我在获得权限时遇到了一些问题。
我有一个角色,一般应该允许随处选择SELECT,这个角色有很多成员。不应该允许其中一个从某个表中选择。
我认为通过将角色成员资格授予一般读者角色并从受限制的表中撤销SELECT,这是可能的。
似乎父角色的权限适用,而不是特定权限。有没有办法解决这个问题,而不必维护更受限制的角色的权限,或者我是否以错误的方式在PostgreSQL中应用角色概念?
这是一个示例脚本:
-- as superuser
CREATE DATABASE permission_test;
\c permission_test
CREATE ROLE r_general_select;
CREATE ROLE r_restricted_select IN ROLE r_general_select;
-- set the default permissions
ALTER DEFAULT PRIVILEGES IN SCHEMA "public" GRANT SELECT ON TABLES TO "r_general_select";
CREATE TABLE "open"(
id SERIAL,
payload TEXT
);
insert into "open"(payload) values ('test');
-- covered by default privileges
GRANT SELECT ON "open" TO PUBLIC;
-- Tests
-- this is good
SET ROLE r_general_select;
SELECT * FROM "open";
RESET ROLE;
-- this is good
SET ROLE r_restricted_select;
SELECT * FROM "open";
RESET ROLE;
CREATE TABLE "restricted" (
id SERIAL,
payload TEXT
);
insert into "restricted"(payload) values ('test');
-- the role and it's members should be able to read
GRANT SELECT ON "restricted" TO r_general_select;
-- except for this one!
REVOKE SELECT ON "restricted" FROM r_restricted_select;
-- Tests
-- this is good
SET ROLE r_general_select;
SELECT * FROM restricted;
RESET ROLE;
-- this should barf with a permission violation
SET ROLE r_restricted_select;
SELECT * FROM restricted;
RESET ROLE;
--- CLEANUP
DROP OWNED BY "r_restricted_select" CASCADE;
DROP ROLE r_restricted_select ;
DROP OWNED BY "r_general_select" CASCADE;
DROP ROLE r_general_select ;
答案 0 :(得分:3)
在PostgreSQL中,角色权限纯粹是附加的。在这样的模型中,没有办法从继承角色中撤销对继承角色授予的权限。
要解决此问题,您需要更改权限方法,并将其基于始终一起发生的权限。我通常通过一起查看功能依赖性和操作依赖性来做到这一点。