postgresql影子用户实践场景分析
在实际的生产环境,我们经常会碰到这样的情况:因为业务场景需要,本部门某些重要的业务数据表需要给予其他部门查看权限,因业务的扩展及调整,后期可能需要放开更多的表查询权限。为解决此种业务需求,我们可以采用创建视图的方式来解决,已可以通过创建影子用户的方式来满足需求,本文主要介绍影子用户的创建及授权方法。
场景1:只授予usageonschema权限
session1:
--创建readonly用户,并将test模式赋予readonly用户。
postgres=#createuserreadonlywithpassword'postgres'; CREATEROLE postgres=#grantusageonschematesttoreadonly; GRANT postgres=#\dn Listofschemas Name|Owner -------+------- test|postgres
session2:
--登陆readonly用户可以查询test模式下现存的所有表。
postgres=#\cpostgresreadonly Youarenowconnectedtodatabase"postgres"asuser"readonly". postgres=>select*fromtest.emp; empno|ename|job|mgr|hiredate|sal|comm|deptno -------+--------+-----------+------+------------+---------+---------+-------- 7499|ALLEN|SALESMAN|7698|1981-02-20|1600.00|300.00|30 7521|WARD|SALESMAN|7698|1981-02-22|1250.00|500.00|30 7566|JONES|MANAGER|7839|1981-04-02|2975.00||20 7654|MARTIN|SALESMAN|7698|1981-09-28|1250.00|1400.00|30 7698|BLAKE|MANAGER|7839|1981-05-01|2850.00||30 7782|CLARK|MANAGER|7839|1981-06-09|2450.00||10 7839|KING|PRESIDENT||1981-11-17|5000.00||10 7844|TURNER|SALESMAN|7698|1981-09-08|1500.00|0.00|30 7900|JAMES|CLERK|7698|1981-12-03|950.00||30 7902|FORD|ANALYST|7566|1981-12-03|3000.00||20 7934|MILLER|CLERK|7782|1982-01-23|1300.00||10 7788|test|ANALYST|7566|1982-12-09|3000.00||20 7876|ADAMS|CLERK|7788|1983-01-12|1100.00||20 1111|SMITH|CLERK|7902|1980-12-17|800.00||20 (14rows)
换到session1创建新表t1
postgres=#createtabletest.t1asselect*fromtest.emp; CREATETABLE
切换到session2readonly用户下,t1表无法查询
postgres=>select*fromtest.t1; 2021-03-0215:25:33.290CST[21059]ERROR:permissiondeniedfortablet1 2021-03-0215:25:33.290CST[21059]STATEMENT:select*fromtest.t1; **ERROR:permissiondeniedfortablet1
结论:如果只授予usageonschema权限,readonly只能查看test模式下已经存在的表和对象。在授予usageonschema权限之后创建的新表无法查看。
场景2:授予usageonschema权限之后,再赋予selectonalltablesinschema权限
针对上个场景session2**ERROR:permissiondeniedfortablet1错误的处理
postgres=>select*fromtest.t1; **ERROR:permissiondeniedfortablet1
session1:使用postgres用户授予readonly用户selectonalltables权限
postgres=#grantselectonalltablesinschematestTOreadonly;
session2:readonly用户查询t1表
postgres=>select*fromtest.t1; empno|ename|job|mgr|hiredate|sal|comm|deptno -------+--------+-----------+------+------------+---------+---------+-------- 7499|ALLEN|SALESMAN|7698|1981-02-20|1600.00|300.00|30 7521|WARD|SALESMAN|7698|1981-02-22|1250.00|500.00|30 7566|JONES|MANAGER|7839|1981-04-02|2975.00||20 7654|MARTIN|SALESMAN|7698|1981-09-28|1250.00|1400.00|30 7698|BLAKE|MANAGER|7839|1981-05-01|2850.00||30 7782|CLARK|MANAGER|7839|1981-06-09|2450.00||10 7839|KING|PRESIDENT||1981-11-17|5000.00||10 7844|TURNER|SALESMAN|7698|1981-09-08|1500.00|0.00|30 7900|JAMES|CLERK|7698|1981-12-03|950.00||30 7902|FORD|ANALYST|7566|1981-12-03|3000.00||20 7934|MILLER|CLERK|7782|1982-01-23|1300.00||10 7788|test|ANALYST|7566|1982-12-09|3000.00||20 7876|ADAMS|CLERK|7788|1983-01-12|1100.00||20 1111|SMITH|CLERK|7902|1980-12-17|800.00||20 (14rows)
