Drop a role with privileges

我是研究僧i 提交于 2019-12-14 03:59:39

问题


This looks like a very basic need, but I do not find any quick and suitable answer. I have a role in Postgres which has privileges to many other tables in various databases.

I need to drop this role. I have one postgres instance and then many databases on top of it.

SELECT DISTINCT 'REVOKE ALL ON TABLE ' || table_schema || '.' || table_name || ' FROM ' || r.param_role_name || ';'  
FROM information_schema.table_privileges CROSS JOIN (SELECT 'some_role_name'::text AS param_role_name) r
WHERE grantee ~* r.param_role_name;

I can do like above, by going to each and every database and find all revoke statements and then drop the role. Is there any way I can find all revoke statements at one place for all the databases.

Or something like I can alter owned by this role, can I alter all privileges with one statement?

Edit1: As most of the replies are targeted to reassign owned by and drop owned by, I want to be more specific. I can execute below commands on each database and drop the roles once all the dependencies are removed.

REASSIGN OWNED BY some_role_name TO postgres;
DROP OWNED BY some_role_name;

but there are many databases so I am looking for something forcefully flush all privileges and drop this role.


回答1:


I need to drop this role.

A single REASSIGN OWNED per database, followed by DROP OWNED should do it:

REASSIGN OWNED BY some_role_name TO postgres;
DROP OWNED BY some_role_name;

postgres being the default superuser, who is going to own any object the role used to own. Immediately after REASSIGN OWNED, there are no objects left that would be owned by the same user. It may seem unintuitive to run DROP OWNED. The wording of the command is misleading, since it also revokes all privileges and default privileges for the role in the same database. The manual:

DROP OWNED drops all the objects within the current database that are owned by one of the specified roles. Any privileges granted to the given roles on objects in the current database and on shared objects (databases, tablespaces) will also be revoked.

Bold emphasis mine.
You still have to execute it in every single database. The manual:

Because REASSIGN OWNED does not affect objects within other databases, it is usually necessary to execute this command in each database that contains objects owned by a role that is to be removed.

Before you can run (once!):

DROP role some_role_name;

Roles are stored in a cluster-wide system catalog, while ownership and privileges on objects are stored in database-specific system catalogs.

Detailed explanation in this related answer:

  • Find objects linked to a PostgreSQL role

And @klin mentioned a very useful manual page in his comment:

  • https://www.postgresql.org/docs/current/static/role-removal.html

Full automation

There is no single command to do it all. But you can let Postgres generate a complete psql script for you.

Dependencies for roles are stored in the system catalog pg_shdepend. A quote from there:

This information allows PostgreSQL to ensure that those objects are unreferenced before attempting to delete them.

Since we (potentially) need to connect to different databases, we need a combination of psql meta-commands (\c my_database) and SQL DDL commands as shown above. Create this function somewhere in your DB cluster once:

CREATE OR REPLACE FUNCTION f_generate_ddl_to_remove_role(dead_role_walking regrole)
  RETURNS text AS
$func$
SELECT concat_ws(
   E'\n'
 ,(SELECT string_agg(format(E'\\c %I\nREASSIGN OWNED BY %2$s TO postgres; DROP OWNED BY %2$s;'
                          , d.datname, dead_role_walking)
                   , E'\n')
   FROM  (
      SELECT DISTINCT dbid
      FROM   pg_shdepend
      WHERE  refobjid = dead_role_walking
      ) s
   JOIN   pg_database d ON d.oid = s.dbid)
 , format(E'DROP role %s;\n', dead_role_walking)
   )
$func$  LANGUAGE sql;

Call:

SELECT f_generate_ddl_to_remove_role('some_role_name');

Produces a string like:

\c my_db1
REASSIGN OWNED BY some_role_name TO postgres; DROP OWNED BY some_role_name;
\c my_db2
REASSIGN OWNED BY some_role_name TO postgres; DROP OWNED BY some_role_name;
DROP role some_role_name;

Or, if the role does not own anything and has no privileges, just:

DROP role some_role_name;

If you provide a non-existing role name, you get an error.

Copy the string (without enclosing single quotes) to a psql session opened with a superuser like postgres. Or concatenate a bash script with it. All done.

There are several related answers with more explanation for dynamic SQL:

  • https://stackoverflow.com/search?q=%5Bplpgsql%5D+%5Bdynamic-sql%5D+string_agg



回答2:


You cannot drop a role until there are dependent objects in any of the database.

You will have to reassign the objects owned by this user (some_role_name) to another user. Once it is done for all objects in all the databases, you can then delete the user.

REASSIGN OWNED BY some_role_name TO some_other_role_name;

If the dependent objects are not required, you can also go ahead using DROP OWNED BY, removing all the object that are owned by some_role_name.

DROP OWNED BY some_role_name;



来源:https://stackoverflow.com/questions/47997897/drop-a-role-with-privileges

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!