In PostgreSQL, all is built around the concept of role.
在PostgreSQL中,所有内容都是围绕role概念构建的。
When first installing PostgreSQL on macOS, the script created a role with your macOS username, with a list of permissions granted.
在macOS上首次安装PostgreSQL时,该脚本使用您的macOS用户名创建了一个角色 ,并授予了权限列表。
There are no users in PostgreSQL, just roles.
PostgreSQL中没有用户,只有role 。
By running psql postgres in your terminal, you’ll automatically login with your macOS username to PostgreSQL, therefore accessing the role created.
通过在终端中运行psql postgres ,您将使用您的macOS用户名自动登录到PostgreSQL,从而访问创建的角色。
In my case the flaviocopes role was created, and I can see it by using the \du command:
就我而言,创建了flaviocopes角色,可以使用\du命令看到它:
See? I have the following roles attributes by default:
看到? 默认情况下,我具有以下角色属性 :
SuperuserSuperuserCreate roleCreate roleCreate DBCreate DBReplicationReplicationBypass RLSBypass RLS
and I’m not a member of any other role (more on this later)
而且我不是任何其他角色的成员(稍后再讨论)
创建一个新角色 (Creating a new role)
A new role is created using the CREATE ROLE command:
使用CREATE ROLE命令创建一个新角色:
CREATE ROLE <role>;For example:
例如:
CREATE ROLE testing;
We got a new role, with the Cannot login role attribute. Our newly created user will not be able to login.
我们有了一个Cannot login角色属性的新角色。 我们新创建的用户将无法登录。
You can try by typing the \q command, and then psql postgres -U testing, but you’ll see this error:
您可以先输入\q命令,然后再输入psql postgres -U testing尝试,但是您会看到此错误:
To fix this problem we must add the LOGIN role attribute at creation:
要解决此问题,我们必须在创建时添加LOGIN角色属性:
CREATE ROLE <role> WITH LOGIN;If we remove that role using:
如果我们使用以下方法删除该角色:
DROP ROLE <role>;and add WITH LOGIN this time:
并这次添加WITH LOGIN :
DROP ROLE testing;
CREATE ROLE testing WITH LOGIN;We can see that the testing role can login, because we don’t have the Cannot login role attribute this time:
我们可以看到testing角色可以登录,因为这次我们没有Cannot login role属性:
Try by adding the command \q to quit, and then psql postgres -U testing:
尝试添加命令\q退出,然后添加psql postgres -U testing :
Notice that the prompt changed from =# to => because we don’t have the Superuser role attribute now.
请注意, 提示已从=#更改为=>因为我们现在没有Superuser角色属性。
为角色添加密码 (Adding a password to a role)
In the previous CREATE ROLE command we created a role without password. Of course it’s very important to have (secure) passwords. You can add a password by using the PASSWORD keyword:
在上一个CREATE ROLE命令中,我们创建了一个没有密码的角色。 当然,拥有(安全)密码非常重要。 您可以使用PASSWORD关键字添加密码:
CREATE ROLE <role> WITH LOGIN PASSWORD '<password>';创建用户 (CREATE USER)
An alternative way to define roles with the LOGIN attribute automatically added (effectively creating users that can login) is to use CREATE USER:
使用自动添加的LOGIN属性来定义角色的另一种方法(有效地创建可以登录的用户)是使用CREATE USER :
CREATE USER <role> PASSWORD '<password>';向角色添加角色属性 (Adding a role attribute to a role)
A role attribute can be added later on to a role using the ALTER ROLE command.
稍后可以使用ALTER ROLE命令将角色属性添加到角色。
Let’s suppose we created a role without the LOGIN attribute:
假设我们创建了一个没有LOGIN属性的角色:
CREATE ROLE <username> PASSWORD '<password>';We can add it using:
我们可以使用以下方法添加它:
ALTER ROLE <role> WITH LOGIN;内置角色属性 (Built-in role attributes)
We saw the LOGIN role attribute already, to allow a role to login.
我们已经看到LOGIN角色属性,以允许角色登录。
But what are other built-in role attributes we can use?
但是,我们还可以使用其他哪些内置角色属性?
LOGIN/NOLOGIN: allow (or not) to login to PostgreSQLLOGIN/NOLOGIN:允许(或不允许)登录到PostgreSQLSUPERUSER/NOSUPERUSER: allow (or not) superuser permissions. A database superuser will bypass other permission checks, except forLOGIN(it must be granted separately).SUPERUSER/NOSUPERUSER:允许(或不允许)超级用户权限。 数据库超级用户将绕过除LOGIN(必须单独授予)以外的其他权限检查。CREATEDB/NOCREATEDB: allow (or not) the ability to create new databasesCREATEDB/NOCREATEDB:允许(或不允许)创建新数据库的能力CREATEROLE/NOCREATEROLE: allow (or not) the ability to create new rolesCREATEROLE/NOCREATEROLE:允许(或不允许)创建新角色CREATEUSER/NOCREATEUSER: allow (or not) the ability to create new usersCREATEUSER/NOCREATEUSER:允许(或不允许)创建新用户INHERIT/NOINHERIT: allow (or not) the ability to make the privileges inheritableINHERIT/NOINHERIT:允许(或不允许)使特权可继承REPLICATION/NOREPLICATION: grant (or not) replication permissions (an advanced topic we’ll not cover)REPLICATION/NOREPLICATION:授予(或不授予)复制权限(我们将不介绍的高级主题)
组角色 (Group roles)
In PostgreSQL, there are no groups of users.
在PostgreSQL中,没有用户组。
Instead you can create roles with certain permissions, and then grant those roles to other roles.
相反,您可以创建具有特定权限的角色,然后将这些角色授予其他角色。
Roles will inherit the permissions of roles granted to them, if those roles have the INHERIT attribute.
如果角色具有INHERIT属性,则角色将继承授予他们的角色的权限。
建立群组角色 (Create a group role)
To create a group role, type
要创建组角色,请键入
CREATE ROLE <groupname>;The syntax is the same as creating a role.
语法与创建角色相同。
Once the group role is created, you can add roles to the group role using GRANT:
创建组角色后,您可以使用GRANT将角色添加到组角色中:
GRANT <groupname> TO <role>For example, we can create a flavio user role, a “employee” group role, and assign the user to the group role:
例如,我们可以创建一个flavio用户角色,一个“雇员”组角色,并将该用户分配给该组角色:
CREATE USER flavio PASSWORD 'superSecret123$';
CREATE ROLE employee;
GRANT employee TO flavio;You can remove a role from a group role using:
您可以使用以下方法从组角色中删除角色:
REVOKE <groupname> FROM <username>Example:
例:
REVOKE employee FROM flavio;组角色属性 (Group role attributes)
By default, adding a role to a group role will not make the role inherit attributes (permissions) from the group role.
默认情况下,将角色添加到组角色不会使该角色继承组角色的属性(权限)。
You need to create the group role with the INHERIT attribute.
您需要使用INHERIT属性创建组角色。
Suppose you create the employee group role, and assign it the CREATEDB attribute:
假设您创建了雇员组角色,并为其分配了CREATEDB属性:
CREATE ROLE employee WITH CREATEDB INHERIT;Now create a new role using INHERIT:
现在使用INHERIT创建一个新角色:
CREATE ROLE flavio;
GRANT employee TO flavio;
扫一扫
169
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