session1:postgres用户的test模式下创建新表t2
postgres=#createtabletest.t2asselect*fromtest.emp; SELECT14
session2:readonly用户查询t2表权限不足
postgres=>select*fromtest.t2; ERROR:permissiondeniedfortablet2
session1:再次赋予grantselectonalltables
postgres=#grantselectonalltablesinschematestTOreadonly;
session2:readonly用户又可以查看T2表
postgres=>select*fromtest.t2; empno|ename|job|mgr|hiredate|sal|comm|deptno -------+--------+-----------+------+------------+---------+---------+-------- 7499|ALLEN|SALESMAN|7698|1981-02-20|1600.00|300.00|30 7521|WARD|SALESMAN|7698|1981-02-22|1250.00|500.00|30 7566|JONES|MANAGER|7839|1981-04-02|2975.00||20 7654|MARTIN|SALESMAN|7698|1981-09-28|1250.00|1400.00|30 7698|BLAKE|MANAGER|7839|1981-05-01|2850.00||30 7782|CLARK|MANAGER|7839|1981-06-09|2450.00||10 7839|KING|PRESIDENT||1981-11-17|5000.00||10 7844|TURNER|SALESMAN|7698|1981-09-08|1500.00|0.00|30 7900|JAMES|CLERK|7698|1981-12-03|950.00||30 7902|FORD|ANALYST|7566|1981-12-03|3000.00||20 7934|MILLER|CLERK|7782|1982-01-23|1300.00||10 7788|test|ANALYST|7566|1982-12-09|3000.00||20 7876|ADAMS|CLERK|7788|1983-01-12|1100.00||20 1111|SMITH|CLERK|7902|1980-12-17|800.00||20 (14rows)
影子用户创建
如果想让readonly只读用户不在每次postgres用户在test模式中创建新表后都要手工赋予grantselectonalltablesinschematestTOreadonly权限。则需要授予对test默认的访问权限,对于test模式新创建的也生效。
session1:未来访问test模式下所有新建的表赋权,创建t5表。
postgres=#alterdefaultprivilegesinschematestgrantselectontablestoreadonly; ALTERDEFAULTPRIVILEGES postgres=#createtabletest.t5asselect*fromtest.emp; CREATETABLE
session2:查询readonly用户
postgres=>select*fromtest.t5; empno|ename|job|mgr|hiredate|sal|comm|deptno -------+--------+-----------+------+------------+---------+---------+-------- 7499|ALLEN|SALESMAN|7698|1981-02-20|1600.00|300.00|30 7521|WARD|SALESMAN|7698|1981-02-22|1250.00|500.00|30 7566|JONES|MANAGER|7839|1981-04-02|2975.00||20 7654|MARTIN|SALESMAN|7698|1981-09-28|1250.00|1400.00|30 7698|BLAKE|MANAGER|7839|1981-05-01|2850.00||30 7782|CLARK|MANAGER|7839|1981-06-09|2450.00||10 7839|KING|PRESIDENT||1981-11-17|5000.00||10 7844|TURNER|SALESMAN|7698|1981-09-08|1500.00|0.00|30 7900|JAMES|CLERK|7698|1981-12-03|950.00||30 7902|FORD|ANALYST|7566|1981-12-03|3000.00||20 7934|MILLER|CLERK|7782|1982-01-23|1300.00||10 7788|test|ANALYST|7566|1982-12-09|3000.00||20 7876|ADAMS|CLERK|7788|1983-01-12|1100.00||20 1111|SMITH|CLERK|7902|1980-12-17|800.00||20 (14rows)
总结:影子用户创建的步骤
--创建影子用户 createuserreadonlywithpassword'postgres'; --将schema中usage权限赋予给readonly用户,访问所有已存在的表 grantusageonschematesttoreadonly; grantselectonalltablesinschematesttoreadonly; --未来访问test模式下所有新建的表 alterdefaultprivilegesinschematestgrantselectontablestoreadonly;
到此这篇关于postgresql影子用户实践的文章就介绍到这了,更多相关postgresql影子用户内容请搜索毛票票以前的文章或继续浏览下面的相关文章希望大家以后多多支持毛票票!
声明:本文内容来源于网络,版权归原作者所有,内容由互联网用户自发贡献自行上传,本网站不拥有所有权,未作人工编辑处理,也不承担相关法律责任。如果您发现有涉嫌版权的内容,欢迎发送邮件至:czq8825#qq.com(发邮件时,请将#更换为@)进行举报,并提供相关证据,一经查实,本站将立刻删除涉嫌侵权内容。