Mx *_*ter 7 postgresql permissions amazon-rds
我正在尝试对 RDS 实例上的 PostgreSQL 数据库进行我认为常见的设置。我希望有:
public
架构上,还是在自定义架构上,我都不太关心GRANT
我已尝试以下操作但无济于事,postgres
用户是由 RDS 创建的具有角色的用户rds_superuser
:
-- Making sure roles can't do anything on the database without explicit grant
REVOKE CREATE ON SCHEMA public FROM PUBLIC;
REVOKE ALL ON DATABASE my_database FROM PUBLIC;
CREATE SCHEMA my_schema;
-- Read-write
CREATE ROLE read_write;
GRANT CONNECT ON DATABASE my_database TO read_write;
GRANT USAGE, CREATE ON SCHEMA my_schema TO read_write;
GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA my_schema TO read_write;
ALTER DEFAULT PRIVILEGES IN SCHEMA my_schema GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO read_write;
GRANT USAGE ON ALL SEQUENCES IN SCHEMA my_schema TO read_write;
ALTER DEFAULT PRIVILEGES IN SCHEMA my_schema GRANT USAGE ON SEQUENCES TO read_write;
-- Read-only
CREATE ROLE read_only;
GRANT CONNECT ON DATABASE my_database TO read_only;
GRANT USAGE ON SCHEMA my_schema TO read_only;
GRANT SELECT ON ALL TABLES IN SCHEMA my_schema TO read_only;
ALTER DEFAULT PRIVILEGES IN SCHEMA my_schema GRANT SELECT ON TABLES TO read_only;
-- Users
CREATE USER read_write_user WITH PASSWORD 'password_1';
GRANT read_write TO my_database;
CREATE USER read_only_user WITH PASSWORD 'password_2';
GRANT read_only TO my_database_read_only;
Run Code Online (Sandbox Code Playgroud)
当我使用 user 连接到数据库时read_write_user
,我可以创建一个新表my_table
,但是如果我使用 user 连接read_only_user
,我无法访问它,我收到以下错误:permission denied for table my_table
。
我与用户重新连接postgres
,发现我无权向read_only
角色授予对此表的访问权限:
GRANT SELECT ON ALL TABLES IN SCHEMA my_schema TO read_only;
Run Code Online (Sandbox Code Playgroud)
导致此错误:no privileges were granted for "my_table"
。
因此,如果我理解正确,postgres
用户没有足够的权限来授予对其创建的对象的访问权限read_write_user
,并且ALTER DEFAULT PRIVILEGES
没有执行我认为会执行的操作。
在撤销/授予任何内容之前,我尝试在新数据库上添加以下查询:
GRANT ALL ON DATABASE my_database TO postgres;
GRANT ALL ON SCHEMA my_schema TO postgres;
Run Code Online (Sandbox Code Playgroud)
但这没有帮助。
我有一种感觉,这与事实有关,这rds_superuser
不是真实的superuser
,但我不知道如何继续,有办法做我想做的事情吗?
ALTER DEFAULT PRIVILEGES
只影响运行该语句的用户创建的表ALTER DEFAULT PRIVILEGES
。
你必须这样做:
ALTER DEFAULT PRIVILEGES FOR ROLE read_write IN SCHEMA my_schema
GRANT SELECT ON TABLES TO read_only;
Run Code Online (Sandbox Code Playgroud)
归档时间: |
|
查看次数: |
18864 次 |
最近记录: |