【Posted at】:2016-10-14 20:12:57
【Question】:
I'm having a bit of trouble getting permissions to work the way I want them to.
I have a role that should generally be allowed to SELECT everywhere, and this role has many members. One of those members should not be allowed to SELECT from a particular table.
I thought this could be done by granting membership in the general reader role and then revoking SELECT on the restricted table.
It seems the parent role's permissions apply rather than the specific ones. Is there a way around this without having to maintain the permissions of the more restricted role separately, or am I applying the role concept in PostgreSQL the wrong way?
Here is an example script:
-- as superuser
CREATE DATABASE permission_test;
\c permission_test
CREATE ROLE r_general_select;
-- r_restricted_select becomes a member of r_general_select (and inherits its privileges)
CREATE ROLE r_restricted_select IN ROLE r_general_select;
-- set the default permissions for tables created later by this user
ALTER DEFAULT PRIVILEGES IN SCHEMA "public" GRANT SELECT ON TABLES TO "r_general_select";
CREATE TABLE "open"(
id SERIAL,
payload TEXT
);
INSERT INTO "open"(payload) VALUES ('test');
-- covered by default privileges
GRANT SELECT ON "open" TO PUBLIC;
-- Tests
-- this is good
SET ROLE r_general_select;
SELECT * FROM "open";
RESET ROLE;
-- this is good
SET ROLE r_restricted_select;
SELECT * FROM "open";
RESET ROLE;
CREATE TABLE "restricted" (
id SERIAL,
payload TEXT
);
INSERT INTO "restricted"(payload) VALUES ('test');
-- the role and its members should be able to read
GRANT SELECT ON "restricted" TO r_general_select;
-- except for this one!
REVOKE SELECT ON "restricted" FROM r_restricted_select;
-- Tests
-- this is good
SET ROLE r_general_select;
SELECT * FROM restricted;
RESET ROLE;
-- this should barf with a permission violation
SET ROLE r_restricted_select;
SELECT * FROM restricted;
RESET ROLE;
--- CLEANUP
DROP OWNED BY "r_restricted_select" CASCADE;
DROP ROLE r_restricted_select;
DROP OWNED BY "r_general_select" CASCADE;
DROP ROLE r_general_select;
【Discussion】:
Tags: postgresql roles user-permissions postgresql-9.4 grant
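PostgreSQL privileges are purely additive: a member of an INHERIT role holds the union of its own grants and the parent's, so a REVOKE on the member cannot take away what the parent grants, which is exactly why the script above does not "barf". The following is an added example (not the poster's script) that reaches the intended outcome by moving the shared grants into a base role and granting the sensitive table only to the wider role; it assumes a superuser session, PostgreSQL 9.4 (no row-level security), and the role and table names from the question plus a new role r_base_select.

```sql
-- Added example, not part of the original question.
-- Assumes: superuser session, PostgreSQL 9.4, names from the question.
-- Hierarchy: r_base_select reads everything EXCEPT "restricted";
--            r_general_select    = base + restricted
--            r_restricted_select = base only
CREATE ROLE r_base_select;
CREATE ROLE r_general_select IN ROLE r_base_select;
CREATE ROLE r_restricted_select IN ROLE r_base_select;

-- Tables created later by this superuser default to readable by the base role.
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO r_base_select;

CREATE TABLE "open" (id SERIAL, payload TEXT);
INSERT INTO "open"(payload) VALUES ('test');

CREATE TABLE restricted (id SERIAL, payload TEXT);
INSERT INTO restricted(payload) VALUES ('test');

-- The default privilege also gave the base role SELECT on "restricted":
-- take that back from the base role and grant it to the general role only.
-- Nothing is revoked from r_restricted_select; it simply never inherits it.
REVOKE SELECT ON restricted FROM r_base_select;
GRANT SELECT ON restricted TO r_general_select;

-- Inspect effective privileges (membership included) without switching roles.
SELECT rolname,
       has_table_privilege(rolname, 'open', 'SELECT')       AS can_read_open,
       has_table_privilege(rolname, 'restricted', 'SELECT') AS can_read_restricted
FROM pg_roles
WHERE rolname IN ('r_general_select', 'r_restricted_select');

-- Behavioural check: the general role reads both tables ...
SET ROLE r_general_select;
SELECT * FROM "open";
SELECT * FROM restricted;
RESET ROLE;

-- ... while the restricted role reads "open" but is denied on "restricted".
SET ROLE r_restricted_select;
SELECT * FROM "open";
SELECT * FROM restricted;
RESET ROLE;

-- Cleanup (DROP OWNED also removes the default-privilege entry for the base role).
DROP TABLE "open", restricted;
DROP OWNED BY r_base_select, r_general_select, r_restricted_select;
DROP ROLE r_restricted_select, r_general_select, r_base_select;
```

If the member roles must stay members of the wider role, the other option is to create them with NOINHERIT, in which case they hold only their own grants until they explicitly SET ROLE to the parent.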