PGN*_*EWB 3 postgresql read-only-database
在 Ubuntu 16.04 上使用 PostGIS 2.2 全新安装 PostgreSQL 9.5 时,我似乎无法为数据库创建只读用户。这是我到目前为止所做的:
跑了这个,
CREATE ROLE dbowner LOGIN ENCRYPTED PASSWORD 'dbownerpassword';
CREATE DATABASE thedb WITH OWNER dbowner;
GRANT ALL PRIVILEGES ON DATABASE thedb TO dbowner;
CREATE EXTENSION postgis;
CREATE EXTENSION postgis_topology;
GRANT ALL ON ALL TABLES IN SCHEMA public to dbowner;
GRANT ALL ON ALL SEQUENCES IN SCHEMA public to dbowner;
GRANT ALL ON ALL FUNCTIONS IN SCHEMA public to dbowner;
CREATE ROLE readonly LOGIN ENCRYPTED PASSWORD 'ropassword';
GRANT CONNECT ON DATABASE thedb TO readonly;
GRANT USAGE ON SCHEMA public TO readonly;
GRANT SELECT ON ALL TABLES IN SCHEMA public TO readonly;
GRANT SELECT ON ALL SEQUENCES IN SCHEMA public TO readonly;
GRANT EXECUTE ON ALL FUNCTIONS IN SCHEMA public TO readonly;
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO readonly;
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON SEQUENCES TO readonly;
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT EXECUTE ON FUNCTIONS TO readonly;
然后我重启了,sudo service postgresql restart
现在,
psql -h localhost -U dbowner thedb
thedb=> CREATE TABLE testtable(col1 VARCHAR(100));
CREATE TABLE
thedb=> INSERT INTO testtable values('123');
INSERT 0 1
thedb=> SELECT * FROM testtable;
col1
------
123
(1 row)
psql -h localhost -U readonly thedb
thedb=> SELECT * FROM testtable;
ERROR: permission denied for relation testtable
pg_hba.conf 已经有local all all md5和host all all 127.0.0.1/32 md5。还有什么我可能会遗漏的吗?
该问题未指定执行以下语句的用户:
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO readonly;
但根据周围的代码,让我们猜测它是postgres. 这就是为什么readonly尝试读取它的权限被拒绝的原因:它是表的未来创建者dbowner, ,应该执行此语句。(当然,请注意,您还应该在运行上述命令时提及您连接的数据库)。
正如https://www.postgresql.org/docs/9.5/static/sql-alterdefaultprivileges.html 上的文档(强调我的)所述:
您只能更改将由您自己或您所属的角色创建的对象的默认权限。