在Postgres上创建角色
[英]Role creation on postgres
问题描述
I'm developing a small database for a library but I'm completely ignorant when it comes to roles and privileges. 
我正在为图书馆开发一个小型数据库,但是对于角色和特权我一无所知。 I've spent quite some time googling but I still don't truly get the mechanisms. 我花了很多时间进行谷歌搜索,但是我仍然没有真正了解这些机制。 My aim is to create 3 basic roles: 我的目标是创建3个基本角色:
- User with no login (not really an user, just someone who wants to see the books the library has in store, but he can't do any action besides just watching) 没有登录的用户(不是真正的用户,只是想要查看图书馆存储的书籍的人,但是他只能观看而不能执行任何操作)
- User with login (He can preorder books and do other actions) 登录用户(他可以预订书籍并执行其他操作)
- Admin (He can add new books, authors, genres and can give the admin privileges to other users) 管理员(他可以添加新书,作者,体裁,并可以向其他用户授予管理员权限)
At first I thought I could create these 3 roles specifying the various privileges each one has and then, on the related website, every time someone would connect he would have been considered an "User with no login" until the login which would've determinated whether he is an Admin or not; 一开始我以为我可以创建这3个角色,分别指定每个人拥有的各种特权,然后在相关网站上,每次有人连接时,他都会被视为“无登录用户”,直到确定登录为止他是否是管理员; reading the PostgreSQL documentation I understood it's nothing like this, or perhaps I got it wrong. 在阅读PostgreSQL文档时,我知道这根本不是这样,或者我弄错了。 I really have no clue what to do, any help would be appreciated. 我真的不知道该怎么办,任何帮助将不胜感激。
1 个解决方案
解决方案1
0 已采纳 2015-09-07 03:34:47
What you want to do is reasonable. 您想要做的是合理的。 Your webapp should log in with its connection pool as a user (say mywebapp ) that is marked NOINHERIT and has no rights except to SET ROLE to three other roles. 您的webapp应该以其连接池作为用户登录(例如mywebapp ),该用户被标记为NOINHERIT ,除了将SET ROLE为其他三个角色之外,没有其他权限。 Each of those roles describes one of the categories of users you mention above. 这些角色中的每一个都描述您上面提到的用户类别之一。 You'll also need to GRANT the rights to access any tables used to look up and authenticate users to the mywebapp user. 您还需要授予GRANT权限,以访问用于查找用户并对mywebapp用户进行身份验证的任何表。
When servicing a request, if it's acting on behalf of an anonymous user it does SET ROLE anonymous_web_user; 为请求提供服务时,如果它代表匿名用户执行操作,则它会执行SET ROLE anonymous_web_user; or whatever. 管他呢。
If it's acting as a named user, it does SET ROLE authenticated_user; 如果它充当命名用户,则执行SET ROLE authenticated_user; . 。 You'd GRANT the right to read the table you use for authenticating users to the mywebapp role so it can authenticate them in whatever way your app does so. 你会GRANT阅读使用验证用户身份的表格右侧mywebapp作用,因此它可以在任何方式您的应用功能,从而验证他们的身份。
If it's acting as an admin, it does SET ROLE admin; 如果它是管理员,则执行SET ROLE admin; . 。 Or, if there aren't many admins and they need different rights, you can make them PostgreSQL users, and SET ROLE the_admin_user_name; 或者,如果没有太多管理员,并且他们需要不同的权限,则可以使他们成为PostgreSQL用户,并SET ROLE the_admin_user_name; . 。 Again, your app would pre-authenticate them, and SET ROLE if it was satisfied with the user's authentication. 同样,您的应用将对它们进行预身份验证,如果对用户的身份验证满意,则SET ROLE 。
When a connection is returned to the pool it is vital that the pool run the query DISCARD ALL; 当连接返回到池时,池运行查询DISCARD ALL;是至关重要的DISCARD ALL; to clear the connection's role setting. 清除连接的角色设置。
So, for example, you might: 因此,例如,您可能:
CREATE ROLE mywebapp WITH LOGIN NOINHERIT;
CREATE ROLE anonymous_web_user;
CREATE ROLE authenticated_user;
CREATE ROLE admin_user;
-- 'mywebapp' can become anyone, but by default doesn't
-- get the rights of any of them since it's marked NOINHERIT
GRANT admin_user TO mywebapp;
GRANT anonymous_web_user TO mywebapp;
GRANT authenticated_user TO mywebapp;
-- All admins are authenticated users, since authenticated_user
-- is INHERITable
GRANT authenticated_user TO admin_user;
-- All authenticated users have the rights of anon users too
GRANT anonymous_web_user TO authenticated_user;
-- The app must be able to look up users
GRANT SELECT ON some_users_table TO mywebapp;
-- but only admins can change them
GRANT ALL ON some_users_table TO admin_user;
...
See Role membership . 请参阅角色成员资格 。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.