Postgres user rights management

1. User authority management

1.1 Create user and authorize

PostgreSQL has two statements for creating roles or users, CREATE ROLE and CREATE USER. Functionally they are the same: CREATE USER is a variant of CREATE ROLE, and the only difference is that CREATE USER defaults to LOGIN while CREATE ROLE defaults to NOLOGIN.

1. Create user syntax

CREATE USER name [ [ WITH ] option [ ... ] ]

Here option can be:
    | SUPERUSER | NOSUPERUSER                           // whether the role is a "superuser"; default NOSUPERUSER
    | CREATEDB | NOCREATEDB                             // whether the role may create databases; default NOCREATEDB
    | CREATEROLE | NOCREATEROLE                         // whether the role may create new roles; default NOCREATEROLE
    | INHERIT | NOINHERIT                               // whether the role inherits the privileges of the roles it is a member of; default INHERIT
    | LOGIN | NOLOGIN                                   // whether the role may log in; default NOLOGIN for CREATE ROLE, LOGIN for CREATE USER
    | REPLICATION | NOREPLICATION                       // whether the role has replication privileges; default NOREPLICATION
    | BYPASSRLS | NOBYPASSRLS                           // whether the role bypasses row-level security policies; default NOBYPASSRLS
    | CONNECTION LIMIT connlimit                        // concurrent connection limit; default -1 means unlimited
    | [ ENCRYPTED ] PASSWORD 'password' | PASSWORD NULL // password setting
    | VALID UNTIL 'timestamp'                           // password expiry date
    | IN ROLE role_name [, ...]                         // roles the new role becomes a member of
    | IN GROUP role_name [, ...]                        // obsolete spelling of IN ROLE
    | ROLE role_name [, ...]                            // roles that become members of the new role
    | ADMIN role_name [, ...]                           // like ROLE, but the members get the admin option
    | USER role_name [, ...]                            // obsolete spelling of ROLE
    | SYSID uid                                         // accepted for compatibility and ignored

2. Some common authorization scenarios

1) Create a database account with a password; by default the account has read and write permissions

-- create the user and grant it a password
db1=# create user sansi_rw password '123';
CREATE ROLE

2) Create a read-only user

  1. Create a user named sansi_ro with password 123
-- create the read-only database account
CREATE USER sansi_ro WITH ENCRYPTED PASSWORD '123';
ALTER USER sansi_ro SET default_transaction_read_only=on;
-- grant the read-only account USAGE on the schema
GRANT USAGE ON SCHEMA public to sansi_ro;
-- connect to the target database and grant the read-only account SELECT on the tables in it
\c dbname
GRANT SELECT ON ALL TABLES IN SCHEMA public TO sansi_ro;

3) Grant some permissions other than DML permissions to existing users, such as creating DB

ALTER USER sansi_rw WITH CREATEDB;
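A worked version of the read-only scenario above, added here as an example rather than taken from the original post. It assumes a database app_db whose tables are owned by a role app_owner; those two names are assumptions. The recipe in the post only covers tables that already exist, so this version adds ALTER DEFAULT PRIVILEGES for tables created later, takes CREATE on the public schema away from PUBLIC (on releases before PostgreSQL 15 every role has it by default), and ends with a check query:

```sql
-- Added example, not from the original post. Assumed names: app_db, app_owner.
CREATE USER sansi_ro WITH ENCRYPTED PASSWORD 'change-me';   -- placeholder password
-- Session default only: the user can still run SET transaction_read_only = off,
-- so this is a convenience, not the thing that enforces read-only access.
ALTER USER sansi_ro SET default_transaction_read_only = on;

\c app_db
-- Before PostgreSQL 15 PUBLIC can create objects in public; remove that
REVOKE CREATE ON SCHEMA public FROM PUBLIC;

GRANT CONNECT ON DATABASE app_db TO sansi_ro;
GRANT USAGE ON SCHEMA public TO sansi_ro;
GRANT SELECT ON ALL TABLES IN SCHEMA public TO sansi_ro;
GRANT SELECT ON ALL SEQUENCES IN SCHEMA public TO sansi_ro;

-- Tables that app_owner creates from now on get the same SELECT grant
ALTER DEFAULT PRIVILEGES FOR ROLE app_owner IN SCHEMA public
    GRANT SELECT ON TABLES TO sansi_ro;

-- Check: sansi_ro may read but not write (replace public.orders with a real table)
SELECT has_table_privilege('sansi_ro', 'public.orders', 'SELECT') AS can_select,   -- expect t
       has_table_privilege('sansi_ro', 'public.orders', 'INSERT') AS can_insert;   -- expect f
```

The GRANT statements are what actually limit the account; default_transaction_read_only is a user-settable parameter and should be treated as a guard against accidents, not as a permission boundary.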

1.2 postgres user login verification

1. pg_hba.conf file

The pg_hba.conf file is PostgreSQL's client authentication configuration file. Whether for ordinary user logins or for primary/standby replication, a matching authentication rule must be written in this file before the database will accept the connection. Each pg_hba.conf rule has five fields: Type (connection type), Database (database name), User (user name), Address (IP address and mask), and Method (authentication method).

1) Type: Specify the allowed connection method

"local" means the connection uses a Unix-domain socket;

"host" means a TCP/IP socket, with or without SSL;

"hostssl" means the connection must use an SSL-encrypted TCP/IP socket;

"hostnossl" means a TCP/IP socket without SSL.

2) Database: Specify permission to access database information

It can be "all", "sameuser", "samerole", "replication", or the name of a business database. "all" does not include "replication": if replication connections are needed, a separate rule must be written for them. Multiple databases are separated by commas.

3) User: Specify allowed users

The database user(s) the rule applies to. It can be "all" or a specific database user; multiple users are separated by commas. The user list can also be read from an external file, referenced with the @ prefix: @$(unknown)

4) Address: Specify the allowable host IP information

The client host the rule applies to, given as a host name or as an IP address plus mask; 0.0.0.0/0 means all hosts.

5) Method: Specify the authentication strategy

The authentication method, which can be "trust", "reject", "md5", "password", "scram-sha-256", "gss", "sspi", "ident", "peer", "pam", "ldap", "radius" or "cert". "password" sends the password in plain text.

2. Reference for writing common configuration files

# TYPE  DATABASE        USER            ADDRESS                 METHOD

# "local" is for Unix domain socket connections only
local   all             postgres                                trust
local   all             all                                     md5
# IPv4 local connections:
host    all             all             127.0.0.1/32            md5
host    all             all             0.0.0.0/0               md5
# IPv6 local connections:
host    all             all             ::1/128                 md5
# Allow replication connections from localhost, by a user with the
# replication privilege.
local   replication     all                                     trust
host    replication     all             127.0.0.1/32            trust
host    replication     all             ::1/128                 trust

[local all postgres trust] Note that this record carries a certain amount of risk. When the superuser password has been forgotten, this record can be added so that you can log in to the database on the database server itself without a password and change the account password. After editing the configuration file, remember to run pg_ctl reload so the new configuration is loaded.
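Rather than reading pg_hba.conf by hand, the server's parsed view of it can be queried. The following audit is an added example, not part of the original post; it uses the pg_hba_file_rules view (available since PostgreSQL 10, readable only by superusers) with its own column names, and the set of conditions it flags is this example's choice:

```sql
-- Added example, not from the original post. Flags the pg_hba.conf rules a
-- reviewer looks at first: malformed lines, "trust" (no authentication),
-- "password" (clear text on the wire) and md5 over plain TCP open to every address.
SELECT line_number, type, database, user_name, address, netmask, auth_method, error
FROM   pg_hba_file_rules
WHERE  error IS NOT NULL                            -- parse error: the line never takes effect
   OR  auth_method = 'trust'
   OR  auth_method = 'password'
   OR (type = 'host' AND auth_method = 'md5'
       AND address = '0.0.0.0' AND netmask = '0.0.0.0')   -- 0.0.0.0/0 from the sample file
ORDER BY line_number;

-- Rules are matched top-down and the first matching line decides the method,
-- so review the full order as well, not only the flagged lines.
SELECT line_number, type, database, user_name, address, auth_method
FROM   pg_hba_file_rules
ORDER BY line_number;

-- After editing pg_hba.conf, reload it without a restart (same effect as pg_ctl reload);
-- if the new file has an error the old rules stay active and the error column shows why.
SELECT pg_reload_conf();
```

Run against the sample file above, the first query returns the [local all postgres trust] line, the three replication trust lines, and the 0.0.0.0/0 md5 line. For the last of these, changing the type to hostssl and the method to scram-sha-256 (both listed in this section) keeps the access but removes the clear-TCP md5 exposure.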

Origin blog.csdn.net/weixin_37692493/article/details/115017547