创建读写用户和只读用户

Mx *_*ter 7 postgresql permissions amazon-rds

我正在尝试对 RDS 实例上的 PostgreSQL 数据库进行我认为常见的设置。我希望有:

  • 无论是在public架构上,还是在自定义架构上,我都不太关心
  • 读写用户
  • 只读用户
  • 读写用户应该能够在架构中创建表
  • 只读用户应该能够自动从这个新表中读取数据,即无需额外的操作GRANT

我尝试关注此AWS 博客文章此答案,但似乎遇到了困难。

我已尝试以下操作但无济于事,postgres用户是由 RDS 创建的具有角色的用户rds_superuser

-- Making sure roles can't do anything on the database without explicit grant
REVOKE CREATE ON SCHEMA public FROM PUBLIC;
REVOKE ALL ON DATABASE my_database FROM PUBLIC;
CREATE SCHEMA my_schema;

-- Read-write
CREATE ROLE read_write;

GRANT CONNECT ON DATABASE my_database TO read_write;
GRANT USAGE, CREATE ON SCHEMA my_schema TO read_write;

GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA my_schema TO read_write;
ALTER DEFAULT PRIVILEGES IN SCHEMA my_schema GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO read_write;

GRANT USAGE ON ALL SEQUENCES IN SCHEMA my_schema TO read_write;
ALTER DEFAULT PRIVILEGES IN SCHEMA my_schema GRANT USAGE ON SEQUENCES TO read_write;

-- Read-only
CREATE ROLE read_only;

GRANT CONNECT ON DATABASE my_database TO read_only;
GRANT USAGE ON SCHEMA my_schema TO read_only;

GRANT SELECT ON ALL TABLES IN SCHEMA my_schema TO read_only;
ALTER DEFAULT PRIVILEGES IN SCHEMA my_schema GRANT SELECT ON TABLES TO read_only;

-- Users
CREATE USER read_write_user WITH PASSWORD 'password_1';
GRANT read_write TO my_database;

CREATE USER read_only_user WITH PASSWORD 'password_2';
GRANT read_only TO my_database_read_only;
Run Code Online (Sandbox Code Playgroud)

当我使用 user 连接到数据库时read_write_user,我可以创建一个新表my_table,但是如果我使用 user 连接read_only_user,我无法访问它,我收到以下错误:permission denied for table my_table

我与用户重新连接postgres,发现我无权向read_only角色授予对此表的访问权限:

GRANT SELECT ON ALL TABLES IN SCHEMA my_schema TO read_only;
Run Code Online (Sandbox Code Playgroud)

导致此错误:no privileges were granted for "my_table"

因此,如果我理解正确,postgres用户没有足够的权限来授予对其创建的对象的访问权限read_write_user,并且ALTER DEFAULT PRIVILEGES没有执行我认为会执行的操作。

在撤销/授予任何内容之前,我尝试在新数据库上添加以下查询:

GRANT ALL ON DATABASE my_database TO postgres;
GRANT ALL ON SCHEMA my_schema TO postgres;
Run Code Online (Sandbox Code Playgroud)

但这没有帮助。

我有一种感觉,这与事实有关,这rds_superuser不是真实的superuser,但我不知道如何继续,有办法做我想做的事情吗?

Lau*_*lbe 4

ALTER DEFAULT PRIVILEGES只影响运行该语句的用户创建的表ALTER DEFAULT PRIVILEGES

你必须这样做:

ALTER DEFAULT PRIVILEGES FOR ROLE read_write IN SCHEMA my_schema
   GRANT SELECT ON TABLES TO read_only;
Run Code Online (Sandbox Code Playgroud)