In PostgreSQL we can give a user read-only access to the tables in a database or schema, for example:
bill=# grant select ON ALL tables in schema public to r2;
GRANT
After this, user r2 can read every table in the public schema:
bill=# \c - r2
You are now connected to database "bill" as user "r2".
bill=> select * from t1 limit 5;
id | info
----+----------------------------------
1 | acdb24254918c2a80ab5d739aab1eaea
2 | 02a20d22247faa65403d74558427559f
3 | 274fd9d8f276f5fe1537de18416666ec
4 | ce9e24065cede8f61f9445244f09fa14
5 | c4c8e0c7e77e2c59fc6b41da6c52f6f7
(5 rows)
This approach has a problem, though: if we create new tables in that schema after the grant, can the user access them?
bill=# create table t2 as select * from t1;
SELECT 10
bill=# \c - r2
You are now connected to database "bill" as user "r2".
bill=> select * from t2;
ERROR: permission denied for table t2
As you can see, it cannot. We would have to run grant select ON ALL tables in schema public to r2; again every time, which is tedious. Is there a once-and-for-all solution? There is:
alter default privileges for user schema_owner in schema schema_name grant select on tables to user_name;
For example:
bill=# alter default privileges for user bill in schema public grant select on tables to r2;
ALTER DEFAULT PRIVILEGES
Create a new table:
bill=# create table t3 as select * from t1;
SELECT 10
Switch to user r2 and check: the newly created table can be read as well.
bill=> select * from t3 limit 5;
id | info
----+----------------------------------
1 | acdb24254918c2a80ab5d739aab1eaea
2 | 02a20d22247faa65403d74558427559f
3 | 274fd9d8f276f5fe1537de18416666ec
4 | ce9e24065cede8f61f9445244f09fa14
5 | c4c8e0c7e77e2c59fc6b41da6c52f6f7
(5 rows)
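The following is an added example, not part of the original post, showing the whole procedure in one script together with the check a practitioner would want: default privileges are keyed on the role that creates the table, so a table created by a different role is not covered until that role gets its own entry. It assumes the database "bill" is owned by superuser "bill", the read-only role "r2" from the post, and a constructed second table-creating role "app_owner".

```sql
-- Added example (not the original post's code). Run as superuser "bill".
-- Constructed role: a second role that also creates tables in public.
CREATE ROLE app_owner LOGIN;
GRANT USAGE, CREATE ON SCHEMA public TO app_owner;

-- 1. Existing tables: a one-off grant covers only what exists right now.
GRANT SELECT ON ALL TABLES IN SCHEMA public TO r2;

-- 2. Future tables created by "bill" in public: covered by default privileges.
ALTER DEFAULT PRIVILEGES FOR USER bill IN SCHEMA public
    GRANT SELECT ON TABLES TO r2;

-- 3. Inspect which default-privilege entries exist (catalog pg_default_acl).
--    defaclobjtype 'r' means tables/relations; defaclacl is the ACL granted.
SELECT pg_get_userbyid(defaclrole)     AS creator_role,
       defaclnamespace::regnamespace   AS schema_name,
       defaclobjtype                   AS objtype,
       defaclacl
FROM pg_default_acl;

-- 4. Verify from the owner's session without reconnecting as r2.
--    t4 is created by bill, so the entry from step 2 applies to it.
CREATE TABLE t4 AS SELECT * FROM t1;
SELECT has_table_privilege('r2', 'public.t4', 'SELECT');

-- 5. Caveat: a table created by a different role is NOT covered, because
--    the default-privilege entry belongs to the creating role, not the schema.
SET ROLE app_owner;
CREATE TABLE t5 (id int, info text);
RESET ROLE;
SELECT has_table_privilege('r2', 'public.t5', 'SELECT');

-- 6. Fix: add a default-privilege entry for the other creating role as well,
--    then grant on the table that already slipped through.
ALTER DEFAULT PRIVILEGES FOR ROLE app_owner IN SCHEMA public
    GRANT SELECT ON TABLES TO r2;
GRANT SELECT ON public.t5 TO r2;

-- 7. Removing a default privilege affects only tables created afterwards;
--    tables that already received SELECT keep it until revoked explicitly.
ALTER DEFAULT PRIVILEGES FOR USER bill IN SCHEMA public
    REVOKE SELECT ON TABLES FROM r2;
```

Re-running the pg_default_acl query after step 6 shows one row per creating role, which is the quickest way to audit who can still hand out read access implicitly.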