Користувальницькькі налаштування
programming:databases:postgresql:roles_example
Зміст
Приклад організації системи ролей
Introduction
This is proposal of permission assignment. It includes creation (or reusage) of 3 roles:
- experiment_read_only - can only read objects (SELECT on tables)
- experiment_read_write - all of the above plus modify existing objects (SELECT, INSERT, UPDATE, DELETE on tables), but cannot create new tables.
- experiment_admin - all of the above plus create new objects in schema (create tables).
Example includes creating these roles, creating new schema, setting permissions for existing objects of schema, setting permissions for future objects of schema and creating users of all types.
After implementing this proposal all current and future users will have appropriate access to all current and future database objects, including rows, tables, routines etc.
Actually there’s one exception: schema public in every database. Every user will still be able to create new objects in this schema (for example, tables). This is default PostgreSQL setting.
Create basic roles: DO IT ONCE
CREATE ROLE experiment_read_write NOLOGIN; CREATE ROLE experiment_read_only NOLOGIN; CREATE ROLE experiment_admin NOLOGIN;
Grant access to database 'postgres': REPEAT FOR EVERY DATABASE
GRANT CONNECT ON DATABASE postgres TO experiment_admin, experiment_read_write, experiment_read_only;
Create new scheme 'myschema' and grant permissions: REPEAT FOR EVERY SCHEMA
Create new schema
CREATE SCHEMA myschema;
Grant access to the schema
GRANT USAGE ON SCHEMA myschema TO experiment_read_write, experiment_read_only; GRANT ALL PRIVILEGES ON SCHEMA myschema TO experiment_admin;
All next commands in this section require that current user can administer roles experiment_admin, experiment_read_write, experiment_read_only. To achieve it, use commands:
GRANT experiment_admin, experiment_read_write, experiment_read_only TO CURRENT_USER WITH ADMIN OPTION;
and
REVOKE experiment_admin, experiment_read_write, experiment_read_only FROM CURRENT_USER;
Grant usage of existing tables, sequences, routines in schema for basic roles
GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA myschema TO experiment_admin, experiment_read_write; GRANT ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA myschema TO experiment_admin, experiment_read_write; GRANT ALL PRIVILEGES ON ALL ROUTINES IN SCHEMA myschema TO experiment_admin, experiment_read_write; GRANT SELECT ON ALL TABLES IN SCHEMA myschema TO experiment_read_only; GRANT USAGE, SELECT ON ALL SEQUENCES IN SCHEMA myschema TO experiment_read_only;
Grant usage for future tables, sequences, routines in schema for basic roles
ALTER DEFAULT PRIVILEGES FOR ROLE experiment_read_only, experiment_read_write, experiment_admin IN SCHEMA myschema GRANT ALL PRIVILEGES ON TABLES TO experiment_read_write, experiment_admin; ALTER DEFAULT PRIVILEGES FOR ROLE experiment_read_only, experiment_read_write, experiment_admin IN SCHEMA myschema GRANT SELECT ON TABLES TO experiment_read_only; ALTER DEFAULT PRIVILEGES FOR ROLE experiment_read_only, experiment_read_write, experiment_admin IN SCHEMA myschema GRANT ALL PRIVILEGES ON SEQUENCES TO experiment_read_write, experiment_admin; ALTER DEFAULT PRIVILEGES FOR ROLE experiment_read_only, experiment_read_write, experiment_admin IN SCHEMA myschema GRANT USAGE, SELECT ON SEQUENCES TO experiment_read_only; ALTER DEFAULT PRIVILEGES FOR ROLE experiment_read_only, experiment_read_write, experiment_admin IN SCHEMA myschema GRANT ALL PRIVILEGES ON ROUTINES TO experiment_read_write, experiment_admin;
These rules above will work only if user switches role (SET ROLE experiment_admin), otherwise DEFAULT PRIVILEGES for user will be used. DEFAULT PRIVILEGES are not inherited, unlike other permissions.
How to create new users
New read-only user
This user can only read existing objects. But in schema public it can also create and manage his own objects, like tables.
Basic setup
CREATE ROLE reader1 WITH LOGIN PASSWORD 'mypass1'; GRANT experiment_read_only TO reader1; GRANT reader1 TO CURRENT_USER WITH ADMIN OPTION;
Grant usage for future tables, sequences, routines in schema: REPEAT FOR EVERY SCHEMA
ALTER DEFAULT PRIVILEGES FOR ROLE reader1 IN SCHEMA myschema GRANT ALL PRIVILEGES ON TABLES TO experiment_read_write, experiment_admin; ALTER DEFAULT PRIVILEGES FOR ROLE reader1 IN SCHEMA myschema GRANT SELECT ON TABLES TO experiment_read_only; ALTER DEFAULT PRIVILEGES FOR ROLE reader1 IN SCHEMA myschema GRANT ALL PRIVILEGES ON SEQUENCES TO experiment_read_write, experiment_admin; ALTER DEFAULT PRIVILEGES FOR ROLE reader1 IN SCHEMA myschema GRANT USAGE, SELECT ON SEQUENCES TO experiment_read_only; ALTER DEFAULT PRIVILEGES FOR ROLE reader1 IN SCHEMA myschema GRANT ALL PRIVILEGES ON ROUTINES TO experiment_read_write, experiment_admin;
Cleanup
REVOKE reader1 FROM CURRENT_USER;
New read-write user
This user cannot create new objects in schema, like tables. It can read, write, delete and update existing objects (for example, modify rows in tables).
Exception: in schema public it can also create and manage his own objects, like tables.
Basic setup
CREATE ROLE writer1 WITH LOGIN PASSWORD 'mypass2'; GRANT experiment_read_write TO writer1; GRANT writer1 TO CURRENT_USER WITH ADMIN OPTION;
Grant usage for future tables, sequences, routines in schema: REPEAT FOR EVERY SCHEMA
ALTER DEFAULT PRIVILEGES FOR ROLE writer1 IN SCHEMA myschema GRANT ALL PRIVILEGES ON TABLES TO experiment_read_write, experiment_admin; ALTER DEFAULT PRIVILEGES FOR ROLE writer1 IN SCHEMA myschema GRANT SELECT ON TABLES TO experiment_read_only; ALTER DEFAULT PRIVILEGES FOR ROLE writer1 IN SCHEMA myschema GRANT ALL PRIVILEGES ON SEQUENCES TO experiment_read_write, experiment_admin; ALTER DEFAULT PRIVILEGES FOR ROLE writer1 IN SCHEMA myschema GRANT USAGE, SELECT ON SEQUENCES TO experiment_read_only; ALTER DEFAULT PRIVILEGES FOR ROLE writer1 IN SCHEMA myschema GRANT ALL PRIVILEGES ON ROUTINES TO experiment_read_write, experiment_admin;
Cleanup
REVOKE writer1 FROM CURRENT_USER;
New admin user
This user can create new objects in schema
Basic setup
CREATE ROLE admin1 WITH LOGIN PASSWORD 'mypass3'; GRANT experiment_admin TO admin1; GRANT admin1 TO CURRENT_USER WITH ADMIN OPTION;
Grant usage for future tables, sequences, routines in schema: REPEAT FOR EVERY SCHEMA
ALTER DEFAULT PRIVILEGES FOR ROLE admin1 IN SCHEMA myschema GRANT ALL PRIVILEGES ON TABLES TO experiment_read_write, experiment_admin; ALTER DEFAULT PRIVILEGES FOR ROLE admin1 IN SCHEMA myschema GRANT SELECT ON TABLES TO experiment_read_only; ALTER DEFAULT PRIVILEGES FOR ROLE admin1 IN SCHEMA myschema GRANT ALL PRIVILEGES ON SEQUENCES TO experiment_read_write, experiment_admin; ALTER DEFAULT PRIVILEGES FOR ROLE admin1 IN SCHEMA myschema GRANT USAGE, SELECT ON SEQUENCES TO experiment_read_only; ALTER DEFAULT PRIVILEGES FOR ROLE admin1 IN SCHEMA myschema GRANT ALL PRIVILEGES ON ROUTINES TO experiment_read_write, experiment_admin;
Cleanup
REVOKE admin1 FROM CURRENT_USER;
programming/databases/postgresql/roles_example.txt · Востаннє змінено: 2020/07/29 15:45 повз charon
Налаштування сторінки
Якщо не вказано інше, вміст цієї Вікі підпадає під дію такої ліцензії: GNU Free Documentation License 1.3
