PostgreSQL | database | role (user) management: the difference between granting and revoking, and between the USAGE and SELECT privileges

Foreword:

PostgreSQL is a relatively complex, heavy-duty relational database. Whether in installation and deployment or in later operation and maintenance, there are many details that require attention.

One example is the reasonable distribution of user privileges. What is a reasonable distribution? Naturally, it is the principle of least privilege: each user can complete their work within the scope of their privileges, without creating security risks through attacks, vulnerabilities or other causes.

Before writing this article, I had only been granting privileges to ordinary users casually, and that kind of management is obviously not enough. This article therefore gives a relatively complete summary of granting and revoking privileges in PostgreSQL, with an example that illustrates the difference between the USAGE privilege and the SELECT privilege.

One. What privileges can a user have?

SELECT: allows querying tables, specific columns of tables, views and sequences.
INSERT: allows inserting data into a table or view, including with COPY FROM.
UPDATE: allows updating a table, specific columns of a table, or a view.
DELETE: allows deleting rows from a table or view.
TRUNCATE: allows emptying the table.
REFERENCES: allows creating foreign key constraints on the referencing and referenced columns.
TRIGGER: allows creating triggers on a table.
CREATE: for a database, allows creating schemas in it; for a schema, allows creating database objects in it; for a tablespace, allows placing tables or indexes in that tablespace.
CONNECT: allows the user to connect to the specified database.
TEMPORARY or TEMP: allows creating temporary tables in the specified database.
EXECUTE: allows executing a function.
USAGE: for procedural languages, allows creating functions in that language; for schemas, allows looking up objects in the schema (excluding objects newly created after the grant); for sequences, allows using the currval and nextval functions; for foreign-data wrappers, allows creating foreign servers with the wrapper; for foreign servers, allows creating foreign tables.
ALL PRIVILEGES: grants all privileges that can be granted, in one statement.

In short, the create/read/update/delete privileges SELECT, UPDATE, INSERT, DELETE and USAGE belong to one category. SELECT and USAGE are very similar; at the schema level the two are basically the same. Note, however, that for objects created after the grant, such as new tables, USAGE does not allow querying them, while SELECT obviously does not have this problem.

Two. Correct read-only user authorization

1. The first kind of grant: USAGE on the schema + SELECT query privilege

First create the schema named mytest and the role named test:

test=# \c test
You are now connected to database "test" as user "postgres".
test=# create schema mytest;
CREATE SCHEMA
test=# \du
                                        List of roles
     Role name      |                         Attributes                         | Member of 
--------------------+------------------------------------------------------------+-----------
 drmc               |                                                            | {}
 pg1                | Superuser, Create role, Create DB, Replication, Bypass RLS | {}
 pms30              | Superuser, Create role, Create DB, Replication, Bypass RLS | {}
 postgres           | Superuser                                                  | {}
 postgres_exporter  |                                                            | {}
 postgres_exporter1 |                                                            | {}
 power_common       |                                                            | {}
 power_tf           |                                                            | {}
 zsk                |                                                            | {}
test=# create user test with password '123456';
CREATE ROLE

Granting:

test=# grant USAGE on SCHEMA mytest to test;
GRANT
test1=> grant SELECT on ALL tables in schema mytest to test;

The query itself will not be demonstrated, but note that there are two grants, USAGE and SELECT, and both are indispensable. In other words, there must be two commands!
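As an added example (not from the original article), the complete least-privilege read-only grant for the article's role test on schema mytest in database test, run as the table owner postgres. It goes one step beyond the two commands above: GRANT SELECT ON ALL TABLES IN SCHEMA only covers tables that exist at grant time, so ALTER DEFAULT PRIVILEGES is added for tables postgres creates in mytest later, and the two has_*_privilege checks at the end verify the result. Database, schema, role and owner names are the article's; everything else is the assumed set-up.

```sql
-- Added example, not from the original article. Run in database "test"
-- as postgres, the owner of the tables in schema mytest.

-- 1. Reach the database at all. CONNECT is granted to PUBLIC by default,
--    so this only matters once that default has been revoked.
GRANT CONNECT ON DATABASE test TO test;

-- 2. USAGE on the schema: without it the role cannot even resolve mytest.emp.
GRANT USAGE ON SCHEMA mytest TO test;

-- 3. SELECT on the tables that exist right now.
GRANT SELECT ON ALL TABLES IN SCHEMA mytest TO test;

-- 4. Tables that postgres creates in mytest later are NOT covered by step 3.
--    Default privileges close that gap for future objects created by postgres.
ALTER DEFAULT PRIVILEGES FOR ROLE postgres IN SCHEMA mytest
    GRANT SELECT ON TABLES TO test;

-- 5. Verify: both must be true, otherwise "select * from mytest.emp" fails
--    for the role test with a permission error.
SELECT has_schema_privilege('test', 'mytest', 'USAGE')     AS usage_ok,
       has_table_privilege('test', 'mytest.emp', 'SELECT') AS select_ok;

-- 6. Confirm the role is really read-only on the schema: both should be false.
SELECT has_schema_privilege('test', 'mytest', 'CREATE')    AS can_create,
       has_table_privilege('test', 'mytest.emp', 'INSERT') AS can_insert;
```

Step 4 is tied to the creating role: default privileges apply only to objects created by the role named in FOR ROLE, so if another role creates tables in mytest, a separate ALTER DEFAULT PRIVILEGES FOR ROLE that_role is needed.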

OK, the above grants the user test the ability to SELECT from the mytest schema in the test database. Next, to continue the test, the test user is deleted.

2. Forcibly deleting a user that has been granted privileges

OK, an error is reported on deletion, which is rather annoying. The error says that the database named test has 5 objects that depend on the user test, but there is still a solution:

postgres=# drop user test;
2023-08-09 01:15:34.031 CST [14975] ERROR:  role "test" cannot be dropped because some objects depend on it
2023-08-09 01:15:34.031 CST [14975] DETAIL:  5 objects in database test
2023-08-09 01:15:34.031 CST [14975] STATEMENT:  drop user test;
ERROR:  role "test" cannot be dropped because some objects depend on it
DETAIL:  5 objects in database test

Forced deletion:

Three commands are required, REASSIGN OWNED BY, DROP OWNED BY and DROP USER, and none of them can be omitted.

postgres=# \c test
You are now connected to database "test" as user "postgres".
test=# \dn
List of schemas
  Name  | Owner 
--------+-------
 mytest | test
 public | pg1
(2 rows)

test=# REASSIGN OWNED BY test TO postgres;
REASSIGN OWNED
test=# \dn
  List of schemas
  Name  |  Owner   
--------+----------
 mytest | postgres
 public | pg1
(2 rows)
test=# drop owned BY test cascade;
NOTICE:  drop cascades to 4 other objects
DETAIL:  drop cascades to table mytest.dept
drop cascades to table mytest.emp
drop cascades to table mytest.bonus
drop cascades to table mytest.salgrade
DROP OWNED

OK, query whether the user test has been deleted:

test1=# \du+
                                               List of roles
     Role name      |                         Attributes                         | Member of | Description 
--------------------+------------------------------------------------------------+-----------+-------------
 drmc               |                                                            | {}        | 
 pg1                | Superuser, Create role, Create DB, Replication, Bypass RLS | {}        | 
 pms30              | Superuser, Create role, Create DB, Replication, Bypass RLS | {}        | 
 postgres           | Superuser                                                  | {}        | 
 postgres_exporter  |                                                            | {}        | 
 postgres_exporter1 |                                                            | {}        | 
 power_common       |                                                            | {}        | 
 power_tf           |                                                            | {}        | 
 zsk                |                                                            | {}        | 

It can be seen that the user is indeed gone, which is very satisfying for those with obsessive-compulsive tendencies.

However, pay special attention to the fact that forced deletion of a user is a cascading deletion, so there is a high probability that the dependent schema and tables will be deleted as well. Therefore, this method of forcibly deleting users requires a backup in advance to prevent accidents.
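As an added example (not from the original article), the same removal carried out without a cascading drop: first list what the role owns or holds privileges on, so nothing is deleted by surprise, then reassign, revoke and drop in that order. pg_shdepend and pg_describe_object are standard catalog facilities; the database, schema and role names are the article's.

```sql
-- Added example, not from the original article. Run as a superuser.

-- 1. In which databases does role "test" still have dependencies?
--    REASSIGN OWNED and DROP OWNED act only on the current database, so
--    steps 3 and 4 must be repeated in every database listed here.
SELECT db.datname, count(*) AS dependencies
FROM pg_shdepend d
JOIN pg_roles r ON r.oid = d.refobjid
LEFT JOIN pg_database db ON db.oid = d.dbid   -- NULL datname = shared object
WHERE r.rolname = 'test'
GROUP BY db.datname;

-- 2. In the current database: exactly which objects, and how they depend.
--    deptype 'o' = the role owns the object, 'a' = the role holds privileges.
SELECT d.deptype,
       pg_describe_object(d.classid, d.objid, d.objsubid) AS object
FROM pg_shdepend d
JOIN pg_roles r ON r.oid = d.refobjid
WHERE r.rolname = 'test'
  AND d.dbid = (SELECT oid FROM pg_database WHERE datname = current_database());

-- 3. Hand owned objects (schema mytest, any tables) to a keeper role instead
--    of dropping them.
REASSIGN OWNED BY test TO postgres;

-- 4. Now the role owns nothing, so DROP OWNED only revokes its remaining
--    privileges and default privileges. No CASCADE: no table is dropped.
DROP OWNED BY test;

-- 5. The role has no dependencies left and can be removed.
DROP ROLE test;
```

If step 5 still fails, the query in step 1 shows which other database must be visited for steps 3 and 4; the article's error message ("5 objects in database test") is the same information, reported one database at a time.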

3. The second kind of grant: GRANT SELECT + schema owner

test=# create user test with password '123456';
CREATE ROLE
test=# \c
You are now connected to database "test" as user "postgres".
test=# grant SELECT on ALL tables in schema mytest to test;
GRANT
test=# set search_path to mytest ;
SET
test=# alter schema mytest owner to test;
ALTER SCHEMA

Now connected as user test:

test=> \c
You are now connected to database "test" as user "test".

test=> set search_path to mytest ;
SET
test=> \dp
                                  Access privileges
 Schema |   Name   | Type  |     Access privileges     | Column privileges | Policies 
--------+----------+-------+---------------------------+-------------------+----------
 mytest | bonus    | table | postgres=arwdDxt/postgres+|                   | 
        |          |       | test=r/postgres           |                   | 
 mytest | dept     | table | postgres=arwdDxt/postgres+|                   | 
        |          |       | test=r/postgres           |                   | 
 mytest | emp      | table | postgres=arwdDxt/postgres+|                   | 
        |          |       | test=r/postgres           |                   | 
 mytest | salgrade | table | postgres=arwdDxt/postgres+|                   | 
        |          |       | test=r/postgres           |                   | 
(4 rows)

test=> \dn
List of schemas
  Name  | Owner 
--------+-------
 mytest | test
 public | pg1
(2 rows)

test=> set search_path to mytest ;
SET
test=> select * from emp;
 empno | ename  |    job    | mgr  |  hiredate  |   sal   |  comm   | deptno 
-------+--------+-----------+------+------------+---------+---------+--------
  7369 | SMITH  | CLERK     | 7902 | 1980-12-17 |  800.00 |         |     20
  7499 | ALLEN  | SALESMAN  | 7698 | 1981-02-20 | 1600.00 |  300.00 |     30
  7521 | WARD   | SALESMAN  | 7698 | 1981-02-22 | 1250.00 |  500.00 |     30
  7566 | JONES  | MANAGER   | 7839 | 1981-04-02 | 2975.00 |         |     20
  7654 | MARTIN | SALESMAN  | 7698 | 1981-09-28 | 1250.00 | 1400.00 |     30
  7698 | BLAKE  | MANAGER   | 7839 | 1981-05-01 | 2850.00 |         |     30
  7782 | CLARK  | MANAGER   | 7839 | 1981-06-09 | 2450.00 |         |     10
  7788 | SCOTT  | ANALYST   | 7566 | 0087-04-19 | 3000.00 |         |     20
  7839 | KING   | PRESIDENT |      | 1981-11-17 | 5000.00 |         |     10
  7844 | TURNER | SALESMAN  | 7698 | 1981-09-08 | 1500.00 |    0.00 |     30
  7876 | ADAMS  | CLERK     | 7788 | 0087-05-23 | 1100.00 |         |     20
  7900 | JAMES  | CLERK     | 7698 | 1981-12-03 |  950.00 |         |     30
  7902 | FORD   | ANALYST   | 7566 | 1981-12-03 | 3000.00 |         |     20
  7934 | MILLER | CLERK     | 7782 | 1982-01-23 | 1300.00 |         |     10
(14 rows)
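The \dp output above shows test holding only "r" (SELECT) on the tables, but ownership of the schema carries privileges of its own. As an added example (not from the original article), an audit of what the owner method actually hands to the article's role test, followed by the change that restores a strictly read-only set-up. Names are the article's; the catalog views used are standard PostgreSQL.

```sql
-- Added example, not from the original article. Run in database "test".

-- 1. Owning a schema implies both USAGE and CREATE on it, so test can now
--    create and drop objects in mytest (and drop the schema itself), even
--    though its table ACL is only "r".
SELECT has_schema_privilege('test', 'mytest', 'USAGE')     AS usage_ok,    -- true
       has_schema_privilege('test', 'mytest', 'CREATE')    AS can_create,  -- true: owner
       has_table_privilege('test', 'mytest.emp', 'INSERT') AS can_insert;  -- false: tables still owned by postgres

-- 2. Audit: every user-created schema whose owner is an ordinary login role,
--    with the schema ACL (the same information \dn+ prints).
SELECT n.nspname, r.rolname AS owner, n.nspacl
FROM pg_namespace n
JOIN pg_roles r ON r.oid = n.nspowner
WHERE r.rolcanlogin
  AND NOT r.rolsuper
  AND n.nspname NOT LIKE 'pg\_%'
  AND n.nspname <> 'information_schema';

-- 3. Keep the read-only guarantee: give the schema back to the table owner
--    and grant test USAGE only (the first kind of grant from section 1).
ALTER SCHEMA mytest OWNER TO postgres;
GRANT USAGE ON SCHEMA mytest TO test;

-- 4. Re-check: can_create must now be false while the SELECT grant still holds.
SELECT has_schema_privilege('test', 'mytest', 'CREATE')    AS can_create,
       has_table_privilege('test', 'mytest.emp', 'SELECT') AS select_ok;
```

The difference between the two methods in the article is therefore not in what test can read, since both give the same SELECT on the four tables, but in what test can change: USAGE allows lookup only, whereas ownership allows creating, altering and dropping objects in the schema.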

Origin blog.csdn.net/alwaysbefine/article/details/132185076