说明:
数据库对象上的权限有:SELECT,INSERT, UPDATE,DELETE,RULE, REFERENCES,TRIGGER,CREATE, TEMPORARY,EXECUTE,和USAGE等
我们可以用特殊的保留字 PUBLIC 把对象的权限赋予系统中的所有角色。 在权限声明的位置上写 ALL,表示把适用于该对象的所有权限都赋予目标角色。
比如:
grant all on schema csm_ca to public;
revoke all on schema csm_ca from public;
PostgreSQL里的角色赋权是通过角色继承(INHERIT)的方式实现的。
举例1:
1、创建角色:
create role dw_dev with login password ‘xxxxxx’;
2、修改密码:
alter role gpadmin with password ‘xxxxxx’;
3、授予权限:
grant all privileges on database test to dw_dev;
4、创建用户并继承角色权限:
create user chq with password ‘xxxxxx’ in role dw_dev;
等同于:
create user chq with password ‘xxxxxx’; grant dw_dev to chq;
举例2:
1、创建角色:
CREATE ROLE father login noinherit encrypted password ‘xxxxxx’;
2、授予角色基本的连接属性:
GRANT CONNECT ON DATABASE test to father;
— GRANT USAGE ON SCHEMA public to father;
3、授予表的查询权限:
GRANT SELECT on public.emp to father;
4、创建角色并开启继承属性:
CREATE ROLE son1 login inherit encrypted password ‘xxxxxx’;
5、将father的权限授予角色son1:
GRANT father to son1;
— 另一种方法,在创建用户的时候赋予角色权限
CREATE ROLE son2 login inherit encrypted password ‘xxxxxx’ in role father;
##########################################################
postgres=# create role role_a with password ‘123456’ login;
CREATE ROLE
postgres=# grant all on database postgres to role_a;
GRANT
postgres=# grant select on all tables in schema schema1 to role_a;
GRANT
postgres=# grant all on schema schema1 to role_a;
#########################################################
删除用户
方式一(必须回收所有权限):
postgres=# revoke all on schema schema1 from role_a;
REVOKE
postgres=# drop role role_a;
ERROR: role “role_a” cannot be dropped because some objects depend on it
DETAIL: privileges for table test
privileges for database postgres
postgres=# revoke all on all tables in schema schema1 from role_a;
REVOKE
postgres=# drop role role_a;
ERROR: role “role_a” cannot be dropped because some objects depend on it
DETAIL: privileges for database postgres
postgres=# revoke all on database postgres from role_a;
REVOKE
postgres=# drop role role_a;
DROP ROLE
方式二:
REASSIGN OWNED BY old_user TO postgres;
DROP OWNED BY ole_user;
DROP USER old_user;
注意:REASSIGN OWNED BY和DROP OWNED BY命令只能删除对应库中的权限,如果在其他库中仍有要收回的权限,要切换到其他库执行。