postgresql GRANT USAGE ON SCHEMA具体是做什么的?

2lpgd968  于 2023-05-22  发布在  PostgreSQL
关注(0)|答案(4)|浏览(1010)

我第一次尝试创建Postgres数据库。
我为DB角色分配了基本的只读权限,该角色必须从我的PHP脚本访问数据库,我有一个好奇心:如果我执行

GRANT some_or_all_privileges ON ALL TABLES IN SCHEMA schema TO role;

有必要也执行这个吗?

GRANT USAGE ON SCHEMA schema TO role;

关于documentation
用法:对于模式,允许访问包含在指定模式中的对象(假设也满足对象自己的权限要求)。本质上,这允许被授权者在模式中“查找”对象。
我认为,如果我可以选择或操作模式中包含的任何数据,我就可以访问模式本身的任何对象。我说错了吗?如果不是,GRANT USAGE ON SCHEMA是用来做什么的?文档中的“假设对象自己的特权需求也得到满足”究竟是什么意思?

soat7uwm

soat7uwm1#

GRANT s在不同的对象上是分开的。在数据库上执行操作不会对其中的模式具有GRANT权限。类似地,对模式执行GRANT操作不会授予对其中表的权限。
如果您有权从表中访问SELECT,但无权在包含它的模式中查看它,则无法访问该表。
权限测试按以下顺序进行:

Do you have `USAGE` on the schema? 
    No:  Reject access. 
    Yes: Do you also have the appropriate rights on the table? 
        No:  Reject access. 
        Yes: Check column privileges.

您的困惑可能源于这样一个事实,即public模式对角色public具有所有权限的默认GRANT,每个用户/组都是该角色的成员。所以每个人都已经使用了这个模式。
短语:
(假设也满足对象自己的特权要求)
是说你必须在一个模式上拥有USAGE才能使用其中的对象,但是在一个模式上拥有USAGE本身并不足以使用模式中的对象,你还必须对对象本身拥有权限。
就像一个目录树。如果你创建了一个目录somedir,其中包含文件somefile,然后将其设置为只有你自己的用户可以访问该目录或文件(目录上的模式为rwx------,文件上的模式为rw-------),那么没有人可以列出该目录以查看该文件是否存在。
如果您授予文件的全局读取权限(模式rw-r--r--),但不更改目录权限,则没有任何区别。没有人可以看到文件来读取它,因为他们没有列出目录的权限。
如果您在目录上设置rwx-r-xr-x,设置它以便人们可以列出和遍历目录,但不更改文件权限,人们可以列出文件,但不能读取它,因为他们没有访问文件的权限。
您需要设置 both 权限,以便人们能够实际查看该文件。
同样的事情在PG。要对对象(如表中的SELECT)执行操作,您需要USAGE模式权限和对象权限。
(The这个类比福尔斯站不住脚,因为PostgreSQL还没有行级安全性,所以用户仍然可以通过直接从pg_class读取SELECT来“看到”表存在于模式中。他们不能以任何方式与它交互,虽然,所以它只是“列表”部分不太一样。

pftdvrlh

pftdvrlh2#

对于生产系统,您可以使用以下配置:

--ACCESS DB
REVOKE CONNECT ON DATABASE nova FROM PUBLIC;
GRANT  CONNECT ON DATABASE nova  TO user;

--ACCESS SCHEMA
REVOKE ALL     ON SCHEMA public FROM PUBLIC;
GRANT  USAGE   ON SCHEMA public  TO user;

--ACCESS TABLES
REVOKE ALL ON ALL TABLES IN SCHEMA public FROM PUBLIC ;
GRANT SELECT                         ON ALL TABLES IN SCHEMA public TO read_only ;
GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA public TO read_write ;
GRANT ALL                            ON ALL TABLES IN SCHEMA public TO admin ;
dxxyhpgq

dxxyhpgq3#

好了,这是我对Linux的简单db的最终解决方案:

# Read this before!
#
# * roles in postgres are users, and can be used also as group of users
# * $ROLE_LOCAL will be the user that access the db for maintenance and
#   administration. $ROLE_REMOTE will be the user that access the db from the webapp
# * you have to change '$ROLE_LOCAL', '$ROLE_REMOTE' and '$DB'
#   strings with your desired names
# * it's preferable that $ROLE_LOCAL == $DB

#-------------------------------------------------------------------------------

//----------- SKIP THIS PART UNTIL POSTGRES JDBC ADDS SCRAM - START ----------//

cd /etc/postgresql/$VERSION/main
sudo cp pg_hba.conf pg_hba.conf_bak
sudo -e pg_hba.conf

# change all `md5` with `scram-sha-256`
# save and exit

//------------ SKIP THIS PART UNTIL POSTGRES JDBC ADDS SCRAM - END -----------//

sudo -u postgres psql

# in psql:
create role $ROLE_LOCAL login createdb;
\password $ROLE_LOCAL
create role $ROLE_REMOTE login;
\password $ROLE_REMOTE

create database $DB owner $ROLE_LOCAL encoding "utf8";
\connect $DB $ROLE_LOCAL

# Create all tables and objects, and after that:

\connect $DB postgres

revoke connect on database $DB from public;
revoke all on schema public from public;
revoke all on all tables in schema public from public;

grant connect on database $DB to $ROLE_LOCAL;
grant all on schema public to $ROLE_LOCAL;
grant all on all tables in schema public to $ROLE_LOCAL;
grant all on all sequences in schema public to $ROLE_LOCAL;
grant all on all functions in schema public to $ROLE_LOCAL;

grant connect on database $DB to $ROLE_REMOTE;
grant usage on schema public to $ROLE_REMOTE;
grant select, insert, update, delete on all tables in schema public to $ROLE_REMOTE;
grant usage, select on all sequences in schema public to $ROLE_REMOTE;
grant execute on all functions in schema public to $ROLE_REMOTE;

alter default privileges for role $ROLE_LOCAL in schema public
    grant all on tables to $ROLE_LOCAL;

alter default privileges for role $ROLE_LOCAL in schema public
    grant all on sequences to $ROLE_LOCAL;

alter default privileges for role $ROLE_LOCAL in schema public
    grant all on functions to $ROLE_LOCAL;

alter default privileges for role $ROLE_REMOTE in schema public
    grant select, insert, update, delete on tables to $ROLE_REMOTE;

alter default privileges for role $ROLE_REMOTE in schema public
    grant usage, select on sequences to $ROLE_REMOTE;

alter default privileges for role $ROLE_REMOTE in schema public
    grant execute on functions to $ROLE_REMOTE;

# CTRL+D
dy1byipe

dy1byipe4#

只有在分配了用户之后,我才设法对数据库执行操作

GRANT ALL PRIVILEGES ON DATABASE chat_db to chat_user;
GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA security_user TO chat_user;
GRANT USAGE ON SCHEMA security_user TO chat_user;
GRANT ALL PRIVILEGES ON TABLE web_history_migration TO chat_user;
ALTER SCHEMA security_user OWNER TO chat_user;

因为我在那里使用了flywaydb。
也许这就足够了:

ALTER SCHEMA security_user OWNER TO chat_user;

相关问题