How messy POSTGRESQL users are: comments from DBAs of other databases, and SCHEMA

Recently, some students have asked what is going on with POSTGRESQL users and why they are so messy. It was MYSQL DBAs who said this. Yes, if you worked with MYSQL before, POSTGRESQL will feel a bit weird once you use it, and if you worked with ORACLE, SQL SERVER or other databases before, it will feel a bit weird too. So let's talk about POSTGRESQL accounts and users.

Let's use this diagram to first understand conceptually what a POSTGRESQL account is. First of all, users and roles in POSTGRESQL can be considered one concept. The difference between them is that a role has no password and cannot log in, which is roughly what the diagram means.

If a POSTGRESQL role is given the login permission and assigned a password, then this role can be considered a user. Conversely, if we do not give the account login permission but treat it as a collection of permissions, and use this "user" to hand permissions to other users, then this "user" is a ROLE.

With that concept covered, let's talk about the schema. If you have used SQL SERVER, you can probably understand quickly what a POSTGRESQL schema means; if you are a senior MYSQL or ORACLE DBA, it may need a little more explanation.

1 ORACLE itself does not have the concept of a database. It divides tables by SCHEMA: this pile of tables belongs to one SCHEMA and that pile of tables belongs to another SCHEMA.

2 MYSQL does not have the concept of SCHEMA, but multiple databases can be mounted under one INSTANCE.

ORACLE's SCHEMA + MYSQL's DATABASE = the relationship between user, SCHEMA and DATABASE in SQL SERVER and POSTGRESQL.

The above figure explains the relationship between DATABASE, SCHEMA and USER perfectly: each is bound up with the others.

With that covered, there is another problem that distresses beginners: after you create a ROLE that can log in and create a new database, that user can connect and perform any operation, including creating tables. Let's see what is going on here; administrators who have used other databases generally may not understand this.

What we want to emphasize is that a newly created user will definitely have permissions on PUBLIC in every database. From a database point of view, a SQL SERVER administrator may not be able to figure this out, but it can be understood by thinking of how PUBLIC permissions work on a WINDOWS folder.

So the first thing we need to do when creating a user is this:

Remove all permissions under PUBLIC of the database by executing the following statement in the database concerned, so that the newly created user loses all permissions on the public schema of that database.

revoke all on schema public from public;

In this way, newly created users can no longer create arbitrary objects in the PUBLIC SCHEMA when they log in to a database.

With that solved, ORACLE DBAs still do not understand the relationship between schema and user in POSTGRESQL.

First of all, can we delete the public schema?

We can see that public can be deleted, and that creating a table then fails. Next we create a schema to see what happens.

So what to do? We can change the order in which POSTGRESQL searches SCHEMAs.

show search_path;

We use search_path to adjust it.

No error is reported when the table is created; following the search order, own, as the first SCHEMA of the current database, is the default.

This approach addresses some security issues of the user's default state, in which everything created goes into PUBLIC by default.
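
The steps above put together as one script, from role creation to search_path. This is an added example, not from the original post; the names app_db, app_rw, app_user and app and the password are hypothetical placeholders, and the script assumes it is run by a superuser connected to app_db.

```sql
-- Added example. app_db, app_rw, app_user, app are hypothetical names.
-- Run as a superuser while connected to app_db.

-- A role without LOGIN is only a bundle of privileges (the "ROLE" above).
CREATE ROLE app_rw NOLOGIN;

-- A role with LOGIN and a password is what the article calls a user.
CREATE ROLE app_user LOGIN PASSWORD 'change-me';  -- placeholder password
GRANT app_rw TO app_user;

-- Every role is implicitly a member of PUBLIC, so whatever PUBLIC holds,
-- a freshly created login role holds too. Remove it.
-- (PostgreSQL 15 and later no longer grant CREATE on schema public to
-- PUBLIC in new databases; the statement is harmless there.)
REVOKE ALL ON SCHEMA public FROM PUBLIC;

-- PUBLIC also gets CONNECT and TEMPORARY on each database by default.
REVOKE ALL ON DATABASE app_db FROM PUBLIC;
GRANT CONNECT ON DATABASE app_db TO app_rw;

-- Give the application its own schema and grant on it through the
-- group role rather than to each login role.
CREATE SCHEMA app;
GRANT USAGE, CREATE ON SCHEMA app TO app_rw;

-- Unqualified object names are resolved through search_path, so point
-- this user at the dedicated schema instead of public.
ALTER ROLE app_user IN DATABASE app_db SET search_path = app;

-- Check the effective privileges of the login role, including those
-- inherited from app_rw and from PUBLIC.
SELECT has_schema_privilege('app_user', 'public', 'CREATE') AS public_create,
       has_schema_privilege('app_user', 'public', 'USAGE')  AS public_usage,
       has_schema_privilege('app_user', 'app', 'CREATE')    AS app_create,
       has_database_privilege('app_user', 'app_db', 'CONNECT') AS can_connect;

-- In a new session as app_user, confirm the setting took effect.
SHOW search_path;
```

The ALTER ROLE setting applies to sessions opened after it is issued, so reconnect as app_user before running SHOW search_path.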

In fact, this is the same idea as the default SCHEMA in SQL SERVER, which is DBO. The main tables of each database are created in the DBO SCHEMA so that permissions can be managed uniformly. There is nothing wrong with this, but for an ORACLE DBA it is not easy to understand.

Therefore, ORACLE and MYSQL DBAs may feel confused by POSTGRESQL's permission management and its authorization under the SCHEMA model.


Origin blog.csdn.net/liuhuayang/article/details/109665046