Detailed explanation of GaussDB database permission commands: GRANT and REVOKE

This article is shared from the Huawei Cloud Community post "GRANT & REVOKE of GaussDB Database", author: Gauss Squirrel Club Assistant 2.

1. Overview of GaussDB permissions

In the database, the creator of an object becomes its owner and may query, modify and delete it; system administrators hold the same permissions as owners. For any other user to use the object, the necessary permissions must be granted to that user, or to a role that contains the user.

GaussDB database object permissions:

  Object      Permission                       Description
  DATABASE    CONNECT                          Allows the user to connect to the specified database.
              CREATE                           Allows new schemas to be created in the database.
  SCHEMA      CREATE                           Allows new objects to be created in the schema.
              USAGE                            Allows access to the objects contained in the schema. Without it, only the names of those objects are visible.
  FUNCTION    EXECUTE                          Allows the function to be called, including operators implemented with it.
  TABLESPACE  CREATE                           Allows tables to be created in the tablespace, and the tablespace to be named as the default tablespace when creating databases and schemas.
  TABLE       INSERT, DELETE, UPDATE, SELECT   Allow rows of the specified table to be added, deleted, modified and queried.
              TRUNCATE                         Allows TRUNCATE to remove all rows of the specified table.
              REFERENCES                       Required on both the referencing table and the referenced table in order to create a foreign key constraint.

To revoke permissions that have been granted, use REVOKE .

The owner-only permissions on an object (ALTER, DROP, COMMENT, INDEX, VACUUM, GRANT and REVOKE) are held implicitly: whoever owns the object can perform these operations without any grant, and they cannot be granted away. Owners can, however, revoke their own ordinary permissions (such as SELECT) on the object.

System tables and system views are visible either to system administrators only or to all users. Those that require system administrator permissions are marked as such and can be queried only by system administrators.

The database provides an object isolation feature. When it is enabled, users can see only the objects (tables, views, columns, functions) they have permission to access; system administrators are not affected.

It is not recommended that users modify permissions on system tables and system views.

2. GaussDB permission design suggestions

Before the business goes live, the system administrator (the initial user) must create the database, the schema (SCHEMA) and the users (USER); the relevant users must then be granted the permissions they need. A user who does not own a schema needs both USAGE on the schema and the object-level permission on each object inside it in order to access those objects.

Use lowercase for DATABASE, SCHEMA and USER names. Unquoted identifiers are folded to lowercase when the object is created, whereas the name in a connection string is taken literally, so an uppercase database name in the connection string does not match and the connection fails.

When granting permissions to roles and users, follow the principle of least privilege.

Prefer managing permissions through roles: attach permissions to roles and assign roles to users. The reasons:

  • Roles and users have a many-to-many relationship. One role can be assigned to many users, and when the role's permissions change, every user holding that role is updated at the same time.
  • Dropping a user does not affect the role.
  • A newly created user obtains the required permissions quickly by being assigned the role.

Before dropping a database, revoke the users' CONNECT permission on it so that no new sessions can be opened; DROP DATABASE fails while any session is still connected.
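The following script walks through the design suggestions above end to end: roles carry permissions, users receive roles, schema USAGE is granted explicitly, sensitive columns are withheld with a column-level grant, and CONNECT is revoked before the database is dropped. It is an added example, not code from the original article or from GaussDB's documentation. The names app_db, app, app_reader, app_writer, report_user, report_user2 and order_service, the passwords, and the customers table are all constructed for illustration, and it is assumed to run as the system administrator.

```sql
-- Added example, not taken from the original article. Run as the system
-- administrator (initial user). All object names, passwords and the
-- customers table are constructed for illustration.

CREATE DATABASE app_db;
-- Switch the session to app_db before continuing (in gsql: \c app_db).

CREATE SCHEMA app;

-- Roles hold the permissions; users only receive roles. The roles never log in,
-- so they are created without a usable password.
CREATE ROLE app_reader NOLOGIN PASSWORD DISABLE;
CREATE ROLE app_writer NOLOGIN PASSWORD DISABLE;

-- Without USAGE on the schema a grantee can see object names but not use them.
GRANT USAGE ON SCHEMA app TO app_reader, app_writer;

CREATE TABLE app.customers (
    id      integer PRIMARY KEY,
    name    text,
    email   text,
    card_no text      -- sensitive: must stay out of reach of reporting accounts
);

-- Least privilege: reporting accounts may read only the non-sensitive columns;
-- the service account may change rows but cannot TRUNCATE, ALTER or DROP.
GRANT SELECT (id, name, email) ON app.customers TO app_reader;
GRANT SELECT, INSERT, UPDATE, DELETE ON app.customers TO app_writer;

-- Users are granted roles, never object permissions directly.
CREATE USER report_user   PASSWORD 'Strong_Pass@01';
CREATE USER order_service PASSWORD 'Strong_Pass@02';
GRANT app_reader TO report_user;
GRANT app_writer TO order_service;

-- Dropping a user leaves the role and its grants untouched, and a replacement
-- user is fully provisioned by a single GRANT.
DROP USER report_user;
CREATE USER report_user2 PASSWORD 'Strong_Pass@03';
GRANT app_reader TO report_user2;

-- Tightening the role later updates every user that holds it at once.
REVOKE UPDATE, DELETE ON app.customers FROM app_writer;

-- Before dropping the database, revoke CONNECT so no new sessions can start;
-- DROP DATABASE still fails while any existing session remains connected.
REVOKE CONNECT ON DATABASE app_db FROM PUBLIC;
```

The column list in the first GRANT is the practical form of least privilege for read-only consumers: report_user2 can query id, name and email but a `SELECT *` or any reference to card_no is rejected, without needing a view or a second copy of the table.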

3. GRANT command of GaussDB

1. Function description

1) Grant system permissions to roles or users

System permissions are also called user attributes, including SYSADMIN, CREATEDB, CREATEROLE, AUDITADMIN, MONADMIN, OPRADMIN, POLADMIN, INHERIT, REPLICATION, VCADMIN and LOGIN, etc.

System permissions are normally set through the CREATE ROLE / ALTER ROLE syntax. SYSADMIN alone can also be granted or revoked with GRANT ALL PRIVILEGES TO role_name / REVOKE ALL PRIVILEGES FROM role_name. System permissions are not inherited through role membership (ROLE or USER), and they cannot be granted to PUBLIC.

2) Authorize database objects to roles or users

Grant permissions on database objects (tables and views, individual columns, databases, functions, schemas, tablespaces, etc.) to specific roles or users.

The GRANT command grants specific permissions on a database object to one or more roles. The new permissions are added to those already held.

The keyword PUBLIC means the permission is granted to all roles, including users created later. PUBLIC can be thought of as an implicitly defined group that always contains every role. Any role or user therefore holds the permissions granted to it directly, the permissions of the roles it belongs to, and the permissions granted to PUBLIC.

If WITH GRANT OPTION is declared, the grantee may in turn grant the permission to others. This option cannot be given to PUBLIC (GaussDB-specific attribute).

GaussDB grants permissions on certain kinds of objects to PUBLIC by default. No permissions on tables, table columns, sequences, foreign data wrappers, foreign servers, schemas or tablespaces are granted to PUBLIC, but the following are: CONNECT and TEMP (create temporary tables) on databases, EXECUTE on functions, and USAGE on languages and data types (including domains). The object owner can revoke these default permissions from PUBLIC and grant them specifically to other users. For greater security, create the object and set its permissions in the same transaction, so that other users never have a time window in which they can use the object.

The owner of an object holds all permissions on it by default and, for security reasons, may give up some of them. ALTER, DROP, COMMENT, INDEX, VACUUM and the right to regrant the object's permissions are inherent to the owner and are held implicitly.

3) Authorize role or user permissions to other roles or users

Grant the permissions of one role or user to one or more other roles or users. In this case, each role or user can be considered a collection of one or more database permissions.

If WITH ADMIN OPTION is declared, the grantee can in turn grant the role or user to other roles or users, and can revoke the permissions they inherited from it. When a granted role or user is altered, or the grant is revoked, the permissions of everyone who inherits from it change accordingly.

Database system administrators can grant or revoke any permission to or from any role or user. A role with the CREATEROLE attribute can grant or revoke permissions for any role that is not a system administrator.

4) Grant ANY permissions to roles or users

Grant ANY permissions to specific roles and users. When WITH ADMIN OPTION is declared, the grantee can in turn grant the ANY permission to other roles or users, or revoke it from them. ANY permissions can be inherited through roles but cannot be granted to PUBLIC. The initial user, and the system administrator when separation of rights is disabled, can grant or revoke ANY permissions to or from any role or user.

The following ANY permissions are currently supported:

  • CREATE ANY TABLE
  • CREATE ANY SEQUENCE
  • ALTER ANY TABLE
  • CREATE ANY INDEX
  • DROP ANY TABLE
  • CREATE ANY FUNCTION
  • SELECT ANY TABLE
  • EXECUTE ANY FUNCTION
  • INSERT ANY TABLE
  • CREATE ANY PACKAGE
  • UPDATE ANY TABLE
  • EXECUTE ANY PACKAGE
  • DELETE ANY TABLE
  • CREATE ANY TYPE

2. Precautions

1) ANY permissions can neither be granted to PUBLIC nor revoked from PUBLIC.

2) An ANY permission is a database-level permission and applies only to objects in the database in which it was granted. For example, SELECT ANY TABLE lets a user read every user table in the current database, but gives no access to user tables in other databases.

3) Even with an ANY permission, a user cannot perform access operations (INSERT, DELETE, UPDATE, SELECT) on objects that belong to private users.

4) ANY permissions do not affect permissions granted in the ordinary way.

5) If a user holding CREATE ANY TABLE creates a table in a schema that belongs to another user (the schema with that user's name), the table is owned by the schema's owner, not by the creator. To perform further operations on the table, the creating user must still be granted the corresponding permissions.

6) Grant CREATE ANY FUNCTION with care, so that other users cannot use SECURITY DEFINER functions to escalate their privileges.
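The defensive side of the SECURITY DEFINER caveat above, combined with the earlier advice to create an object and set its permissions in one transaction: a function that runs with its owner's permissions is created, its search path is pinned, the default EXECUTE granted to PUBLIC is withdrawn, and EXECUTE is given only to the role that needs it, all before COMMIT. This is an added example, not code from the original article or from GaussDB. It assumes an app schema, an app.customers table with a card_no column and an app_reader role exist; the function name app.mask_card is constructed for illustration.

```sql
-- Added example, not taken from the original article. Assumes the app schema,
-- the app.customers table (with a card_no column) and the app_reader role
-- exist; the function name app.mask_card is constructed for illustration.

BEGIN;

-- A SECURITY DEFINER function runs with its owner's permissions, so a caller
-- obtains exactly what the body does and nothing else: app_reader has no
-- SELECT on card_no, yet may see its last four digits through this function.
CREATE OR REPLACE FUNCTION app.mask_card(p_id integer)
RETURNS text
LANGUAGE sql
SECURITY DEFINER
-- Pin search_path so that unqualified names inside the body cannot resolve to
-- an object a caller has planted in a schema earlier on their own search path.
SET search_path = pg_catalog, app
AS $$
    SELECT '****-****-****-' || right(card_no, 4)
      FROM app.customers
     WHERE id = $1;
$$;

-- EXECUTE on a new function is granted to PUBLIC by default. Withdraw it and
-- grant it only to the role that needs it, in the same transaction as the
-- CREATE, so there is no window in which every user can call the function.
REVOKE EXECUTE ON FUNCTION app.mask_card(integer) FROM PUBLIC;
GRANT  EXECUTE ON FUNCTION app.mask_card(integer) TO app_reader;

COMMIT;
```

The two controls are independent: the REVOKE/GRANT pair decides who may call the function at all, while the pinned search_path stops a permitted caller from turning the owner's permissions against an object of the caller's choosing. A SECURITY DEFINER function that keeps the default EXECUTE for PUBLIC, or references unqualified names without a fixed search path, is the pattern the precaution above warns against.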

3. Common grammar

1) Grant access rights to the table or view to the specified user or role

GRANT { { SELECT | INSERT | UPDATE | DELETE | TRUNCATE | REFERENCES | TRIGGER | ALTER | DROP | COMMENT | INDEX | VACUUM } [, ...]
      | ALL [ PRIVILEGES ] }
    ON { [ TABLE ] table_name [, ...]
       | ALL TABLES IN SCHEMA schema_name [, ...] }
    TO { [ GROUP ] role_name | PUBLIC } [, ...]
    [ WITH GRANT OPTION ];

2) Grant access rights to the fields in the table to the specified user or role

GRANT { {{ SELECT | INSERT | UPDATE | REFERENCES | COMMENT } ( column_name [, ...] )} [, ...]
      | ALL [ PRIVILEGES ] ( column_name [, ...] ) }
    ON [ TABLE ] table_name [, ...]
    TO { [ GROUP ] role_name | PUBLIC } [, ...]
    [ WITH GRANT OPTION ];

3) Grant database access rights to specified users or roles

GRANT { { CREATE | CONNECT | TEMPORARY | TEMP | ALTER | DROP | COMMENT } [, ...]
      | ALL [ PRIVILEGES ] }
    ON DATABASE database_name [, ...]
    TO { [ GROUP ] role_name | PUBLIC } [, ...]
    [ WITH GRANT OPTION ];

4) Grant access rights to the function to the specified user or role

GRANT { { EXECUTE | ALTER | DROP | COMMENT } [, ...] | ALL [ PRIVILEGES ] }
    ON { FUNCTION {function_name ( [ {[ argmode ] [ arg_name ] arg_type} [, ...] ] )} [, ...]
       | ALL FUNCTIONS IN SCHEMA schema_name [, ...] }
    TO { [ GROUP ] role_name | PUBLIC } [, ...]
    [ WITH GRANT OPTION ];

5) Grant access rights to the stored procedure to the specified user or role

GRANT { { EXECUTE | ALTER | DROP | COMMENT } [, ...] | ALL [ PRIVILEGES ] }
    ON { PROCEDURE {proc_name ( [ {[ argmode ] [ arg_name ] arg_type} [, ...] ] )} [, ...] }
    TO { [ GROUP ] role_name | PUBLIC } [, ...]
    [ WITH GRANT OPTION ];

……

4. How to use the REVOKE command of GaussDB

1. Function description

REVOKE is used to revoke permissions from one or more users or roles.

2. Precautions

When someone other than the object owner runs REVOKE, the following rules apply:

1) If the user running REVOKE holds no permissions on the object, the command fails immediately.

2) If the user holds some of the permissions, only those held with the grant option are revoked.

3) If the user holds none of the named permissions with the grant option, the REVOKE ALL PRIVILEGES form reports an error; the other forms issue a warning for each named permission for which the grant option is missing.

3. Common grammar

1) Reclaim permissions on the specified table or view

REVOKE [ GRANT OPTION FOR ]
    { { SELECT | INSERT | UPDATE | DELETE | TRUNCATE | REFERENCES | ALTER | DROP | COMMENT | INDEX | VACUUM }[, ...]
    | ALL [ PRIVILEGES ] }
    ON { [ TABLE ] table_name [, ...]
       | ALL TABLES IN SCHEMA schema_name [, ...] }
    FROM { [ GROUP ] role_name | PUBLIC } [, ...]
    [ CASCADE | RESTRICT ];

2) Recycle the permissions of the specified fields on the table

REVOKE [ GRANT OPTION FOR ]
    { {{ SELECT | INSERT | UPDATE | REFERENCES | COMMENT } ( column_name [, ...] )}[, ...]
    | ALL [ PRIVILEGES ] ( column_name [, ...] ) }
    ON [ TABLE ] table_name [, ...]
    FROM { [ GROUP ] role_name | PUBLIC } [, ...]
    [ CASCADE | RESTRICT ];

3) Recover permissions on the specified database

REVOKE [ GRANT OPTION FOR ]
    { { CREATE | CONNECT | TEMPORARY | TEMP | ALTER | DROP | COMMENT } [, ...]
    | ALL [ PRIVILEGES ] }
    ON DATABASE database_name [, ...]
    FROM { [ GROUP ] role_name | PUBLIC } [, ...]
    [ CASCADE | RESTRICT ];

4) Reclaim permissions on the specified function

REVOKE [ GRANT OPTION FOR ]
    { { EXECUTE | ALTER | DROP | COMMENT } [, ...] | ALL [ PRIVILEGES ] }
    ON { FUNCTION {function_name ( [ {[ argmode ] [ arg_name ] arg_type} [, ...] ] )} [, ...]
       | ALL FUNCTIONS IN SCHEMA schema_name [, ...] }
    FROM { [ GROUP ] role_name | PUBLIC } [, ...]
    [ CASCADE | RESTRICT ];

5) Recover permissions on the specified stored procedure

REVOKE [ GRANT OPTION FOR ]
    { { EXECUTE | ALTER | DROP | COMMENT } [, ...] | ALL [ PRIVILEGES ] }
    ON { PROCEDURE {proc_name ( [ {[ argmode ] [ arg_name ] arg_type} [, ...] ] )} [, ...]
       | ALL PROCEDURE IN SCHEMA schema_name [, ...] }
    FROM { [ GROUP ] role_name | PUBLIC } [, ...]
    [ CASCADE | RESTRICT ];

……

5. GaussDB example

1.GRANT statement example

1) Grant user user_name the SELECT, INSERT, UPDATE and DELETE permissions on the table schema_name.table_name. (In GaussDB the qualifier in front of a table name is a schema, not a database; the GRANT syntax above takes table_name, optionally schema-qualified.)

GRANT SELECT, INSERT, UPDATE, DELETE ON schema_name.table_name TO user_name;

2) Grant user user_name all permissions on schema_name.table_name.

GRANT ALL PRIVILEGES ON schema_name.table_name TO user_name;

3) Grant user user_name the SELECT, INSERT, UPDATE and DELETE permissions on schema_name.table_name, and allow him to pass them on to other users.

GRANT SELECT, INSERT, UPDATE, DELETE ON schema_name.table_name TO user_name WITH GRANT OPTION;

2.REVOKE statement example:

1) Revoke user user_name's SELECT, INSERT, UPDATE and DELETE permissions on the table schema_name.table_name.

REVOKE SELECT, INSERT, UPDATE, DELETE ON schema_name.table_name FROM user_name;

2) Revoke all permissions of user user_name on schema_name.table_name.

REVOKE ALL PRIVILEGES ON schema_name.table_name FROM user_name;

3) Revoke user user_name's right to pass the SELECT, INSERT, UPDATE and DELETE permissions on schema_name.table_name on to others (the grant option), while leaving the permissions themselves in place. This uses the REVOKE GRANT OPTION FOR form from the syntax above; writing WITH GRANT OPTION after FROM is not valid.

Tip: a user can only revoke permissions that he granted himself. If user_name has already passed these permissions on to others, the command fails under RESTRICT (the default); if CASCADE is declared, those dependent permissions are revoked as well.

REVOKE GRANT OPTION FOR SELECT, INSERT, UPDATE, DELETE ON schema_name.table_name FROM user_name CASCADE;
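The tip above is easiest to see with a grant chain: the owner grants with grant option, the grantee passes the permission on, and the owner then tries to take it back. The script below, an added example that is not part of the original article or of GaussDB's documentation, plays this out and checks the result after each step. It assumes an app.customers table owned by the administrator running it; users alice and bob and their passwords are constructed for illustration, SET ROLE ... PASSWORD is used only to keep the whole exchange in one session, and has_table_privilege() is assumed to be available as in PostgreSQL.

```sql
-- Added example, not taken from the original article. Assumes app.customers
-- exists and the script runs as its owner (the administrator); users alice and
-- bob and their passwords are constructed for illustration, and
-- has_table_privilege() is assumed to behave as in PostgreSQL.

CREATE USER alice PASSWORD 'Strong_Pass@11';
CREATE USER bob   PASSWORD 'Strong_Pass@12';
GRANT USAGE ON SCHEMA app TO alice, bob;

-- The owner lets alice read the table and pass that right on.
GRANT SELECT ON app.customers TO alice WITH GRANT OPTION;

-- alice, acting as herself, passes SELECT to bob. SET ROLE ... PASSWORD keeps
-- the whole script in one session; in practice she would run the GRANT herself.
SET ROLE alice PASSWORD 'Strong_Pass@11';
GRANT SELECT ON app.customers TO bob;
RESET ROLE;

-- A grantor can only revoke what it granted itself. bob's SELECT was granted by
-- alice, not by the owner, so this REVOKE by the owner leaves bob's permission
-- in place; the check that follows shows bob can still read the table.
REVOKE SELECT ON app.customers FROM bob;
SELECT has_table_privilege('bob', 'app.customers', 'SELECT');

-- Take back alice's right to re-grant. Under RESTRICT (the default) this fails
-- because bob's grant depends on it; CASCADE revokes the dependent grant too.
-- alice keeps her own SELECT, bob loses his.
REVOKE GRANT OPTION FOR SELECT ON app.customers FROM alice CASCADE;
SELECT has_table_privilege('alice', 'app.customers', 'SELECT');
SELECT has_table_privilege('bob',   'app.customers', 'SELECT');

-- Finally withdraw alice's SELECT as well.
REVOKE SELECT ON app.customers FROM alice;
```

The practical lesson for incident response is that revoking a permission from the user you see holding it is not enough when the grant came through an intermediary: trace the chain back to the grantor (the ACL records who granted each entry) and revoke the grant option there with CASCADE, or the permission survives.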

Summary: GRANT and REVOKE are the commands for managing user permissions in GaussDB. GRANT assigns permissions on database objects to users and roles so that they can access and manipulate data; REVOKE withdraws them. Used together, and under the principle of least privilege, they control which users can reach which objects and so protect the security and reliability of the database.


Origin my.oschina.net/u/4526289/blog/10123208