如何找出在redshift中授予一个组的权限

时间:2014-03-20 04:04:19

标签: amazon-redshift

团队,我正在使用amazon redshift(8.0.2版本) 我创建了一个组并获得了2以下的权限,并向该组添加了一个用户。 如果我检查' pg_group',我将能够看到该组成员的用户名。 但我应该能够看到授予该组的许可是什么。

例如。

redshift=# create group group1;
CREATE GROUP

redshift=# grant select on public.table_mar19_test2 to group group1;
GRANT

redshift=# alter group group1 add user user001;
ALTER GROUP

redshift=# select * from pg_group

    groname    | grosysid |  grolist
---------------+----------+-----------
 group1        |      101 | {148}
 (1 rows)

现在,我们是否有任何SQL查询来查找给予该组的选择授权? 来自多个数据库的多个授权被一个组打磨。所以,我应该能够看到哪个授权来自集群中的哪个数据库。

请指导我。

2 个答案:

答案 0 :(得分:6)

由于授权是每个对象,因此您需要查询所有对象的权限。在这里,您可以看到列出权限的relacl和为授予这些权限而生成的grant语句:

select relacl , 
'grant ' || substring(
            case when charindex('r',split_part(split_part(array_to_string(relacl, '|'),pu.groname,2 ) ,'/',1)) > 0 then ',select ' else '' end 
          ||case when charindex('w',split_part(split_part(array_to_string(relacl, '|'),pu.groname,2 ) ,'/',1)) > 0 then ',update ' else '' end 
          ||case when charindex('a',split_part(split_part(array_to_string(relacl, '|'),pu.groname,2 ) ,'/',1)) > 0 then ',insert ' else '' end 
          ||case when charindex('d',split_part(split_part(array_to_string(relacl, '|'),pu.groname,2 ) ,'/',1)) > 0 then ',delete ' else '' end 
          ||case when charindex('R',split_part(split_part(array_to_string(relacl, '|'),pu.groname,2 ) ,'/',1)) > 0 then ',rule ' else '' end 
          ||case when charindex('x',split_part(split_part(array_to_string(relacl, '|'),pu.groname,2 ) ,'/',1)) > 0 then ',references ' else '' end 
          ||case when charindex('t',split_part(split_part(array_to_string(relacl, '|'),pu.groname,2 ) ,'/',1)) > 0 then ',trigger ' else '' end 
          ||case when charindex('X',split_part(split_part(array_to_string(relacl, '|'),pu.groname,2 ) ,'/',1)) > 0 then ',execute ' else '' end 
          ||case when charindex('U',split_part(split_part(array_to_string(relacl, '|'),pu.groname,2 ) ,'/',1)) > 0 then ',usage ' else '' end 
          ||case when charindex('C',split_part(split_part(array_to_string(relacl, '|'),pu.groname,2 ) ,'/',1)) > 0 then ',create ' else '' end 
          ||case when charindex('T',split_part(split_part(array_to_string(relacl, '|'),pu.groname,2 ) ,'/',1)) > 0 then ',temporary ' else '' end 
       , 2,10000)
|| ' on '||namespace||'.'||item ||' to "'||pu.groname||'";' as grantsql
from 
(SELECT 
 use.usename as subject, 
 nsp.nspname as namespace, 
 c.relname as item, 
 c.relkind as type, 
 use2.usename as owner, 
 c.relacl 
FROM 
pg_user use 
 cross join pg_class c 
 left join pg_namespace nsp on (c.relnamespace = nsp.oid) 
 left join pg_user use2 on (c.relowner = use2.usesysid)
WHERE 
 c.relowner = use.usesysid  
 and  nsp.nspname   NOT IN ('pg_catalog', 'pg_toast', 'information_schema')
ORDER BY 
 subject,   namespace,   item 
) join pg_group pu on array_to_string(relacl, '|') like '%'||pu.groname||'%' 
where relacl is not null
  and pu.groname='group1'
order by 2

答案 1 :(得分:5)

以下视图创建了所有用户和组权限的简化视图

CREATE OR REPLACE VIEW dict.dba_tab_privs 
AS 
 SELECT derived_table1.schemaname, 
        derived_table1.objectname, 
        derived_table1.usename username,  
        'USER' usertype,
        derived_table1.select_flag, 
        derived_table1.insert_flag, 
        derived_table1.update_flag, 
        derived_table1.delete_flag, 
        derived_table1.reference_flag
   FROM ( SELECT objs.schemaname, objs.objectname, usrs.usename, 
                CASE
                    WHEN has_table_privilege(usrs.usename, objs.fullobj::text, 'select'::text) THEN 1
                    ELSE 0
                END AS select_flag, 
                CASE
                    WHEN has_table_privilege(usrs.usename, objs.fullobj::text, 'insert'::text) THEN 1
                    ELSE 0
                END AS insert_flag, 
                CASE
                    WHEN has_table_privilege(usrs.usename, objs.fullobj::text, 'update'::text) THEN 1
                    ELSE 0
                END AS update_flag, 
                CASE
                    WHEN has_table_privilege(usrs.usename, objs.fullobj::text, 'delete'::text) THEN 1
                    ELSE 0
                END AS delete_flag, 
                CASE
                    WHEN has_table_privilege(usrs.usename, objs.fullobj::text, 'references'::text) THEN 1
                    ELSE 0
                END AS reference_flag
           FROM ( SELECT pg_tables.schemaname, 't'::character varying AS obj_type, pg_tables.tablename AS objectname, (pg_tables.schemaname::text + '.'::text + pg_tables.tablename::text)::character varying AS fullobj
                   FROM pg_tables
                  UNION 
                 SELECT pg_views.schemaname, 'v'::character varying AS obj_type, pg_views.viewname AS objectname, (pg_views.schemaname::text + '.'::text + pg_views.viewname::text)::character varying AS fullobj
                   FROM pg_views) objs, 
                   ( 
                      SELECT pg_user.usename 
                      FROM pg_user
                      ) usrs
          ORDER BY objs.fullobj) derived_table1
  WHERE (derived_table1.select_flag + derived_table1.insert_flag + derived_table1.update_flag + derived_table1.delete_flag + derived_table1.reference_flag) > 0
  and schemaname not in ('information_schema','pg_catalog')
union all
select schemname ,
       objectname ,
       username ,
       usertype ,
       CASE WHEN CHARINDEX('r', char_perms ) > 0 THEN 1 else 0 end select_flag,
       CASE WHEN CHARINDEX('a', char_perms ) > 0 THEN 1 else 0 end insert_flag,
       CASE WHEN CHARINDEX('w', char_perms ) > 0 THEN 1 else 0 end update_flag,
       CASE WHEN CHARINDEX('d', char_perms ) > 0 THEN 1 else 0 end delete_flag,
       CASE WHEN CHARINDEX('x', char_perms ) > 0 THEN 1 else 0 end references_flag/*,
       CASE WHEN CHARINDEX('R', char_perms ) > 0 THEN 1 else 0 end rule_flag,
       CASE WHEN CHARINDEX('t', char_perms ) > 0 THEN 1 else 0 end trigger_flag,
       CASE WHEN CHARINDEX('X', char_perms ) > 0 THEN 1 else 0 end execute_flag,
       CASE WHEN CHARINDEX('U', char_perms ) > 0 THEN 1 else 0 end usage_flag,
       CASE WHEN CHARINDEX('C', char_perms ) > 0 THEN 1 else 0 end create_flag,
       CASE WHEN CHARINDEX('T', char_perms ) > 0 THEN 1 else 0 end temporary_flag*/
from
(
    select namespace schemname,
           item objectname,
           groname username,
           'GROUP' usertype,
           SPLIT_PART( SPLIT_PART( ARRAY_TO_STRING( RELACL, '|' ), pu.groname, 2 ) , '/', 1 ) char_perms
    from
    (
    SELECT      use.usename AS subject
                        ,nsp.nspname AS namespace
                        ,cls.relname AS item
                        ,cls.relkind AS type
                        ,use2.usename AS owner
                        ,cls.relacl
            FROM        pg_user     use 
            CROSS JOIN  pg_class    cls
            LEFT JOIN   pg_namespace nsp 
            ON          cls.relnamespace = nsp.oid 
            LEFT JOIN   pg_user      use2 
            ON          cls.relowner = use2.usesysid
            WHERE       cls.relowner = use.usesysid
            AND         nsp.nspname NOT IN ('pg_catalog', 'pg_toast', 'information_schema')
            ORDER BY     subject
                        ,namespace
                        ,item ) 
    JOIN    pg_group pu ON array_to_string(relacl, '|') LIKE '%'|| pu.groname ||'%' 
)