stackoom
  简体   繁体   中英

Role creation on postgres

 原文  2015-09-05 09:08:16       postgresql/ phpmyadmin/ roles

Question

I'm developing a small database for a library but I'm completely ignorant when it comes to roles and privileges. I've spent quite some time googling but I still don't truly get the mechanisms. My aim is to create 3 basic roles:

  • User with no login (not really an user, just someone who wants to see the books the library has in store, but he can't do any action besides just watching)
  • User with login (He can preorder books and do other actions)
  • Admin (He can add new books, authors, genres and can give the admin privileges to other users)

At first I thought I could create these 3 roles specifying the various privileges each one has and then, on the related website, every time someone would connect he would have been considered an "User with no login" until the login which would've determinated whether he is an Admin or not; reading the PostgreSQL documentation I understood it's nothing like this, or perhaps I got it wrong. I really have no clue what to do, any help would be appreciated.

1 answers

solution1
 0 ACCPTED  2015-09-07 03:34:47

What you want to do is reasonable. Your webapp should log in with its connection pool as a user (say mywebapp ) that is marked NOINHERIT and has no rights except to SET ROLE to three other roles. Each of those roles describes one of the categories of users you mention above. You'll also need to GRANT the rights to access any tables used to look up and authenticate users to the mywebapp user.

When servicing a request, if it's acting on behalf of an anonymous user it does SET ROLE anonymous_web_user; or whatever.

If it's acting as a named user, it does SET ROLE authenticated_user; . You'd GRANT the right to read the table you use for authenticating users to the mywebapp role so it can authenticate them in whatever way your app does so.

If it's acting as an admin, it does SET ROLE admin; . Or, if there aren't many admins and they need different rights, you can make them PostgreSQL users, and SET ROLE the_admin_user_name; . Again, your app would pre-authenticate them, and SET ROLE if it was satisfied with the user's authentication.

When a connection is returned to the pool it is vital that the pool run the query DISCARD ALL; to clear the connection's role setting.

So, for example, you might: 

CREATE ROLE mywebapp WITH LOGIN NOINHERIT;
CREATE ROLE anonymous_web_user;
CREATE ROLE authenticated_user;
CREATE ROLE admin_user;

-- 'mywebapp' can become anyone, but by default doesn't
-- get the rights of any of them since it's marked NOINHERIT
GRANT admin_user TO mywebapp;
GRANT anonymous_web_user TO mywebapp;
GRANT authenticated_user TO mywebapp;

-- All admins are authenticated users, since authenticated_user
-- is INHERITable
GRANT authenticated_user TO admin_user;

-- All authenticated users have the rights of anon users too
GRANT anonymous_web_user TO authenticated_user;

-- The app must be able to look up users
GRANT SELECT ON some_users_table TO mywebapp;
-- but only admins can change them
GRANT ALL ON some_users_table TO admin_user;

...

See Role membership .

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Logged in as postgres but getting the error createuser: creation of new role failed: ERROR: must be superuser to create superusers Postgres does not create role Granting via role in Postgres Error on deleting postgres role dropping a postgres role Creating new Role in Postgres postgres trigger creation Force Postgres index creation Postgres index creation time PassportJS and user creation with postgres
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM