
PostgreSQL Access Control

Managing privileges with GRANT and REVOKE:

The GRANT command has two basic variants: one that grants privileges on a database object (table, column, view, foreign table, sequence, database, foreign-data wrapper, foreign server, function, procedural language, schema, or tablespace), and one that grants membership in a role. These variants are similar in many ways, but they are different enough to be described separately.

That is from the latest official documentation (9.4.1). PostgreSQL's privilege control is very fine-grained, down to the column level: tables, columns, views, foreign tables, sequences, databases, foreign-data wrappers, foreign servers, functions, procedural languages, schemas and tablespaces.

First create some test data:

create table member(uid serial primary key, username varchar(40), email varchar(100), password varchar(32));

insert into member(username, email, password) values ('admin', '[email protected]', 'e10adc3949ba59abbe56e057f20f883e'), ('test', '[email protected]', 'e10adc3949ba59abbe56e057f20f883e');

testdb2=> select * from member;
 uid | username |       email       |             password
-----+----------+-------------------+----------------------------------
   1 | admin    | [email protected] | e10adc3949ba59abbe56e057f20f883e
   2 | test     | [email protected] | e10adc3949ba59abbe56e057f20f883e
(2 rows)

testdb2=> \d
              List of relations
 Schema |      Name      |   Type   | Owner
--------+----------------+----------+-------
 public | member         | table    | sec
 public | member_uid_seq | sequence | sec

Database: testdb2

The table and the database are owned by user sec.

Revoke all of sec's privileges on the member table (the object goes after ON, the role after FROM):

REVOKE ALL ON member FROM sec;

Running update, select or delete afterwards now fails with an error:

testdb2=> select * from member;
ERROR:  permission denied for relation member

To view the privileges on a table, use the \dp command:

testdb2=> \dp member;
                            Access privileges
 Schema |  Name  | Type  | Access privileges | Column access privileges
--------+--------+-------+-------------------+--------------------------
 public | member | table |                   |
(1 row)

Grant all the revoked privileges back:

testdb2=> grant all on member to sec;
GRANT

testdb2=> \dp member;
                            Access privileges
 Schema |  Name  | Type  | Access privileges | Column access privileges
--------+--------+-------+-------------------+--------------------------
 public | member | table | sec=arwdDxt/sec   |
(1 row)

Note: the letters in the Access privileges column above (arwdDxt) mean the following:

r -- SELECT ("read")
w -- UPDATE ("write")
a -- INSERT ("append")
d -- DELETE
D -- TRUNCATE
x -- REFERENCES
t -- TRIGGER
X -- EXECUTE
U -- USAGE
C -- CREATE
c -- CONNECT
T -- TEMPORARY

Revoking a specific privilege (select, update, delete, truncate, insert):

REVOKE select ON member FROM sec;

REVOKE update, delete ON member FROM sec;

Granting the select privilege:

GRANT select ON member TO sec;

Granting privileges on specific columns (keeping password out of reach), using SELECT as the example:

1. First revoke user sec's SELECT privilege on the whole member table:

REVOKE select ON member FROM sec;

2. Grant user sec SELECT on the username and email columns only:

GRANT select (username, email) ON member TO sec;

If step 1 is skipped, step 2 has no effect, because a table-level SELECT already covers every column; for the same reason, revoking SELECT on just the password column while the table-level privilege remains is also ineffective.
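The same column-level restriction as an added example (not code from the original post), applied to a dedicated application role rather than to the table owner, with catalog checks that confirm what was actually granted. It assumes the member table above exists and that the script is run by a superuser; the role name app_reader and its password are placeholders chosen for this example.

```sql
-- Added example. A separate application role is used because revoking
-- privileges from the owner (sec) is not a real boundary: the owner can
-- always grant them back to itself.
CREATE ROLE app_reader LOGIN PASSWORD 'placeholder-change-me';

-- Least privilege: make sure no table-level SELECT exists first, then grant
-- only the columns the application needs. A table-level SELECT would cover
-- every column and make a column-level REVOKE on password a no-op.
REVOKE ALL ON member FROM app_reader;
GRANT SELECT (uid, username, email) ON member TO app_reader;

-- Check the effective privileges without switching sessions: the table-level
-- check must be false, the password column check must be false, and only the
-- explicitly granted columns may pass.
SELECT has_table_privilege('app_reader', 'member', 'SELECT')              AS table_select,
       has_column_privilege('app_reader', 'member', 'email', 'SELECT')    AS email_select,
       has_column_privilege('app_reader', 'member', 'password', 'SELECT') AS password_select;

-- The same information as recorded in the catalog, one row per granted column;
-- password must not appear in this list.
SELECT grantee, column_name, privilege_type
  FROM information_schema.column_privileges
 WHERE table_name = 'member' AND grantee = 'app_reader'
 ORDER BY column_name;

-- What the application itself experiences (SET ROLE needs superuser or
-- membership in app_reader).
SET ROLE app_reader;
SELECT uid, username, email FROM member;   -- allowed: only granted columns
SELECT * FROM member;                      -- rejected: it would read password
RESET ROLE;
```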
