Granting via role in Postgres
I'd like to ask Postgres experts about a confusing sentence which I found in the documentation. In particular, I refer to the GRANT command, where the documentation states:
If the role executing GRANT holds the required privileges indirectly via more than one role membership path, it is unspecified which containing role will be recorded as having done the grant. In such cases it is best practice to use SET ROLE to become the specific role you want to do the GRANT as.
If I understand correctly, this is related to role inheritance. In particular, you might have a role C which inherits a permission from both role A and role B. In this case, if a user has role C and grants the permission, then Postgres might non-deterministically stipulate that the permission was granted by either A or B. To avoid this ambiguity, the user can issue SET ROLE A or SET ROLE B to force a lesser role and clarify how the granting should occur.
Some questions about this and a more general one:
Thanks in advance.
Yes, in my opinion, you are right:
You understand it correctly.
It does not matter whether the role that grants a permission has inherited the privilege or not. For each permission that you have, Postgres registers the role that granted the privilege.
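The situation the quoted documentation describes, as an added SQL example that is not part of the original question or answer. The role and table names are hypothetical, and it assumes a superuser session in a scratch database.

```sql
-- Added example; role and table names are hypothetical. Run as a superuser
-- in a scratch database; the closing ROLLBACK discards everything.
BEGIN;

CREATE ROLE demo_a;
CREATE ROLE demo_b;
CREATE ROLE demo_c;          -- INHERIT is the default for CREATE ROLE
CREATE ROLE demo_d1;
CREATE ROLE demo_d2;
CREATE TABLE grant_demo (id int);

-- A and B each hold SELECT with the right to pass it on.
GRANT SELECT ON grant_demo TO demo_a, demo_b WITH GRANT OPTION;
-- C reaches the grant option by two membership paths.
GRANT demo_a, demo_b TO demo_c;

-- Case 1: grant as C. The recorded grantor is demo_a or demo_b;
-- the documentation leaves the choice unspecified.
SET ROLE demo_c;
GRANT SELECT ON grant_demo TO demo_d1;
RESET ROLE;

-- Case 2: become A first, so the grant is recorded as made by demo_a.
SET ROLE demo_a;
GRANT SELECT ON grant_demo TO demo_d2;
RESET ROLE;

-- Inspect the grantor stored with each ACL entry on the table.
SELECT pg_get_userbyid(x.grantor) AS grantor,
       pg_get_userbyid(x.grantee) AS grantee,
       x.privilege_type,
       x.is_grantable
FROM pg_class AS c
CROSS JOIN LATERAL aclexplode(c.relacl) AS x
WHERE c.oid = 'grant_demo'::regclass
ORDER BY grantee;

ROLLBACK;
```

The recorded grantor matters when access is later reviewed or withdrawn, because a role can only revoke privileges that it granted itself.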