
Greenplum role-based fine-grained permission control

2022-06-24 16:17:00 act carefully

Note

The problems and solutions described in this article also apply to Tencent Cloud's Cloud Data Warehouse PostgreSQL (CDWPG).

Background

  • Greenplum uses roles to manage database access.
  • Greenplum's authentication system stores the roles and their privileges on database objects inside the database; they are managed with SQL statements or command-line tools.
  • By default, a user newly created in Greenplum cannot directly connect to the database, so understanding privilege management is essential if you want to use Greenplum.

I. Greenplum roles

Greenplum manages data access control through roles. A role covers two concepts, users and groups: a role can be a database user, a group, or both.

A role can own database objects (for example tables) and can grant access to those objects to other roles. A role can also be a member of another role; a child role can inherit the privileges of its parent role.

1. Privileges a role can hold on Greenplum objects

 Object type               | Privileges
---------------------------+--------------------------------------------
 Tables, views, sequences  | SELECT, INSERT, UPDATE, DELETE, RULE, ALL
 External tables           | SELECT, RULE, ALL
 Databases                 | CONNECT, CREATE, TEMPORARY | TEMP, ALL
 Functions                 | EXECUTE
 Procedural languages      | USAGE
 Schemas                   | CREATE, USAGE, ALL

2. Special attributes of roles

Role attribute / Description

SUPERUSER | NOSUPERUSER
Determines whether the role is a superuser. To create a new superuser, the creating role must itself be a superuser. NOSUPERUSER is the default.

CREATEDB | NOCREATEDB
Determines whether the role is allowed to create databases. NOCREATEDB is the default.

CREATEROLE | NOCREATEROLE
Determines whether the role is allowed to create and manage other roles. NOCREATEROLE is the default.

INHERIT | NOINHERIT
Determines whether the role inherits privileges from its parent roles. A role with the INHERIT attribute can automatically use any database privilege granted to any of its direct and indirect parent roles. INHERIT is the default.

LOGIN | NOLOGIN
Determines whether the role is allowed to log in. A role with the LOGIN attribute can be thought of as a user. Roles without this attribute are useful for managing database privileges (groups). NOLOGIN is the default.

CONNECTION LIMIT connlimit
If the role can log in, this specifies how many concurrent connections the role can establish. -1 (the default) means no limit.

CREATEEXTTABLE | NOCREATEEXTTABLE
Determines whether the role is allowed to create external tables. NOCREATEEXTTABLE is the default. For a role with the CREATEEXTTABLE attribute, the default external table type is readable and the default protocol is gpfdist. Note that external tables using the file or execute protocol can only be created by a superuser.

PASSWORD 'password'
Sets the role's password. If you do not plan to use password authentication, you can omit this option. If no password is specified, the password is set to null and password authentication for the user will always fail. PASSWORD NULL can optionally be written to set an empty password explicitly.

ENCRYPTED | UNENCRYPTED
Controls whether the new password is stored as a hash string in the pg_authid system catalog. If neither ENCRYPTED nor UNENCRYPTED is specified, the default behaviour is determined by the password_encryption configuration parameter, which defaults to on.

If the supplied password string is already hashed, it is stored as-is, regardless of whether ENCRYPTED or UNENCRYPTED is specified. For more information on protecting login passwords, see "Protecting Passwords in Greenplum Database".

VALID UNTIL 'timestamp'
Sets a date and time after which the role's password is no longer valid. If omitted, the password is valid indefinitely.

RESOURCE QUEUE queue_name
Assigns the role to the named resource queue for workload management. Any statement issued by the role is then subject to the limits of that resource queue. Note that the RESOURCE QUEUE attribute is not inherited; it must be set on each user-level (LOGIN) role.

DENY {deny_interval | deny_point}
Restricts access during an interval, specified by day or by day and time. For more information, see time-based authentication.

Notes on the special attributes of roles

1) A role cannot have both the superuser and createuser attributes;

2) A user with the superuser attribute can in fact create databases and create users; nocreateuser and nocreatedb place no constraint on the superuser attribute;

3) create role creates a user and alter role modifies user attributes. Deleting a user is drop role, and likewise deleting a database is drop database;

4) A user that owns resources cannot be dropped; an error is reported. The resources can, however, be dropped by a superuser;

5) Modify user attributes with alter role.

postgres=# \du+
                                                                   List of roles
  Role name   |                                                Attributes                                                | Member of | Description 
--------------+----------------------------------------------------------------------------------------------------------+-----------+-------------
 cdwadmin     | Create role, Create DB, Ext gpfdist Table                                                                | {}        | 
 gpadmincloud | Superuser, Create role, Create DB, Ext gpfdist Table, Wri Ext gpfdist Table, Ext http Table, Replication | {}        | 
 gpmon        | Superuser, Create DB                                                                                     | {}        | 

Here you can see that the cdwadmin user has the privileges to create roles and to create databases. That is a large set of privileges, but it is not a superuser, and it is entirely sufficient for everyday use.
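The attribute list above maps directly onto CREATE ROLE and ALTER ROLE. The following is an added example (not from the original post) that creates a NOLOGIN group role and a LOGIN member role with a connection limit and a password expiry, then reads the result back from pg_roles so the same check can be scripted instead of eyeballed in \du+. The role names, the password and the dates are constructed placeholders.

```sql
-- Added example, not from the original post. Names, password and dates are
-- constructed placeholders; run as a role that has CREATEROLE (cdwadmin-style).

-- A group role: NOLOGIN, so it can never be used to connect directly.
-- It exists only to hold privileges that member roles inherit.
CREATE ROLE report_readers NOLOGIN;

-- A user role: LOGIN, member of the group, with a concurrent-connection cap
-- and a password that stops working on a known date. INHERIT is the default,
-- so the user can use the group's privileges without SET ROLE.
CREATE ROLE report_user WITH
    LOGIN
    PASSWORD 'change-me-before-use'   -- constructed placeholder
    IN ROLE report_readers
    CONNECTION LIMIT 5
    VALID UNTIL '2030-01-01 00:00:00+00';

-- Attributes are changed afterwards with ALTER ROLE, not by re-creating.
ALTER ROLE report_user CONNECTION LIMIT 2;

-- Read the attributes back from the catalog. \du+ shows the same data, but
-- this form can be run by a monitoring job or a review script.
SELECT r.rolname,
       r.rolsuper,
       r.rolcreaterole,
       r.rolcreatedb,
       r.rolcanlogin,
       r.rolconnlimit,
       r.rolvaliduntil,
       ARRAY(SELECT g.rolname
             FROM pg_auth_members m
             JOIN pg_roles g ON g.oid = m.roleid
             WHERE m.member = r.oid) AS member_of
FROM pg_roles r
WHERE r.rolname IN ('report_readers', 'report_user')
ORDER BY r.rolname;
```

Because RESOURCE QUEUE is not inherited (see the attribute table), it would have to be added to report_user, the LOGIN role, rather than to the report_readers group.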

II. Greenplum privilege operation examples

1. Role attributes

Create a user and observe its role attributes:

postgres=# CREATE USER gp_dy WITH PASSWORD 'gp_dy';
NOTICE:  resource queue required -- using default resource queue "pg_default"
CREATE ROLE
postgres=# \du+
                                                                   List of roles
  Role name   |                                                Attributes                                                | Member of | Description 
--------------+----------------------------------------------------------------------------------------------------------+-----------+-------------
 cdwadmin     | Create role, Create DB, Ext gpfdist Table                                                                | {}        | 
 gp_dy        |                                                                                                          | {}        | 
 gpadmincloud | Superuser, Create role, Create DB, Ext gpfdist Table, Wri Ext gpfdist Table, Ext http Table, Replication | {}        | 
 gpmon        | Superuser, Create DB                                                                                     | {}        | 

An ordinary user has been created here; you can see that ordinary users have no attributes by default.

2. Database privileges

Create a database:

postgres=# CREATE DATABASE dy_demo;
CREATE DATABASE

First switch to the ordinary user and test its default privileges on the database:

[[email protected] ~]$ PGPASSWORD=gp_dy psql -d postgres -h 10.0.25.4 -U gp_dy
psql (9.4.24)
Type "help" for help.

postgres=> \c dy_demo
You are now connected to database "dy_demo" as user "gp_dy".
dy_demo=> CREATE SCHEMA test_schema;
ERROR:  permission denied for database dy_demo 

You can see that, by default, an ordinary user does not have the privilege to create a schema in the database.

Now switch back to the administrator user and grant the CREATE privilege on the database to the user:

[[email protected] ~]$ psql -d postgres
psql (9.4.24)
Type "help" for help.

postgres=# GRANT CREATE ON DATABASE dy_demo TO gp_dy;
GRANT

Switch to the ordinary user and try to create the schema again:

[[email protected] ~]$ PGPASSWORD=gp_dy psql -d postgres -h 10.0.25.4 -U gp_dy
psql (9.4.24)
Type "help" for help.

postgres=> \c dy_demo
You are now connected to database "dy_demo" as user "gp_dy".
dy_demo=> CREATE SCHEMA dy;
CREATE SCHEMA

Creation succeeded.

3. Schema privileges

Use the administrator role to create a new schema:

[[email protected] ~]$ psql -d postgres
psql (9.4.24)
Type "help" for help.

postgres=# \c dy_demo
You are now connected to database "dy_demo" as user "gpadmincloud".
dy_demo=# CREATE SCHEMA super_dy;
CREATE SCHEMA
dy_demo=# \dn
      List of schemas
    Name    |    Owner     
------------+--------------
 dy         | gp_dy
 gp_toolkit | gpadmincloud
 public     | gpadmincloud
 super_dy   | gpadmincloud
(4 rows)

You can see that the owner of the newly created schema super_dy is the administrator role.

Now switch to the ordinary user and try to create a table in this schema:

[[email protected] ~]$ PGPASSWORD=gp_dy psql -d postgres -h 10.0.25.4 -U gp_dy
psql (9.4.24)
Type "help" for help.

postgres=> \c dy_demo
You are now connected to database "dy_demo" as user "gp_dy".
dy_demo=> SET search_path TO super_dy;
SET  
dy_demo=> CREATE TABLE dy_test(id int, name varchar) DISTRIBUTED BY (id);
ERROR:  no schema has been selected to create in

The statement fails: by default you cannot create tables in someone else's schema.

Switch to the administrator and grant the relevant schema privileges to the ordinary user gp_dy:

[[email protected] ~]$ psql -d postgres
psql (9.4.24)
Type "help" for help.

postgres=# \c dy_demo
You are now connected to database "dy_demo" as user "gpadmincloud".
dy_demo=# GRANT USAGE,CREATE ON SCHEMA super_dy to gp_dy;
GRANT

Note that the USAGE privilege is essential; without it you cannot see any tables in the schema, nor query the data in them.

Switch to the gp_dy user and try to create the table again:

[[email protected] ~]$ PGPASSWORD=gp_dy psql -d postgres -h 10.0.25.4 -U gp_dy
psql (9.4.24)
Type "help" for help.

postgres=> \c dy_demo
You are now connected to database "dy_demo" as user "gp_dy".
dy_demo=> SET search_path TO super_dy;
SET
dy_demo=> CREATE TABLE dy_test(id int, name varchar) DISTRIBUTED BY (id);
CREATE TABLE

4. Privileges to insert, delete, update and query tables

Create a new table using the administrator role:

[[email protected] ~]$ psql -d postgres
psql (9.4.24)
Type "help" for help.

postgres=# \c dy_demo
You are now connected to database "dy_demo" as user "gpadmincloud".
dy_demo=# SET search_path TO super_dy;
SET
dy_demo=# CREATE TABLE super_test(id int, name varchar) DISTRIBUTED BY (id);
CREATE TABLE
dy_demo=# \dt
                   List of relations
  Schema  |    Name    | Type  |    Owner     | Storage 
----------+------------+-------+--------------+---------
 super_dy | dy_test    | table | gp_dy        | heap
 super_dy | super_test | table | gpadmincloud | heap
(2 rows)

You can see that the owner of the newly created table super_test is the administrator role.

Now switch to the ordinary user and try to insert a row into the table:

[[email protected] ~]$ PGPASSWORD=gp_dy psql -d postgres -h 10.0.25.4 -U gp_dy
psql (9.4.24)
Type "help" for help.

postgres=> \c dy_demo
You are now connected to database "dy_demo" as user "gp_dy".
dy_demo=> SET search_path TO super_dy;
SET
dy_demo=> INSERT INTO super_test VALUES (1, 'dy');
ERROR:  permission denied for relation super_test

The statement fails: by default you cannot operate on someone else's tables.

Switch to the administrator and grant the relevant privileges on this table to the ordinary user gp_dy:

[[email protected] ~]$ psql -d postgres
psql (9.4.24)
Type "help" for help.

postgres=# \c dy_demo
You are now connected to database "dy_demo" as user "gpadmincloud".
dy_demo=# SET search_path TO super_dy;
SET
dy_demo=# GRANT SELECT,UPDATE,DELETE,INSERT ON super_test TO gp_dy;
GRANT

Switch to the gp_dy user and try operating on the table again:

[[email protected] ~]$ PGPASSWORD=gp_dy psql -d postgres -h 10.0.25.4 -U gp_dy
psql (9.4.24)
Type "help" for help.

postgres=> \c dy_demo
You are now connected to database "dy_demo" as user "gp_dy".
dy_demo=> SET search_path TO super_dy;
SET
dy_demo=> INSERT INTO super_test VALUES (1, 'dy');
INSERT 0 1
dy_demo=> SELECT * FROM super_test;
 id | name 
----+------
  1 | dy
(1 row)

dy_demo=> UPDATE super_test SET name='Daemonyue' WHERE name='dy';
UPDATE 1
dy_demo=> SELECT * FROM super_test;
 id |   name    
----+-----------
  1 | Daemonyue
(1 row)

dy_demo=> DELETE FROM super_test WHERE id=1;
DELETE 1
dy_demo=> SELECT * FROM super_test;
 id | name 
----+------
(0 rows)

Insert, delete, update and query all work without problems.

5. Column privileges

Using the administrator user, restrict the ordinary user gp_dy to column-level privileges on the table super_test, so that it can access only the name column:

[[email protected] ~]$ psql -d postgres
psql (9.4.24)
Type "help" for help.

postgres=# \c dy_demo
You are now connected to database "dy_demo" as user "gpadmincloud".
dy_demo=# SET search_path TO super_dy;
SET
dy_demo=# INSERT INTO super_test VALUES (2, 'dy');
INSERT 0 1
dy_demo=# SELECT * FROM super_test;
 id |   name    
----+-----------
  1 | Daemonyue
  2 | dy
(2 rows)

dy_demo=# REVOKE SELECT ON super_test FROM gp_dy;
REVOKE
dy_demo=# GRANT SELECT(name) ON super_test to gp_dy;
GRANT

Switch to the gp_dy user and try querying the table:

[[email protected] ~]$ PGPASSWORD=gp_dy psql -d postgres -h 10.0.25.4 -U gp_dy
psql (9.4.24)
Type "help" for help.

postgres=> \c dy_demo
You are now connected to database "dy_demo" as user "gp_dy".
dy_demo=> SET search_path TO super_dy;
SET
dy_demo=> SELECT * FROM super_test;
ERROR:  permission denied for relation super_test
dy_demo=> SELECT name FROM super_test;
   name    
-----------
 Daemonyue
 dy
(2 rows)

You can see that the first SELECT * fails, because * expands to all columns and the user gp_dy has access only to the name column.
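Sections 2 to 5 build the privilege chain one session switch at a time: database, then schema, then table, then column. The script below is an added example (not from the original post) that runs the same chain in one psql session as the administrator and verifies each step with the has_*_privilege functions instead of reconnecting as the restricted user. It goes one step beyond the post in two places: it revokes the default CONNECT that every new database grants to PUBLIC, and it withholds CREATE on the schema so the user can only use objects it is explicitly given. The names app_db, app_schema, orders and app_user are constructed, as is the password placeholder; run it with psql -f as a role that can create databases and roles.

```sql
-- Added example, not from the original post. app_db, app_schema, orders,
-- app_user and the password are constructed placeholders. Run with psql -f
-- as an administrator (a role with CREATEDB and CREATEROLE, like cdwadmin).

-- 0. A plain login role and a fresh database.
CREATE ROLE app_user LOGIN PASSWORD 'change-me-before-use';  -- placeholder
CREATE DATABASE app_db;

\c app_db

-- 1. Database level. A new database grants CONNECT to PUBLIC, which is why
--    gp_dy could reach dy_demo without any grant in section 2. Revoke that
--    and grant CONNECT by name. CREATE is deliberately not granted, so the
--    user cannot create its own schemas.
REVOKE CONNECT ON DATABASE app_db FROM PUBLIC;
GRANT  CONNECT ON DATABASE app_db TO app_user;

-- 2. Schema level. USAGE lets the role see and reach objects; CREATE is
--    withheld so the role cannot add tables to the schema.
CREATE SCHEMA app_schema;
GRANT USAGE ON SCHEMA app_schema TO app_user;

-- 3. Table level. Grant only the DML the application actually issues.
CREATE TABLE app_schema.orders (id int, customer text, amount numeric)
    DISTRIBUTED BY (id);
GRANT SELECT, INSERT ON app_schema.orders TO app_user;

-- 4. Column level, as in section 5: replace the whole-table SELECT with a
--    column list. SELECT * will now fail for app_user; SELECT id, amount works.
REVOKE SELECT ON app_schema.orders FROM app_user;
GRANT SELECT (id, amount) ON app_schema.orders TO app_user;

-- 5. Verify without switching sessions. These functions evaluate the stored
--    ACLs the same way the executor does when app_user runs a statement.
--    Expected: can_connect t, can_create_schema f, schema_usage t,
--    schema_create f, table_select f (only column grants remain),
--    table_insert t, col_amount t, col_customer f.
SELECT has_database_privilege('app_user', 'app_db', 'CONNECT')           AS can_connect,
       has_database_privilege('app_user', 'app_db', 'CREATE')            AS can_create_schema,
       has_schema_privilege('app_user', 'app_schema', 'USAGE')           AS schema_usage,
       has_schema_privilege('app_user', 'app_schema', 'CREATE')          AS schema_create,
       has_table_privilege('app_user', 'app_schema.orders', 'SELECT')    AS table_select,
       has_table_privilege('app_user', 'app_schema.orders', 'INSERT')    AS table_insert,
       has_column_privilege('app_user', 'app_schema.orders', 'amount',   'SELECT') AS col_amount,
       has_column_privilege('app_user', 'app_schema.orders', 'customer', 'SELECT') AS col_customer;
```

The table_select result is the point worth remembering from section 5: once SELECT is granted per column, has_table_privilege reports false for the table as a whole, which is exactly why SELECT * is rejected while SELECT name (or here SELECT id, amount) succeeds.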

III. Privilege parameters (GRANT syntax)

GRANT { { SELECT | INSERT | UPDATE | DELETE | TRUNCATE | REFERENCES | TRIGGER }
 [, ...] | ALL [ PRIVILEGES ] }
 ON { [ TABLE ] table_name [, ...]
 | ALL TABLES IN SCHEMA schema_name [, ...] }
 TO role_specification [, ...] [ WITH GRANT OPTION ]

GRANT { { SELECT | INSERT | UPDATE | REFERENCES } ( column_name [, ...] )
 [, ...] | ALL [ PRIVILEGES ] ( column_name [, ...] ) }
 ON [ TABLE ] table_name [, ...]
 TO role_specification [, ...] [ WITH GRANT OPTION ]

GRANT { { USAGE | SELECT | UPDATE }
 [, ...] | ALL [ PRIVILEGES ] }
 ON { SEQUENCE sequence_name [, ...]
 | ALL SEQUENCES IN SCHEMA schema_name [, ...] }
 TO role_specification [, ...] [ WITH GRANT OPTION ]

GRANT { { CREATE | CONNECT | TEMPORARY | TEMP } [, ...] | ALL [ PRIVILEGES ] }
 ON DATABASE database_name [, ...]
 TO role_specification [, ...] [ WITH GRANT OPTION ]

GRANT { USAGE | ALL [ PRIVILEGES ] }
 ON DOMAIN domain_name [, ...]
 TO role_specification [, ...] [ WITH GRANT OPTION ]

GRANT { USAGE | ALL [ PRIVILEGES ] }
 ON FOREIGN DATA WRAPPER fdw_name [, ...]
 TO role_specification [, ...] [ WITH GRANT OPTION ]

GRANT { USAGE | ALL [ PRIVILEGES ] }
 ON FOREIGN SERVER server_name [, ...]
 TO role_specification [, ...] [ WITH GRANT OPTION ]

GRANT { EXECUTE | ALL [ PRIVILEGES ] }
 ON { FUNCTION function_name ( [ [ argmode ] [ arg_name ] arg_type [, ...] ] ) [, ...]
 | ALL FUNCTIONS IN SCHEMA schema_name [, ...] }
 TO role_specification [, ...] [ WITH GRANT OPTION ]

GRANT { USAGE | ALL [ PRIVILEGES ] }
 ON LANGUAGE lang_name [, ...]
 TO role_specification [, ...] [ WITH GRANT OPTION ]

GRANT { { SELECT | UPDATE } [, ...] | ALL [ PRIVILEGES ] }
 ON LARGE OBJECT loid [, ...]
 TO role_specification [, ...] [ WITH GRANT OPTION ]

GRANT { { CREATE | USAGE } [, ...] | ALL [ PRIVILEGES ] }
 ON SCHEMA schema_name [, ...]
 TO role_specification [, ...] [ WITH GRANT OPTION ]

GRANT { CREATE | ALL [ PRIVILEGES ] }
 ON TABLESPACE tablespace_name [, ...]
 TO role_specification [, ...] [ WITH GRANT OPTION ]

GRANT { USAGE | ALL [ PRIVILEGES ] }
 ON TYPE type_name [, ...]
 TO role_specification [, ...] [ WITH GRANT OPTION ]
where role_specification can be:
 [ GROUP ] role_name
 | PUBLIC
 | CURRENT_USER
 | SESSION_USER

GRANT role_name [, ...] TO role_name [, ...] [ WITH ADMIN OPTION ]
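The GRANT forms above, and especially WITH GRANT OPTION and grants to PUBLIC, are easy to accumulate and hard to see in \du+. The queries below are an added example (not from the original post) of how an administrator can review what the post's sections have granted: which roles hold the powerful attributes from section I.2, which login roles have no password expiry, and the table-, column- and PUBLIC-level grants. They use only the standard catalog and information_schema views and assume no object names beyond the gp_toolkit schema visible in the post's \dn output.

```sql
-- Added example, not from the original post: review queries for the
-- privileges discussed above. Only catalog and information_schema views are
-- used; run as an administrator so that all grants are visible.

-- (a) Roles holding the attributes that matter most (section I.2).
SELECT rolname, rolsuper, rolcreaterole, rolcreatedb, rolcanlogin, rolvaliduntil
FROM pg_roles
WHERE rolsuper OR rolcreaterole OR rolcreatedb
ORDER BY rolname;

-- (b) Login roles whose password never expires (VALID UNTIL omitted).
SELECT rolname
FROM pg_roles
WHERE rolcanlogin AND rolvaliduntil IS NULL AND NOT rolsuper
ORDER BY rolname;

-- (c) Table privileges, one row per (grantee, table, privilege), with
--     is_grantable = YES marking grants made WITH GRANT OPTION, which let
--     the grantee pass the privilege on to others.
SELECT grantee, table_schema, table_name, privilege_type, is_grantable
FROM information_schema.role_table_grants
WHERE table_schema NOT IN ('pg_catalog', 'information_schema', 'gp_toolkit')
ORDER BY grantee, table_schema, table_name, privilege_type;

-- (d) Column-level grants such as the GRANT SELECT(name) in section 5;
--     role_table_grants does not list these.
SELECT grantee, table_schema, table_name, column_name, privilege_type
FROM information_schema.column_privileges
WHERE grantee NOT IN (SELECT rolname FROM pg_roles WHERE rolsuper)
  AND table_schema NOT IN ('pg_catalog', 'information_schema', 'gp_toolkit')
ORDER BY grantee, table_schema, table_name, column_name;

-- (e) Anything granted to PUBLIC is held by every role, present and future,
--     so each row here deserves a reason.
SELECT table_schema, table_name, privilege_type, is_grantable
FROM information_schema.table_privileges
WHERE grantee = 'PUBLIC'
  AND table_schema NOT IN ('pg_catalog', 'information_schema', 'gp_toolkit')
ORDER BY table_schema, table_name, privilege_type;
```

Query (c) only reports tables whose grantor or grantee is a role the current session holds, which is why it is meant to be run by an administrator; an ordinary user sees only its own grants.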

Copyright notice
This article was written by [act carefully]; please include the original link when reposting, thank you.
https://yzsam.com/2021/04/20210429020234618t.html