ロールとロール間の関係例
-- Roles used throughout the example. Every role can log in; no password,
-- connection limit or validity period is set, so authentication is left
-- entirely to pg_hba.conf.
CREATE ROLE dbowner WITH LOGIN CREATEDB;   -- the only role allowed to create databases
CREATE ROLE user_a   WITH LOGIN;
CREATE ROLE user_a_w WITH LOGIN;
CREATE ROLE user_a_t WITH LOGIN;
CREATE ROLE user_b   WITH LOGIN;
CREATE ROLE user_b_w WITH LOGIN;
CREATE ROLE user_c   WITH LOGIN;
CREATE ROLE monitor  WITH LOGIN;

-- Role memberships. A member gains the privileges of the role it is
-- granted (roles default to INHERIT), so these grants are the only
-- place privilege can flow between the roles above.
GRANT user_a TO user_a_w;          -- user_a_w  <- user_a
GRANT user_b TO user_b_w;          -- user_b_w  <- user_b
GRANT user_a TO user_c;            -- user_c    <- user_a
GRANT user_b TO user_c;            -- user_c    <- user_b (member of two roles)
GRANT pg_monitor TO monitor;       -- predefined monitoring role
GRANT によるロール継承の
設定を確認するには?
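-- Show role membership (GRANT <role> TO <member>) as an indented tree.
-- Output: one column, rolename, indented by one space per level; a role
-- that is a member of several roles appears once under each of them.
-- Membership is listed whether or not it was granted WITH INHERIT.
WITH RECURSIVE t AS (
    -- Anchor: only roles that are not a member of any other role are
    -- tree roots. The previous anchor (rolname IN (SELECT rolname FROM
    -- pg_roles)) was a tautology, so every role was also printed a
    -- second time at level 0.
    SELECT r.oid AS roleid,
           0 AS level,
           -- zero-padded so that the text sort of the key matches the
           -- numeric order of the oids (oid 9999 vs 10000)
           lpad(r.oid::text, 10, '0') AS sortkey
    FROM pg_roles r
    WHERE NOT EXISTS (
        SELECT 1
        FROM pg_auth_members m
        WHERE m.member = r.oid
    )
    UNION ALL
    -- Recursive step: every member of a role already in t is one level
    -- deeper; the sort key is the path of oids from the root.
    SELECT pam.member AS roleid,
           t.level + 1 AS level,
           t.sortkey || '.' || lpad(pam.member::text, 10, '0') AS sortkey
    FROM pg_auth_members pam
    INNER JOIN t ON pam.roleid = t.roleid
)
SELECT repeat(' ', t.level) || pr.rolname AS rolename
FROM t
INNER JOIN pg_roles pr ON t.roleid = pr.oid
ORDER BY t.sortkey;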
$ psql -U postgres postgres -f roles.sql
rolename
---------------------------
postgres
monitor_user
dbowner
user_a
user_a_w
user_c
user_a_w
user_b
user_b_w
user_c
ロールと DB オブジェクト
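-- Roles. Every role can log in; no password is set, so authentication is
-- delegated entirely to pg_hba.conf.
CREATE ROLE dbowner CREATEDB LOGIN;
CREATE ROLE user_a LOGIN;
CREATE ROLE user_a_w LOGIN;
CREATE ROLE user_a_t LOGIN;
CREATE ROLE user_b LOGIN;
CREATE ROLE user_b_w LOGIN;
CREATE ROLE user_c LOGIN;
CREATE ROLE monitor LOGIN;
-- Role memberships: a member gains the privileges of the granted role
-- (roles default to INHERIT).
GRANT user_a TO user_a_w;
GRANT user_b TO user_b_w;
GRANT user_a TO user_c;
GRANT user_b TO user_c;
GRANT pg_monitor TO monitor;       -- predefined monitoring role
-- Tables. They are owned by the role running this script; the owner keeps
-- every privilege and nobody else has any until the grants below.
CREATE TABLE table_a (id int, data text);
CREATE TABLE table_b (id int, data text);
-- Table privileges, one concern per role:
--   user_a   read-only on table_a
--   user_a_w writes on table_a; reads it through its membership in user_a
--   user_a_t TRUNCATE only on table_a, kept apart from the CRUD roles
--            because TRUNCATE is not subject to row-level security or
--            DELETE triggers
--   user_b   read-only on table_b
GRANT SELECT ON table_a TO user_a;
GRANT INSERT, UPDATE, DELETE ON table_a TO user_a_w;
-- user_a_t never received SELECT, so this REVOKE changes nothing
-- (PostgreSQL reports it as a warning, not an error); it only documents
-- that the truncate role is not meant to read the table.
REVOKE SELECT ON table_a FROM user_a_t;
GRANT TRUNCATE ON table_a TO user_a_t;
GRANT SELECT ON table_b TO user_b;
-- NOTE(review): the original script repeated the table_a grant for
-- user_a_w here (a no-op duplicate, removed). As a result user_b_w has
-- no write privilege on table_b and can only read it through user_b —
-- confirm whether a matching grant on table_b to user_b_w was intended.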
ロールと DB オブジェクト
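-- Roles. Every role can log in; no password is set, so authentication is
-- delegated entirely to pg_hba.conf.
CREATE ROLE dbowner CREATEDB LOGIN;
CREATE ROLE user_a LOGIN;
CREATE ROLE user_a_w LOGIN;
CREATE ROLE user_a_t LOGIN;
CREATE ROLE user_b LOGIN;
CREATE ROLE user_b_w LOGIN;
CREATE ROLE user_c LOGIN;
CREATE ROLE monitor LOGIN;
-- Role memberships: a member gains the privileges of the granted role
-- (roles default to INHERIT).
GRANT user_a TO user_a_w;
GRANT user_b TO user_b_w;
GRANT user_a TO user_c;
GRANT user_b TO user_c;
GRANT pg_monitor TO monitor;       -- predefined monitoring role
-- Tables. They are owned by the role running this script; the owner keeps
-- every privilege and nobody else has any until the grants below.
CREATE TABLE table_a (id int, data text);
CREATE TABLE table_b (id int, data text);
-- Table privileges, one concern per role:
--   user_a   read-only on table_a
--   user_a_w writes on table_a; reads it through its membership in user_a
--   user_a_t TRUNCATE only on table_a, kept apart from the CRUD roles
--            because TRUNCATE is not subject to row-level security or
--            DELETE triggers
--   user_b   read-only on table_b
GRANT SELECT ON table_a TO user_a;
GRANT INSERT, UPDATE, DELETE ON table_a TO user_a_w;
-- user_a_t never received SELECT, so this REVOKE changes nothing
-- (PostgreSQL reports it as a warning, not an error); it only documents
-- that the truncate role is not meant to read the table.
REVOKE SELECT ON table_a FROM user_a_t;
GRANT TRUNCATE ON table_a TO user_a_t;
GRANT SELECT ON table_b TO user_b;
-- NOTE(review): the original script repeated the table_a grant for
-- user_a_w here (a no-op duplicate, removed). As a result user_b_w has
-- no write privilege on table_b and can only read it through user_b —
-- confirm whether a matching grant on table_b to user_b_w was intended.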
アクセス権限照会関数の例
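\o /dev/null
-- Effective privilege matrix: one row per (login role, user table).
-- crud letters: C=INSERT R=SELECT U=UPDATE D=DELETE T=TRUNCATE, blank = not held.
-- has_table_privilege() reports *effective* privileges, i.e. it includes
-- privileges that come through role membership, ownership and superuser
-- status — which is why a role with no direct GRANT can still show letters.
-- Only login roles are listed: a privilege granted to a NOLOGIN group role
-- is visible here only through that group's login members.
SELECT rolname, relname, crud
FROM (
    SELECT r.oid,
           r.rolname,
           c.relname,
              (CASE WHEN has_table_privilege(r.oid, c.oid, 'INSERT')   THEN 'C' ELSE ' ' END)
           || (CASE WHEN has_table_privilege(r.oid, c.oid, 'SELECT')   THEN 'R' ELSE ' ' END)
           || (CASE WHEN has_table_privilege(r.oid, c.oid, 'UPDATE')   THEN 'U' ELSE ' ' END)
           || (CASE WHEN has_table_privilege(r.oid, c.oid, 'DELETE')   THEN 'D' ELSE ' ' END)
           || (CASE WHEN has_table_privilege(r.oid, c.oid, 'TRUNCATE') THEN 'T' ELSE ' ' END)
           AS crud
    FROM pg_roles r
    CROSS JOIN pg_class c               -- deliberately every role against every table
    WHERE c.relkind IN ('r', 'p')       -- ordinary and partitioned tables
      AND r.rolcanlogin
      -- Blocklist of system schemas; everything else (including pg_temp_*)
      -- is audited, so a table in an unexpected schema is not missed.
      AND c.relnamespace IN (
            SELECT n.oid
            FROM pg_namespace n
            WHERE n.nspname NOT IN ('pg_catalog', 'information_schema', 'pg_toast')
      )
) t
ORDER BY rolname, relname;
\o
-- Re-display the last result as a role x table grid with crud in the cells.
\crosstabview rolname relname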
$ psql priv -U postgres -f priv.sql
rolname | table_a | table_b
----------+---------+---------
monitor | |
postgres | CRUDT | CRUDT
user_a | R |
user_a_t | T |
user_a_w | CRUD |
user_b | | R
user_b_w | | R
user_c | R | R
(9 rows)