我已经在 Postgres CLI 上运行了这些语句(我使用的是 PostgreSQL v13.1):
-- Create the application role. CREATE ROLE defaults to NOLOGIN, so blog_user cannot
-- connect on its own until it is altered with LOGIN (or used only via SET ROLE / membership).
CREATE ROLE blog_user;
-- Role membership, not an object privilege: this makes the current user a member of
-- blog_user. Membership shows up in \du under "Member of", never in the object-grant
-- listings further down, which only report privileges on tables, functions, types, etc.
GRANT blog_user TO current_user;
我创建了一个函数
-- SIGNUP(username, email, password): creates an account and returns a jwt_token.
-- The body is elided in the original post ("...."). jwt_token is presumably a composite
-- type created elsewhere — it must exist before this CREATE FUNCTION runs.
-- Unquoted SIGNUP folds to lower case, so the object is actually named signup.
CREATE FUNCTION SIGNUP(username TEXT, email TEXT, password TEXT)
RETURNS jwt_token AS
$$
DECLARE
token_information jwt_token;
BEGIN
....
END;
$$ LANGUAGE PLPGSQL VOLATILE SECURITY DEFINER;
-- SECURITY DEFINER: the body executes with the privileges of the function's owner, not the
-- caller's. Two things the PostgreSQL docs recommend for such functions, neither shown here:
--   * pin the search path in the definition (a SET search_path = ... clause, with pg_temp last)
--     so unqualified names in the body cannot resolve to objects a caller created;
--   * EXECUTE on a new function is granted to PUBLIC by default, so any role can call it
--     until that default is revoked — see the GRANT/REVOKE statements below.
最后我授予了权限:
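-- A new function is executable by PUBLIC by default, so the GRANT alone restricts nothing:
-- every role could already call this SECURITY DEFINER function. Revoke the default first
-- (REVOKE is idempotent, harmless if it was already revoked via ALTER DEFAULT PRIVILEGES),
-- then grant EXECUTE only to the role that is meant to call it.
REVOKE EXECUTE ON FUNCTION SIGNUP(username TEXT, email TEXT, password TEXT) FROM PUBLIC;
GRANT EXECUTE ON FUNCTION SIGNUP(username TEXT, email TEXT, password TEXT) TO anonymous;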
我希望列出我的架构/数据库中每个用户/角色的所有授权。`\du` 和 `\du+` 只显示基本信息，其中不包含最近授予的权限（函数的 EXECUTE 权限）。
虽然以下并非完整的解决方案（不包括列权限，也不显示函数签名），但应该能够得到您所需要的大部分内容：
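-- Object-level grants visible through information_schema, one UNION branch per object
-- kind: usage objects, tables/views, routines, user-defined types. Known gaps: column
-- grants (information_schema.role_column_grants) are not included, and routine_name
-- alone carries no argument list, so overloads of one name print identically.
-- Note: the role_*_grants views only report grants where the grantor or the grantee is
-- a role the current session is a member of; run this as a superuser or as the object
-- owner to see every grant.
SELECT rug.grantor,
       rug.grantee,
       rug.object_catalog,
       rug.object_schema,
       rug.object_name,
       rug.object_type,
       rug.privilege_type,
       rug.is_grantable,
       null::text AS with_hierarchy
FROM information_schema.role_usage_grants rug
WHERE rug.object_schema NOT IN ( 'pg_catalog', 'information_schema' )
  AND rug.grantor <> rug.grantee
UNION
SELECT rtg.grantor,
       rtg.grantee,
       rtg.table_catalog,
       rtg.table_schema,
       rtg.table_name,
       tab.table_type,
       rtg.privilege_type,
       rtg.is_grantable,
       rtg.with_hierarchy
FROM information_schema.role_table_grants rtg
LEFT JOIN information_schema.tables tab
  ON ( tab.table_catalog = rtg.table_catalog
       AND tab.table_schema = rtg.table_schema
       AND tab.table_name = rtg.table_name )
WHERE rtg.table_schema NOT IN ( 'pg_catalog', 'information_schema' )
  AND rtg.grantor <> rtg.grantee
UNION
SELECT rrg.grantor,
       rrg.grantee,
       rrg.routine_catalog,
       rrg.routine_schema,
       rrg.routine_name,
       fcn.routine_type,
       rrg.privilege_type,
       rrg.is_grantable,
       null::text AS with_hierarchy
FROM information_schema.role_routine_grants rrg
-- Join on the specific_* columns, which are unique per overload. Joining on routine_name
-- pairs every overload of a name with every other overload's routine_type.
LEFT JOIN information_schema.routines fcn
  ON ( fcn.specific_catalog = rrg.specific_catalog
       AND fcn.specific_schema = rrg.specific_schema
       AND fcn.specific_name = rrg.specific_name )
WHERE rrg.specific_schema NOT IN ( 'pg_catalog', 'information_schema' )
  AND rrg.grantor <> rrg.grantee
UNION
SELECT rudg.grantor,
       rudg.grantee,
       rudg.udt_catalog,
       rudg.udt_schema,
       rudg.udt_name,
       ''::text AS udt_type,   -- role_udt_grants has no column describing the type kind
       rudg.privilege_type,
       rudg.is_grantable,
       null::text AS with_hierarchy
FROM information_schema.role_udt_grants rudg
WHERE rudg.udt_schema NOT IN ( 'pg_catalog', 'information_schema' )
  AND substr ( rudg.udt_schema, 1, 3 ) <> 'pg_'   -- other pg_* schemas, e.g. pg_temp_N
  AND rudg.grantor <> rudg.grantee ;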
2023 年 1 月 26 日更新：添加了使用 pg_catalog 系统表而不是 information_schema 视图的新查询。该查询还包含列授权以及函数/过程的签名。
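-- Object privileges read directly from pg_catalog: covers schemas, relations, columns,
-- routines (with their signatures), user-defined types, foreign data wrappers and servers.
-- Implicit privileges are included: where an object's ACL column is NULL, acldefault()
-- synthesises the default ACL for that object kind, so the owner's privileges and the
-- built-in PUBLIC grants (EXECUTE on functions, USAGE on types, ...) appear as rows.
-- The final WHERE drops the owner's self-grant rows (grantor = grantee).
WITH rol AS ( -- Roles, plus the pseudo-role PUBLIC, which ACL entries encode as oid 0
    -- pg_roles rather than pg_authid: same oid and rolname, but readable without
    -- superuser rights and it never carries password hashes
    SELECT r.oid,
           r.rolname::text AS role_name
    FROM pg_catalog.pg_roles r
    UNION ALL
    SELECT 0::oid AS oid,
           'public'::text AS role_name
),
schemas AS ( -- User schemas; pg_* and information_schema are excluded
    SELECT n.oid AS schema_oid,
           n.nspname::text AS schema_name,
           n.nspowner AS owner_oid,
           'schema'::text AS object_type,
           coalesce ( n.nspacl, acldefault ( 'n'::"char", n.nspowner ) ) AS acl
    FROM pg_catalog.pg_namespace n
    WHERE n.nspname !~ '^pg_'
      AND n.nspname <> 'information_schema'
),
classes AS ( -- Tables, views, materialized views, sequences, foreign and partitioned tables
    SELECT schemas.schema_oid,
           schemas.schema_name AS object_schema,
           c.oid,
           c.relname::text AS object_name,
           c.relowner AS owner_oid,
           CASE c.relkind
               WHEN 'r' THEN 'table'
               WHEN 'v' THEN 'view'
               WHEN 'm' THEN 'materialized view'
               WHEN 'S' THEN 'sequence'
               WHEN 'f' THEN 'foreign table'
               WHEN 'p' THEN 'partitioned table'
               ELSE c.relkind::text
           END AS object_type,
           -- sequences have their own default ACL kind ('s'); the rest are relations ('r')
           CASE
               WHEN c.relkind = 'S' THEN coalesce ( c.relacl, acldefault ( 's'::"char", c.relowner ) )
               ELSE coalesce ( c.relacl, acldefault ( 'r'::"char", c.relowner ) )
           END AS acl
    FROM pg_catalog.pg_class c
    JOIN schemas
      ON ( schemas.schema_oid = c.relnamespace )
    WHERE c.relkind IN ( 'r', 'v', 'm', 'S', 'f', 'p' )
),
cols AS ( -- Columns of the relations above; object_name is "relation.column"
    SELECT c.object_schema,
           null::integer AS oid,
           c.object_name || '.' || a.attname::text AS object_name,
           'column'::text AS object_type,
           c.owner_oid,
           coalesce ( a.attacl, acldefault ( 'c'::"char", c.owner_oid ) ) AS acl
    FROM pg_catalog.pg_attribute a
    JOIN classes c
      ON ( a.attrelid = c.oid )
    WHERE a.attnum > 0          -- skip system columns (ctid, xmin, ...)
      AND NOT a.attisdropped
),
procs AS ( -- Functions, procedures, aggregates and window functions, with their argument list
    SELECT schemas.schema_oid,
           schemas.schema_name AS object_schema,
           p.oid,
           p.proname::text AS object_name,
           p.proowner AS owner_oid,
           CASE p.prokind
               WHEN 'a' THEN 'aggregate'
               WHEN 'w' THEN 'window'
               WHEN 'p' THEN 'procedure'
               ELSE 'function'
           END AS object_type,
           -- the argument list is what tells overloads of the same proname apart
           pg_catalog.pg_get_function_arguments ( p.oid ) AS calling_arguments,
           coalesce ( p.proacl, acldefault ( 'f'::"char", p.proowner ) ) AS acl
    FROM pg_catalog.pg_proc p
    JOIN schemas
      ON ( schemas.schema_oid = p.pronamespace )
),
udts AS ( -- User-defined types: stand-alone types and composite types, excluding table
          -- row types and the implicit array type of every type
    SELECT schemas.schema_oid,
           schemas.schema_name AS object_schema,
           t.oid,
           t.typname::text AS object_name,
           t.typowner AS owner_oid,
           CASE t.typtype
               WHEN 'b' THEN 'base type'
               WHEN 'c' THEN 'composite type'
               WHEN 'd' THEN 'domain'
               WHEN 'e' THEN 'enum type'
               WHEN 'p' THEN 'pseudo-type'   -- pg_type.typtype uses 'p', not 't', for pseudo-types
               WHEN 'r' THEN 'range type'
               WHEN 'm' THEN 'multirange'
               ELSE t.typtype::text
           END AS object_type,
           coalesce ( t.typacl, acldefault ( 'T'::"char", t.typowner ) ) AS acl
    FROM pg_catalog.pg_type t
    JOIN schemas
      ON ( schemas.schema_oid = t.typnamespace )
    WHERE ( t.typrelid = 0
            OR EXISTS ( SELECT 1
                        FROM pg_catalog.pg_class c
                        WHERE c.oid = t.typrelid
                          AND c.relkind = 'c' ) )
      AND NOT EXISTS ( SELECT 1
                       FROM pg_catalog.pg_type el
                       WHERE el.oid = t.typelem
                         AND el.typarray = t.oid )
),
fdws AS ( -- Foreign data wrappers (not schema-scoped)
    SELECT null::oid AS schema_oid,
           null::text AS object_schema,
           w.oid,
           w.fdwname::text AS object_name,
           'foreign data wrapper'::text AS object_type,
           w.fdwowner AS owner_oid,
           coalesce ( w.fdwacl, acldefault ( 'F'::"char", w.fdwowner ) ) AS acl
    FROM pg_catalog.pg_foreign_data_wrapper w
),
fsrvs AS ( -- Foreign servers (not schema-scoped)
    SELECT null::oid AS schema_oid,
           null::text AS object_schema,
           s.oid,
           s.srvname::text AS object_name,
           'foreign server'::text AS object_type,
           s.srvowner AS owner_oid,
           coalesce ( s.srvacl, acldefault ( 'S'::"char", s.srvowner ) ) AS acl
    FROM pg_catalog.pg_foreign_server s
),
all_objects AS ( -- One row per object. UNION ALL is safe here: every source is keyed by a
                 -- catalog unique constraint and each carries its own object_type values,
                 -- so no row can appear twice.
    SELECT schema_name AS object_schema,
           object_type,
           schema_name AS object_name,
           null::text AS calling_arguments,
           owner_oid,
           acl
    FROM schemas
    UNION ALL
    SELECT object_schema,
           object_type,
           object_name,
           null::text AS calling_arguments,
           owner_oid,
           acl
    FROM classes
    UNION ALL
    SELECT object_schema,
           object_type,
           object_name,
           null::text AS calling_arguments,
           owner_oid,
           acl
    FROM cols
    UNION ALL
    SELECT object_schema,
           object_type,
           object_name,
           calling_arguments,
           owner_oid,
           acl
    FROM procs
    UNION ALL
    SELECT object_schema,
           object_type,
           object_name,
           null::text AS calling_arguments,
           owner_oid,
           acl
    FROM udts
    UNION ALL
    SELECT object_schema,
           object_type,
           object_name,
           null::text AS calling_arguments,
           owner_oid,
           acl
    FROM fdws
    UNION ALL
    SELECT object_schema,
           object_type,
           object_name,
           null::text AS calling_arguments,
           owner_oid,
           acl
    FROM fsrvs
),
acl_base AS ( -- One row per ACL entry. LATERAL expands the aclitem[] once per object
              -- instead of calling aclexplode() four times in the select list.
    SELECT o.object_schema,
           o.object_type,
           o.object_name,
           o.calling_arguments,
           o.owner_oid,
           ace.grantor AS grantor_oid,
           ace.grantee AS grantee_oid,
           ace.privilege_type,
           ace.is_grantable
    FROM all_objects o
    CROSS JOIN LATERAL pg_catalog.aclexplode ( o.acl ) AS ace
)
SELECT acl_base.object_schema,
       acl_base.object_type,
       acl_base.object_name,
       acl_base.calling_arguments,
       owner.role_name AS object_owner,
       grantor.role_name AS grantor,
       grantee.role_name AS grantee,
       acl_base.privilege_type,
       acl_base.is_grantable
FROM acl_base
JOIN rol owner
  ON ( owner.oid = acl_base.owner_oid )
JOIN rol grantor
  ON ( grantor.oid = acl_base.grantor_oid )
JOIN rol grantee
  ON ( grantee.oid = acl_base.grantee_oid )
-- drop the owner's implicit self-grant rows; what remains is what other roles
-- (including PUBLIC) hold, whether granted explicitly or by default
WHERE acl_base.grantor_oid <> acl_base.grantee_oid ;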