bash
CREATE USER read_only WITH PASSWORD '密码'
-- 连接到xxx数据库
\c xxx
-- 授予对xxx数据库的只读权限
GRANT CONNECT ON DATABASE xxx TO read_only;
GRANT USAGE ON SCHEMA public TO read_only;
GRANT SELECT ON ALL TABLES IN SCHEMA public TO read_only;
GRANT EXECUTE ON ALL FUNCTIONS IN SCHEMA public TO readonly_user;
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO read_only;
ALTER DEFAULT PRIVILEGES FOR USER read_only GRANT SELECT, USAGE ON SEQUENCES TO read_only;
ALTER DEFAULT PRIVILEGES FOR USER read_only GRANT EXECUTE ON FUNCTIONS TO read_only;
-- 连接到xxxdata数据库
\c xxxdata
-- 授予对xxxdata数据库的只读权限
GRANT CONNECT ON DATABASE xxxdata TO read_only;
GRANT USAGE ON SCHEMA public TO read_only;
GRANT SELECT ON ALL TABLES IN SCHEMA public TO read_only;
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO read_only;
GRANT EXECUTE ON ALL FUNCTIONS IN SCHEMA public TO readonly_user;
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO read_only;
ALTER DEFAULT PRIVILEGES FOR USER read_only GRANT SELECT, USAGE ON SEQUENCES TO read_only;
ALTER DEFAULT PRIVILEGES FOR USER read_only GRANT EXECUTE ON FUNCTIONS TO read_only;说明:GRANT CONNECT ON DATABASE xxx TO read_only; 这里是显式的指定连接哪个数据库,read_only 是用户名称
GRANT SELECT ON ALL TABLES IN SCHEMA public TO read_only; public是默认的模式,如果不是,需要显式的指定哪个模式
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO read_only; 是让后续在此模式创建的对象仍然有查询权限
删除read_only 用户
首先,直接删除必定失败,如果目前这个模式下有表的情况下
bash
DROP user read_only报错提示如下:
bash
DROP user read_only
> ERROR: role "read_only" cannot be dropped because some objects depend on it
DETAIL: privileges for schema public
privileges for database test
privileges for table teachers
privileges for table courses
privileges for default privileges on new relations belonging to role postgres in schema public根据报错提示逐条解决依赖问题就可以彻底删除此用户了,SQL如下:
bash
REVOKE ALL PRIVILEGES on DATABASE test FROM read_only
REVOKE ALL PRIVILEGES on SCHEMA "public" FROM read_only
REVOKE ALL PRIVILEGES ON ALL tables IN SCHEMA "public" FROM read_only
ALTER DEFAULT PRIVILEGES in SCHEMA PUBLIC REVOKE SELECT ON tables FROM read_only删除用户其实主要就是根据日志来删除,哪留的有关联权限,删除掉就可以了,没什么好说的