Знання

Користувальницькькі налаштування

Налаштування сайту

Ви тут: start » programming » databases » postgresql » roles_example
Відвідано:
programming:databases:postgresql:roles_example

Розбіжності

Тут показані розбіжності між вибраною ревізією та поточною версією сторінки.

Посилання на цей список змін

Порівняння попередніх версій Попередня ревізія
Наступна ревізія 		Попередня ревізія
programming:databases:postgresql:roles_example [2020/07/29 15:28]
charon 		programming:databases:postgresql:roles_example [2020/07/29 15:45] (поточний)
charon [Grant usage for future tables, sequences, routines in schema for basic roles]
Рядок 16: Рядок 16:
 </WRAP> </WRAP>
  
 +----
  
 ===== Create basic roles: DO IT ONCE ===== ===== Create basic roles: DO IT ONCE =====
Рядок 28: Рядок 29:
 GRANT CONNECT ON DATABASE postgres TO experiment_admin, experiment_read_write, experiment_read_only; GRANT CONNECT ON DATABASE postgres TO experiment_admin, experiment_read_write, experiment_read_only;
 </code>  </code> 
 +
 +----
  
 ===== Create new scheme 'myschema' and grant permissions: REPEAT FOR EVERY SCHEMA ===== ===== Create new scheme 'myschema' and grant permissions: REPEAT FOR EVERY SCHEMA =====
Рядок 40: Рядок 43:
 GRANT USAGE ON SCHEMA myschema TO experiment_read_write, experiment_read_only; GRANT USAGE ON SCHEMA myschema TO experiment_read_write, experiment_read_only;
 GRANT ALL PRIVILEGES ON SCHEMA myschema TO experiment_admin; GRANT ALL PRIVILEGES ON SCHEMA myschema TO experiment_admin;
 +</code>
 +
 +All next commands in this section require that current user can administer roles //experiment_admin//, //experiment_read_write//, //experiment_read_only//. To achieve it, use commands:
 +<code postgresql>
 +GRANT experiment_admin, experiment_read_write, experiment_read_only TO CURRENT_USER WITH ADMIN OPTION;
 +</code>
 +and
 +<code postgresql>
 +REVOKE experiment_admin, experiment_read_write, experiment_read_only FROM CURRENT_USER;
 </code> </code>
  
Рядок 53: Рядок 65:
 ==== Grant usage for future tables, sequences, routines in schema for basic roles ==== ==== Grant usage for future tables, sequences, routines in schema for basic roles ====
 <code postgresql> <code postgresql>
-ALTER DEFAULT PRIVILEGES FOR ROLE experiment_read_write, experiment_admin IN SCHEMA myschema GRANT ALL PRIVILEGES ON TABLES TO experiment_read_write, experiment_admin; +ALTER DEFAULT PRIVILEGES FOR ROLE experiment_read_only, experiment_read_write, experiment_admin IN SCHEMA myschema GRANT ALL PRIVILEGES ON TABLES TO experiment_read_write, experiment_admin; 
-ALTER DEFAULT PRIVILEGES FOR ROLE experiment_read_write, experiment_admin IN SCHEMA myschema GRANT SELECT ON TABLES TO experiment_read_only; +ALTER DEFAULT PRIVILEGES FOR ROLE experiment_read_only, experiment_read_write, experiment_admin IN SCHEMA myschema GRANT SELECT ON TABLES TO experiment_read_only; 
-ALTER DEFAULT PRIVILEGES FOR ROLE experiment_read_write, experiment_admin IN SCHEMA myschema GRANT ALL PRIVILEGES ON SEQUENCES TO experiment_read_write, experiment_admin; +ALTER DEFAULT PRIVILEGES FOR ROLE experiment_read_only, experiment_read_write, experiment_admin IN SCHEMA myschema GRANT ALL PRIVILEGES ON SEQUENCES TO experiment_read_write, experiment_admin; 
-ALTER DEFAULT PRIVILEGES FOR ROLE experiment_read_write, experiment_admin IN SCHEMA myschema GRANT USAGE, SELECT ON SEQUENCES TO experiment_read_only; +ALTER DEFAULT PRIVILEGES FOR ROLE experiment_read_only, experiment_read_write, experiment_admin IN SCHEMA myschema GRANT USAGE, SELECT ON SEQUENCES TO experiment_read_only; 
-ALTER DEFAULT PRIVILEGES FOR ROLE experiment_read_write, experiment_admin IN SCHEMA myschema GRANT ALL PRIVILEGES ON ROUTINES TO experiment_read_write, experiment_admin;+ALTER DEFAULT PRIVILEGES FOR ROLE experiment_read_only, experiment_read_write, experiment_admin IN SCHEMA myschema GRANT ALL PRIVILEGES ON ROUTINES TO experiment_read_write, experiment_admin;
 </code> </code>
 +
 +<WRAP center round info 60%>
 +These rules above will work only if user switches role (//SET ROLE experiment_admin//), otherwise DEFAULT PRIVILEGES for **user** will be used. DEFAULT PRIVILEGES are not inherited, unlike other permissions.
 +</WRAP>
 +
 +----
  
 ===== How to create new users ===== ===== How to create new users =====
Рядок 86: Рядок 104:
 </code> </code>
    
-New read-write user+==== New read-write user ====
 This user cannot create new objects in schema, like tables. It can read, write, delete and update existing objects (for example, modify rows in tables). This user cannot create new objects in schema, like tables. It can read, write, delete and update existing objects (for example, modify rows in tables).
  
-Exception: in schema public it can also create and manage his own objects, like tables.+<WRAP center round important 60%> 
 +Exception: in schema //public// it can also create and manage his own objects, like tables. 
 +</WRAP>
  
-Basic setup+ 
 +=== Basic setup ===
 <code postgresql> <code postgresql>
 CREATE ROLE writer1 WITH LOGIN PASSWORD 'mypass2'; CREATE ROLE writer1 WITH LOGIN PASSWORD 'mypass2';
Рядок 98: Рядок 119:
 </code> </code>
  
-Grant usage for future tables, sequences, routines in schema: REPEAT FOR EVERY SCHEMA +=== Grant usage for future tables, sequences, routines in schema: REPEAT FOR EVERY SCHEMA ===
 <code postgresql> <code postgresql>
 ALTER DEFAULT PRIVILEGES FOR ROLE writer1 IN SCHEMA myschema GRANT ALL PRIVILEGES ON TABLES TO experiment_read_write, experiment_admin; ALTER DEFAULT PRIVILEGES FOR ROLE writer1 IN SCHEMA myschema GRANT ALL PRIVILEGES ON TABLES TO experiment_read_write, experiment_admin;
Рядок 107: Рядок 128:
 </code> </code>
  
-Cleanup+=== Cleanup ===
 <code postgresql> <code postgresql>
 REVOKE writer1 FROM CURRENT_USER; REVOKE writer1 FROM CURRENT_USER;
 </code> </code>
-  
  
  
-New admin user+==== New admin user ====
 This user can create new objects in schema This user can create new objects in schema
  
  
-Basic setup+=== Basic setup ===
 <code postgresql> <code postgresql>
 CREATE ROLE admin1 WITH LOGIN PASSWORD 'mypass3'; CREATE ROLE admin1 WITH LOGIN PASSWORD 'mypass3';
Рядок 125: Рядок 145:
 </code> </code>
  
-Grant usage for future tables, sequences, routines in schema: REPEAT FOR EVERY SCHEMA+=== Grant usage for future tables, sequences, routines in schema: REPEAT FOR EVERY SCHEMA ===
 <code postgresql> <code postgresql>
 ALTER DEFAULT PRIVILEGES FOR ROLE admin1 IN SCHEMA myschema GRANT ALL PRIVILEGES ON TABLES TO experiment_read_write, experiment_admin; ALTER DEFAULT PRIVILEGES FOR ROLE admin1 IN SCHEMA myschema GRANT ALL PRIVILEGES ON TABLES TO experiment_read_write, experiment_admin;
Рядок 134: Рядок 154:
 </code> </code>
  
-Cleanup+=== Cleanup ===
 <code postgresql> <code postgresql>
 REVOKE admin1 FROM CURRENT_USER; REVOKE admin1 FROM CURRENT_USER;
 </code> </code>
programming/databases/postgresql/roles_example.1596025703.txt.gz · Востаннє змінено: 2020/07/29 15:28 повз charon

Налаштування сторінки

Якщо не вказано інше, вміст цієї Вікі підпадає під дію такої ліцензії: GNU Free Documentation License 1.3
GNU Free Documentation License 1.3 Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki