DEFAULT PRIVILEGES FOR ROLE admin1 IN SCHEMA myschema GRANT USAGE, SELECT ON SEQUENCES TO experiment_read_only; | ALTER DEFAULT PRIVILEGES FOR ROLE admin1 IN SCHEMA myschema GRANT USAGE, SELECT ON SEQUENCES TO experiment_read_only; | ||
| ALTER DEFAULT PRIVILEGES FOR ROLE admin1 IN SCHEMA myschema GRANT ALL PRIVILEGES ON ROUTINES TO experiment_read_write, | ALTER DEFAULT PRIVILEGES FOR ROLE admin1 IN SCHEMA myschema GRANT ALL PRIVILEGES ON ROUTINES TO experiment_read_write, | ||
| + | </ | ||
| - | Cleanup | + | === Cleanup |
| + | <code postgresql> | ||
| REVOKE admin1 FROM CURRENT_USER; | REVOKE admin1 FROM CURRENT_USER; | ||
| + | </ | ||
programming/databases/postgresql/roles_example.1596025369.txt.gz · Востаннє змінено: 2020/07/29 15:22 повз charon
Налаштування сторінки
Якщо не вказано інше, вміст цієї Вікі підпадає під дію такої ліцензії: GNU Free Documentation License 1.3
