
PostgreSQL user role permissions

2022-06-25 19:08:00 Daiyuanpei

In PostgreSQL, everything is built around the concept of a role.

When PostgreSQL is first installed on macOS, the script creates a role with your macOS username and grants it a list of permissions.

PostgreSQL has no users, only roles.

By running psql postgres in the terminal, you automatically log in to PostgreSQL with your macOS username and can access the role that was created.

In my case, the flaviocopes role was created, and I can see it with the \du command:

Notice? By default, I have the following role attributes:

  • Superuser

  • Create role

  • Create DB

  • Replication

  • Bypass RLS

And I am not a member of any other role (we'll talk about this later).

Creating a new role

Use the CREATE ROLE command to create a new role:

CREATE ROLE <role>;

For example:

CREATE ROLE testing;

We get a new role with the Cannot login role attribute. Our newly created user will not be able to log in.

You can type the \q command and then try psql postgres -U testing, but you will see this error:

To solve this problem, we must add the LOGIN role attribute at creation time:

CREATE ROLE <role> WITH LOGIN;

If we delete the role using:

DROP ROLE <role>;

and this time add WITH LOGIN:

DROP ROLE testing;
CREATE ROLE testing WITH LOGIN;

We can see that the testing role can log in, because this time it does not have the Cannot login role attribute:

Try typing the \q command to quit, then psql postgres -U testing:

Note that the prompt changed from =# to => because we don't have the Superuser role attribute.

Adding a password to a role

In the last CREATE ROLE command, we created a role without a password. Of course, having (secure) passwords is very important. You can add a password with the PASSWORD keyword:

CREATE ROLE <role> WITH LOGIN PASSWORD '<password>';

CREATE USER

An alternative way to define a role with the LOGIN attribute added automatically (effectively creating a user that can log in) is to use CREATE USER:

CREATE USER <role> PASSWORD '<password>';

Adding a role attribute to a role

A role attribute can be added to a role later with the ALTER ROLE command.

Suppose we created a role without the LOGIN attribute:

CREATE ROLE <username> PASSWORD '<password>';

We can add it using:

ALTER ROLE <role> WITH LOGIN;

Built-in role attributes

We've seen the LOGIN role attribute, which allows a role to log in.

But what other built-in role attributes can we use?

  • LOGIN / NOLOGIN: allow (or disallow) logging in to PostgreSQL

  • SUPERUSER / NOSUPERUSER: allow (or disallow) superuser permissions. A database superuser bypasses all other permission checks except LOGIN (which must be granted separately).

  • CREATEDB / NOCREATEDB: allow (or disallow) the ability to create new databases

  • CREATEROLE / NOCREATEROLE: allow (or disallow) the ability to create new roles

  • CREATEUSER / NOCREATEUSER: allow (or disallow) the ability to create new users

  • INHERIT / NOINHERIT: allow (or disallow) privileges to be inheritable

  • REPLICATION / NOREPLICATION: grant (or do not grant) replication permissions (an advanced topic that we will not cover)

Group roles

In PostgreSQL, there are no user groups.

Instead, you can create roles with specific permissions and then grant those roles to other roles.

Roles inherit the permissions of the roles granted to them if those roles have the INHERIT attribute.

Create a group role

To create a group role, type:

CREATE ROLE <groupname>;

The syntax is the same as for creating a role.

After creating the group role, you can add roles to it with GRANT:

GRANT <groupname> TO <role>;

For example, we can create a flavio user role and an "employee" group role, and assign the user to the group role:

CREATE USER flavio PASSWORD 'superSecret123$';
CREATE ROLE employee;
GRANT employee TO flavio;

You can remove a role from a group role using:

REVOKE <groupname> FROM <username>;

Example:

REVOKE employee FROM flavio;

Group role attributes

By default, adding a role to a group role does not make the role inherit the attributes (permissions) of the group role.

You need to create the group role with the INHERIT attribute.

Suppose you create an employee group role and assign it the CREATEDB attribute:

CREATE ROLE employee WITH CREATEDB INHERIT;

Now create a new role using INHERIT:

CREATE ROLE flavio;
GRANT employee TO flavio;
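
The attributes that \du prints and the group memberships created with GRANT can also be checked from SQL, which is useful when reviewing which roles hold powerful attributes. This is an added example, not part of the original article: the role names app_readers and report_user are hypothetical, '<password>' is a placeholder, and everything runs in a transaction that is rolled back. pg_roles, pg_auth_members and pg_has_role are standard PostgreSQL catalog objects.

```sql
-- Added example: hypothetical roles, created and discarded in one transaction.
BEGIN;

-- Group role: carries privileges only, cannot log in itself.
CREATE ROLE app_readers NOLOGIN;

-- Login role with every powerful attribute explicitly switched off.
-- '<password>' is a placeholder, not a value to reuse.
CREATE ROLE report_user WITH LOGIN INHERIT
    NOSUPERUSER NOCREATEDB NOCREATEROLE NOREPLICATION
    PASSWORD '<password>';

GRANT app_readers TO report_user;

-- 1. Attribute audit: roles holding any of the attributes \du lists
--    (Superuser, Create role, Create DB, Replication, Bypass RLS).
--    Predefined pg_* roles are skipped.
SELECT rolname, rolcanlogin, rolsuper, rolcreaterole,
       rolcreatedb, rolreplication, rolbypassrls
FROM pg_roles
WHERE rolname !~ '^pg_'
  AND (rolsuper OR rolcreaterole OR rolcreatedb
       OR rolreplication OR rolbypassrls)
ORDER BY rolname;

-- 2. Membership audit: which role was granted to which member,
--    and whether the member may re-grant it (admin_option).
SELECT g.rolname AS group_role,
       m.rolname AS member,
       m.rolinherit AS member_inherits,
       am.admin_option
FROM pg_auth_members am
JOIN pg_roles g ON g.oid = am.roleid
JOIN pg_roles m ON m.oid = am.member
WHERE g.rolname !~ '^pg_'
ORDER BY group_role, member;

-- 3. Point check for one pair of roles:
--    MEMBER = is a direct or indirect member,
--    USAGE  = the group's privileges apply without SET ROLE.
SELECT pg_has_role('report_user', 'app_readers', 'MEMBER') AS is_member,
       pg_has_role('report_user', 'app_readers', 'USAGE')  AS uses_privileges;

ROLLBACK;
```

On a fresh install the first query returns only the role created at installation, since report_user and app_readers hold none of the listed attributes.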

Translated from : https://flaviocopes.com/postgres-user-permissions/
