os: centos 7.4
db: postgresql 10.6
# cat /etc/centos-release
CentOS Linux release 7.4.1708 (Core)
# su - postgres -c "psql -c \"select version();\""
version
---------------------------------------------------------------------------------------------------------
PostgreSQL 10.6 on x86_64-pc-linux-gnu, compiled by gcc (GCC) 4.8.5 20150623 (Red Hat 4.8.5-28), 64-bit
(1 row)
Default roles
postgres=# select * from pg_roles;
rolname | rolsuper | rolinherit | rolcreaterole | rolcreatedb | rolcanlogin | rolreplication | rolconnlimit | rolpassword | rolvaliduntil | rolbypassrls | rolconfig | oid
----------------------+----------+------------+---------------+-------------+-------------+----------------+--------------+-------------+---------------+--------------+-----------+------
postgres | t | t | t | t | t | t | -1 | ******** | | t | | 10
pg_monitor | f | t | f | f | f | f | -1 | ******** | | f | | 3373
pg_read_all_settings | f | t | f | f | f | f | -1 | ******** | | f | | 3374
pg_read_all_stats | f | t | f | f | f | f | -1 | ******** | | f | | 3375
pg_stat_scan_tables | f | t | f | f | f | f | -1 | ******** | | f | | 3377
pg_signal_backend | f | t | f | f | f | f | -1 | ******** | | f | | 4200
(6 rows)
postgres=# \duS+
List of roles
Role name | Attributes | Member of | Description
----------------------+------------------------------------------------------------+--------------------------------------------------------------+-------------
pg_monitor | Cannot login | {pg_read_all_settings,pg_read_all_stats,pg_stat_scan_tables} |
pg_read_all_settings | Cannot login | {} |
pg_read_all_stats | Cannot login | {} |
pg_signal_backend | Cannot login | {} |
pg_stat_scan_tables | Cannot login | {} |
postgres | Superuser, Create role, Create DB, Replication, Bypass RLS | {} |
postgres=# \dgS+
List of roles
Role name | Attributes | Member of | Description
----------------------+------------------------------------------------------------+--------------------------------------------------------------+-------------
pg_monitor | Cannot login | {pg_read_all_settings,pg_read_all_stats,pg_stat_scan_tables} |
pg_read_all_settings | Cannot login | {} |
pg_read_all_stats | Cannot login | {} |
pg_signal_backend | Cannot login | {} |
pg_stat_scan_tables | Cannot login | {} |
postgres | Superuser, Create role, Create DB, Replication, Bypass RLS | {} |
postgres=#
A brief description of what each role does
The postgres role has rolcanlogin = true, so it is a user that can already log in, and it is a superuser.
The pg_signal_backend role can send signals to other backends (for example, cancel a query or terminate a session).
The following roles are new in PostgreSQL 10:
pg_monitor: read/execute various monitoring views and functions. This role is a member of pg_read_all_settings, pg_read_all_stats and pg_stat_scan_tables.
pg_read_all_settings: read all configuration variables, even those normally visible only to superusers.
pg_read_all_stats: read all pg_stat_* views and use various statistics-related extensions, even those normally visible only to superusers.
pg_stat_scan_tables: execute monitoring functions that may take ACCESS SHARE locks on tables, potentially for a long time.
The pg_monitor, pg_read_all_settings, pg_read_all_stats and pg_stat_scan_tables roles are intended to let administrators easily configure a role for monitoring the database server. They grant a common set of privileges that allow the role to read configuration settings, statistics and other system information that are normally restricted to superusers.
Grant these roles with care, making sure they are used only where the monitoring they enable is actually needed.
In other words, these roles split privileges out of the postgres (superuser) role, in line with the principle of least privilege.
Granting a default role
postgres=# create user peiyb with login password 'rootroot';
CREATE ROLE
postgres=# \du+
List of roles
Role name | Attributes | Member of | Description
-----------+------------------------------------------------------------+-----------+-------------
peiyb | | {} |
postgres | Superuser, Create role, Create DB, Replication, Bypass RLS | {} |
postgres=#
postgres=# create database peiybdb owner = peiyb;
CREATE DATABASE
postgres=# \q
$ psql -h 192.168.56.101 -U peiyb peiybdb
Password for user peiyb:
psql (10.6)
Type "help" for help.
peiybdb=>
peiybdb=> \du
List of roles
Role name | Attributes | Member of
-----------+------------------------------------------------------------+-----------
peiyb | | {}
postgres | Superuser, Create role, Create DB, Replication, Bypass RLS | {}
peiybdb=> select session_user,current_user;
session_user | current_user
--------------+--------------
peiyb | peiyb
(1 row)
peiybdb=> create table tmp_t0(c0 varchar(100),c1 varchar(100));
CREATE TABLE
peiybdb=> insert into tmp_t0(c0,c1) select id::varchar,md5(id::varchar) from generate_series(1,10000) as id;
INSERT 0 10000
peiybdb=> select * from pg_stat_user_tables;
relid | schemaname | relname | seq_scan | seq_tup_read | idx_scan | idx_tup_fetch | n_tup_ins | n_tup_upd | n_tup_del | n_tup_hot_upd | n_live_tup | n_dead_tup | n_mod_since_analyze | last_vacuum | last_autovacuum | last_analyze | last_autoanalyze | vacuum_count | autovacuum_count | analyze_count | autoanalyze_count
-------+------------+---------+----------+--------------+----------+---------------+-----------+-----------+-----------+---------------+------------+------------+---------------------+-------------+-----------------+--------------+-------------------------------+--------------+------------------+---------------+-------------------
16419 | public | tmp_t0 | 0 | 0 | | | 10000 | 0 | 0 | 0 | 10000 | 0 | 0 | | | | 2018-11-21 20:26:03.097176+08 | 0 | 0 | 0 | 1
(1 row)
peiybdb=> select * from pg_stat_bgwriter;
checkpoints_timed | checkpoints_req | checkpoint_write_time | checkpoint_sync_time | buffers_checkpoint | buffers_clean | maxwritten_clean | buffers_backend | buffers_backend_fsync | buffers_alloc | stats_reset
-------------------+-----------------+-----------------------+----------------------+--------------------+---------------+------------------+-----------------+-----------------------+---------------+-------------------------------
402 | 5 | 750889 | 1886 | 41321 | 154003 | 1169 | 762346 | 0 | 979767 | 2018-11-14 09:20:51.781414+08
(1 row)
peiybdb=> select * from pg_stat_archiver;
archived_count | last_archived_wal | last_archived_time | failed_count | last_failed_wal | last_failed_time | stats_reset
----------------+-------------------+--------------------+--------------+-----------------+------------------+-------------------------------
0 | | | 0 | | | 2018-11-14 09:20:51.781414+08
(1 row)
Looking at these statistics views, it seems that no extra privileges are needed.
peiybdb=> select * from pg_stat_activity;
datid | datname | pid | usesysid | usename | application_name | client_addr | client_hostname | client_port | backend_start | xact_start | query_start | state_change | wait_event_type | wait_event | state | backend_xid | backend_xmin | query | backend_type
-------+----------+-------+----------+----------+------------------+----------------+-----------------+-------------+-------------------------------+------------------------------+------------------------------+-------------------------------+-----------------+------------+--------+-------------+--------------+---------------------------------+----------------
| | 30486 | | | | | | | | | | | | | | | | <insufficient privilege> |
| | 30488 | 10 | postgres | | | | | | | | | | | | | | <insufficient privilege> |
16418 | peiybdb | 30534 | 16417 | peiyb | psql | 192.168.56.101 | | 32812 | 2018-11-21 20:22:45.822674+08 | 2018-11-21 20:35:09.25764+08 | 2018-11-21 20:35:09.25764+08 | 2018-11-21 20:35:09.257642+08 | | | active | | 664962 | select * from pg_stat_activity; | client backend
13806 | postgres | 31587 | 10 | postgres | psql | | | | | | | | | | | | | <insufficient privilege> |
| | 30484 | | | | | | | | | | | | | | | | <insufficient privilege> |
| | 30483 | | | | | | | | | | | | | | | | <insufficient privilege> |
| | 30485 | | | | | | | | | | | | | | | | <insufficient privilege> |
(7 rows)
Note the query column: many rows show <insufficient privilege>, and the corresponding backend_type is blank.
Now grant the pg_read_all_stats role and try again.
postgres=# grant pg_read_all_stats to peiyb;
GRANT ROLE
postgres=# \du
List of roles
Role name | Attributes | Member of
-----------+------------------------------------------------------------+---------------------
peiyb | | {pg_read_all_stats}
postgres | Superuser, Create role, Create DB, Replication, Bypass RLS | {}
peiybdb=> select * from pg_stat_activity;
datid | datname | pid | usesysid | usename | application_name | client_addr | client_hostname | client_port | backend_start | xact_start | query_start | state_change | wait_event_type | wait_event | state | backend_xid | backend_xmin | query | backend_type
-------+----------+-------+----------+----------+------------------+----------------+-----------------+-------------+-------------------------------+-------------------------------+-------------------------------+-------------------------------+-----------------+---------------------+--------+-------------+--------------+---------------------------------+---------------------
| | 30486 | | | | | | | 2018-11-21 20:22:02.827542+08 | | | | Activity | AutoVacuumMain | | | | | autovacuum launcher
| | 30488 | 10 | postgres | | | | | 2018-11-21 20:22:02.8281+08 | | | | Activity | LogicalLauncherMain | | | | | background worker
16418 | peiybdb | 30534 | 16417 | peiyb | psql | 192.168.56.101 | | 32812 | 2018-11-21 20:22:45.822674+08 | 2018-11-21 20:40:00.679449+08 | 2018-11-21 20:40:00.679449+08 | 2018-11-21 20:40:00.679451+08 | | | active | | 664963 | select * from pg_stat_activity; | client backend
13806 | postgres | 31587 | 10 | postgres | psql | | | -1 | 2018-11-21 20:39:25.112376+08 | | | 2018-11-21 20:39:25.114622+08 | Client | ClientRead | idle | | | | client backend
| | 30484 | | | | | | | 2018-11-21 20:22:02.8269+08 | | | | Activity | BgWriterHibernate | | | | | background writer
| | 30483 | | | | | | | 2018-11-21 20:22:02.826741+08 | | | | Activity | CheckpointerMain | | | | | checkpointer
| | 30485 | | | | | | | 2018-11-21 20:22:02.82711+08 | | | | Activity | WalWriterMain | | | | | walwriter
(7 rows)
Note that the query column no longer shows <insufficient privilege>, and the corresponding backend_type is now populated.
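As an added example (not part of the original post), the SQL below applies the least-privilege pattern described above: a dedicated monitoring login receives pg_monitor instead of SUPERUSER, and two audit queries show which login roles hold any of the PostgreSQL 10 default roles, directly or through inheritance. The role name monitor_ro and its password are placeholders.

```sql
-- Added example (not from the original post): least-privilege monitoring setup
-- and an audit of who holds the PostgreSQL 10 default roles.
-- The role name and password below are placeholders.

-- 1. A dedicated monitoring login that gets pg_monitor instead of SUPERUSER.
--    pg_monitor already contains pg_read_all_settings, pg_read_all_stats and
--    pg_stat_scan_tables, so those do not need to be granted separately.
CREATE ROLE monitor_ro WITH LOGIN PASSWORD 'CHANGE_ME' CONNECTION LIMIT 3;
GRANT pg_monitor TO monitor_ro;

-- 2. Verify effective membership. pg_has_role follows inherited grants, so
--    monitor_ro reports true for the three roles nested under pg_monitor
--    even though only pg_monitor was granted directly.
SELECT r.rolname,
       pg_has_role(r.oid, 'pg_monitor',           'MEMBER') AS pg_monitor,
       pg_has_role(r.oid, 'pg_read_all_settings', 'MEMBER') AS read_all_settings,
       pg_has_role(r.oid, 'pg_read_all_stats',    'MEMBER') AS read_all_stats,
       pg_has_role(r.oid, 'pg_stat_scan_tables',  'MEMBER') AS stat_scan_tables,
       pg_has_role(r.oid, 'pg_signal_backend',    'MEMBER') AS signal_backend
FROM   pg_roles r
WHERE  r.rolcanlogin
ORDER  BY r.rolname;

-- 3. Audit direct grants of the default roles. Every login that can read
--    other sessions' query text (pg_read_all_stats) or signal their backends
--    (pg_signal_backend) should appear here for a documented reason.
--    admin_option = true means the member may grant the role onward.
SELECT m.rolname   AS member,
       g.rolname   AS granted_role,
       gr.rolname  AS grantor,
       am.admin_option
FROM   pg_auth_members am
JOIN   pg_roles m       ON m.oid  = am.member
JOIN   pg_roles g       ON g.oid  = am.roleid
LEFT JOIN pg_roles gr   ON gr.oid = am.grantor
WHERE  g.rolname IN ('pg_monitor', 'pg_read_all_settings', 'pg_read_all_stats',
                     'pg_stat_scan_tables', 'pg_signal_backend')
ORDER  BY member, granted_role;

-- 4. Remove the grant when the monitoring need goes away (the inverse of the
--    post's "grant pg_read_all_stats to peiyb").
-- REVOKE pg_monitor FROM monitor_ro;
```

Run the two SELECTs as a superuser (or as any role, since pg_roles and pg_auth_members are readable by all) to review membership after each change; in the post's session, peiyb would show read_all_stats = true and all other columns false.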