When are privileges listed in \l and when are they not?


10

When does \l list access privileges, and when does it not? The access privileges listed by \l can change after a grant followed by a revoke:

$ createuser -EP my_readonly
$ psql development
development=# \l
                                           List of databases
            Name             |  Owner   | Encoding |   Collate   |    Ctype    |   Access privileges   
-----------------------------+----------+----------+-------------+-------------+-----------------------
 development                 | vagrant  | UTF8     | en_GB.UTF-8 | en_GB.UTF-8 | 
...
development=# grant usage on schema public to my_readonly;
development=# grant connect on database development to my_readonly;
development=# \l
                                             List of databases
            Name             |  Owner   | Encoding |   Collate   |    Ctype    |     Access privileges      
-----------------------------+----------+----------+-------------+-------------+----------------------------
 development                 | vagrant  | UTF8     | en_GB.UTF-8 | en_GB.UTF-8 | =Tc/vagrant               +
                             |          |          |             |             | vagrant=CTc/vagrant       +
                             |          |          |             |             | my_readonly=c/vagrant
...
development=# revoke connect on database development from my_readonly;
REVOKE
development=# revoke usage on schema public from my_readonly;
REVOKE
development=# \l
                                           List of databases
            Name             |  Owner   | Encoding |   Collate   |    Ctype    |   Access privileges   
-----------------------------+----------+----------+-------------+-------------+-----------------------
 development                 | vagrant  | UTF8     | en_GB.UTF-8 | en_GB.UTF-8 | =Tc/vagrant          +
                             |          |          |             |             | vagrant=CTc/vagrant

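Why is that? What state changed? I believe the my_readonly user's ability to connect did not change at any point during the psql session (because I guess the PUBLIC role has the connect privilege), but clearly something changed: what was it?

Side question: how can I explicitly ask postgres whether PUBLIC actually has the connect privilege (it might have been revoked - see Why can a new user select from any table?)?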

Answers:


4

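Backslash commands in psql are shortcuts for a query or queries that look through the system catalogs. The \l command looks at the information in pg_catalog.pg_database, specifically with the following query: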

SELECT d.datname as "Name",
   pg_catalog.pg_get_userbyid(d.datdba) as "Owner",
   pg_catalog.pg_encoding_to_char(d.encoding) as "Encoding",
   d.datcollate as "Collate",
   d.datctype as "Ctype",
   pg_catalog.array_to_string(d.datacl, E'\n') AS "Access privileges"
FROM pg_catalog.pg_database d
ORDER BY 1;

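If you pass -E to psql when invoking it on the command line, it will show the queries that the backslash commands use.

If the permissions on a database or other object are the defaults that PostgreSQL uses when creating it, the *acl column will be NULL. If you change away from the defaults, the ACL column will be populated with information related to the GRANT and/or REVOKE statements you have run.

You can view the permissions/ACLs specifically via \z or \dp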

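If you read further here:

http://www.postgresql.org/docs/9.4/static/sql-grant.html

If you scroll down (or search for the word psql), you can see the table that shows how to interpret the ACLs you see in \l or in the ACL columns.

For example: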

=Tc/vagrant

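means that PUBLIC (the implicit role that contains all roles) has the privilege to create temporary tables (T) and to connect (c), because an ACL line of the form =xxxxx denotes privileges applied to PUBLIC, whereas rolname=xxxx applies to that specific role.

This presentation by Dalibo should also shed further light on this: Managing rights in PostgreSQL

Hope that helps. =)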
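An added example, not part of the original answer: the queries below address the side question by expanding each database's effective ACL (substituting the built-in default when datacl is NULL, which is what \l shows as an empty cell) and then asking PostgreSQL directly whether PUBLIC holds CONNECT. The database and role names are the ones from the question; acldefault() is assumed to be available on the server version in use, and LATERAL needs PostgreSQL 9.3 or later.

```sql
-- 1. One row per (database, grantee, privilege), including the implicit
--    defaults that apply while pg_database.datacl is still NULL.
--    acldefault('d', owner) returns the default ACL for a database object.
SELECT d.datname                                    AS database,
       d.datacl IS NULL                             AS using_defaults,
       CASE WHEN a.grantee = 0 THEN 'PUBLIC'        -- OID 0 is the PUBLIC pseudo-role
            ELSE pg_catalog.pg_get_userbyid(a.grantee)
       END                                          AS grantee,
       a.privilege_type,
       a.is_grantable
FROM pg_catalog.pg_database AS d
CROSS JOIN LATERAL pg_catalog.aclexplode(
         COALESCE(d.datacl, pg_catalog.acldefault('d', d.datdba))
     ) AS a
WHERE d.datname = 'development'
ORDER BY 1, 3, 4;

-- 2. Ask directly whether PUBLIC holds CONNECT on the database.
--    The privilege inquiry functions accept 'public' as the role name
--    to mean the PUBLIC pseudo-role.
SELECT pg_catalog.has_database_privilege('public', 'development', 'CONNECT')
       AS public_can_connect;

-- 3. Effective privilege for the specific role. This is true whenever the
--    role itself, a role it is a member of, or PUBLIC holds CONNECT, so it
--    stays true across the GRANT and REVOKE in the question as long as
--    PUBLIC still has CONNECT.
SELECT pg_catalog.has_database_privilege('my_readonly', 'development', 'CONNECT')
       AS my_readonly_can_connect;

-- 4. Databases where PUBLIC can still connect: a quick audit for
--    least-privilege reviews.
SELECT d.datname
FROM pg_catalog.pg_database AS d
WHERE d.datallowconn
  AND pg_catalog.has_database_privilege('public', d.oid, 'CONNECT')
ORDER BY 1;
```

In query 1, using_defaults is true before the first GRANT and false afterwards, even once the grant has been revoked, because the ACL column is then stored explicitly instead of being NULL.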

Licensed under cc by-sa 3.0 with attribution required.