Source From Here
Question
I'd like to create a user in PostgreSQL that can only do SELECTs from a particular database. In MySQL the command would be:
What is the equivalent command or series of commands in PostgreSQL?
How-To
Grant usage/select to a single table
If you only grant CONNECT to a database, the user can connect but has no other privileges. You have to grant USAGE on namespaces (schemas) and SELECT on tables and views individually like so:
Multiple tables/views (PostgreSQL 9.0+)
In the latest versions of PostgreSQL, you can grant permissions on all tables/views/etc in the schema using a single command rather than having to type them one by one:
This only affects tables that have already been created. More powerfully, you can automatically have default roles assigned to new objects in future:
Note that by default this will only affect objects (tables) created by the user that issued this command: although it can also be set on any role that the issuing user is a member of. However, you don't pick up default privileges for all roles you're a member of when creating new objects... so there's still some faffing around. If you adopt the approach that a database has an owning role, and schema changes are performed as that owning role, then you should assign default privileges to that owning role. IMHO this is all a bit confusing and you may need to experiment to come up with a functional workflow.
Multiple tables/views (PostgreSQL versions before 9.0)
To avoid errors in lengthy, multi-table changes, it is recommended to use the following 'automatic' process to generate the required GRANT SELECT to each table/view:
This should output the relevant GRANT commands to GRANT SELECT on all tables, views, and sequences in public, for copy-n-paste love. Naturally, this will only be applied to tables that have already been created.
Supplement
* oinopion/read-access.sql
* PostgreSQL Doc - Chapter 18. Database Roles and Privileges
* PostgreSQL - ALTER USER
Question
I'd like to create a user in PostgreSQL that can only do SELECTs from a particular database. In MySQL the command would be:
- GRANT SELECT ON mydb.* TO 'xxx'@'%' IDENTIFIED BY 'yyy';
How-To
Grant usage/select to a single table
If you only grant CONNECT to a database, the user can connect but has no other privileges. You have to grant USAGE on namespaces (schemas) and SELECT on tables and views individually like so:
- GRANT CONNECT ON DATABASE mydb TO xxx;
- -- This assumes you're actually connected to mydb..
- GRANT USAGE ON SCHEMA public TO xxx;
- GRANT SELECT ON mytable TO xxx;
In the latest versions of PostgreSQL, you can grant permissions on all tables/views/etc in the schema using a single command rather than having to type them one by one:
- GRANT SELECT ON ALL TABLES IN SCHEMA public TO xxx;
- ALTER DEFAULT PRIVILEGES IN SCHEMA public
- GRANT SELECT ON TABLES TO xxx;
Multiple tables/views (PostgreSQL versions before 9.0)
To avoid errors in lengthy, multi-table changes, it is recommended to use the following 'automatic' process to generate the required GRANT SELECT to each table/view:
- SELECT 'GRANT SELECT ON ' || relname || ' TO xxx;'
- FROM pg_class JOIN pg_namespace ON pg_namespace.oid = pg_class.relnamespace
- WHERE nspname = 'public' AND relkind IN ('r', 'v', 'S');
Supplement
* oinopion/read-access.sql
- -- Create a group
- CREATE ROLE readaccess;
- -- Grant access to existing tables
- GRANT USAGE ON SCHEMA public TO readaccess;
- GRANT SELECT ON ALL TABLES IN SCHEMA public TO readaccess;
- -- Grant access to future tables
- ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO readaccess;
- -- Create a final user with password
- CREATE USER tomek WITH PASSWORD 'secret';
- GRANT readaccess TO tomek;
* PostgreSQL - ALTER USER
沒有留言:
張貼留言