角色权限及客户端认证管理
GP数据库逻辑结构
在GP中,Database(数据库)、Schema(模式)以及Role(角色)三者之间的关系如下所示:
- 一个数据库下可以有多个模式,一个模式只属于一个数据库。模式在GP中也被称为Namespace,不同数据库之间的模式没有关系,可以重名;
- 语言在使用之前必须创建,一个语言只属于一个数据库;
- 表、视图、索引、序列、函数必须属于一个模式;
- 一个文件空间可以有多个表空间,一个表空间只属于一个文件空间,文件空间和角色之间没有关系;
- 表空间和表时一对多的关系,一个模式下的表可以分布在多个表空间下;
- 除了文件空间之外,其他的权限管理都是通过角色来实现,在这些层次结构中,用户必须对上一层有访问权限才能够访问该层的内容;
什么是角色(role)
- Role的组成:由用户(User)和组(Group)组成;
- 跟OS的role没有关系;
- User通过Master节点登录和认证的;
- Role是定义在GPDB系统级别的;
- 初始化SUPERUSERROLE:gpadmin。
角色与权限安全的最佳实践
- 保护系统gpadmin的用户;
- 为每个登录的User分配不同的角色;
- 使用组来管理权限从而实现管理组;
- 控制具备SUPERUSER属性的User数量。
创建Role
创建用户User Role
使用CREATE ROLE创建一个User Role,语法如下所示:
template1-# ]\h create role
Command: CREATE ROLE
Description: define a new database role
Syntax:
CREATE ROLE name [[WITH] option [ ... ]]
where option can be:
SUPERUSER | NOSUPERUSER
| CREATEDB | NOCREATEDB
| CREATEROLE | NOCREATEROLE
| CREATEEXTTABLE | NOCREATEEXTTABLE
[ ( attribute='value'[, ...] ) ]
where attributes and values are:
type='readable'|'writable'
protocol='gpfdist'|'http'|'gphdfs'
| INHERIT | NOINHERIT
| LOGIN | NOLOGIN
| CONNECTION LIMIT connlimit
| [ ENCRYPTED | UNENCRYPTED ] PASSWORD 'password'
| VALID UNTIL 'timestamp'
| IN ROLE rolename [, ...]
| ROLE rolename [, ...]
| ADMIN rolename [, ...]
| RESOURCE QUEUE queue_name
例如: # CREATE ROLE mavshuangWITH LOGIN;
template1=# CREATE ROLE mavshuang WITH LOGIN; NOTICE: resource queue required -- using default resource queue "pg_default" CREATE ROLE
ALTER ROLE属性
使用ALTER ROLE修改角色的属性,语法如下所示:
template1-# \h alter role
Command: ALTER ROLE
Description: change a database role
Syntax:
ALTER ROLE name RENAME TO newname
ALTER ROLE name SET config_parameter {TO | =} {value | DEFAULT}
ALTER ROLE name RESET config_parameter
ALTER ROLE name RESOURCE QUEUE {queue_name | NONE}
ALTER ROLE name [ [WITH] option [ ... ] ]
where option can be:
SUPERUSER | NOSUPERUSER
| CREATEDB | NOCREATEDB
| CREATEROLE | NOCREATEROLE
| CREATEEXTTABLE | NOCREATEEXTTABLE
[ ( attribute='value'[, ...] ) ]
where attributes and values are:
type='readable'|'writable'
protocol='gpfdist'|'http'|'gphdfs'
| INHERIT | NOINHERIT
| LOGIN | NOLOGIN
| CONNECTION LIMIT connlimit
| [ENCRYPTED | UNENCRYPTED] PASSWORD 'password'
| VALID UNTIL 'timestamp'
创建组Group Role
使用CREATE ROLE创建一个GroupRole:
=#CREATE ROLE admin CREATEROLE CREATEDB;
template1=# \du
List of roles
Role name | Attributes | Member of
-----------+--------------------------------------+-----------
admin | Create role, Create DB, Cannot login |
gpadmin | Superuser, Create role, Create DB |
mavshuang | |
添加或删除Member(UserRole)
使用GRANT关键字授权,使用REVOKE关键字取消授权;
template1=# \h GRANT
Command: GRANT
Description: define access privileges
Syntax:
GRANT { { SELECT | INSERT | UPDATE | DELETE | REFERENCES | TRIGGER }
[,...] | ALL [ PRIVILEGES ] }
ON [ TABLE ] tablename [, ...]
TO { username | GROUP groupname | PUBLIC } [, ...] [ WITH GRANT OPTION ]
GRANT { { USAGE | SELECT | UPDATE }
[,...] | ALL [ PRIVILEGES ] }
ON SEQUENCE sequencename [, ...]
TO { username | GROUP groupname | PUBLIC } [, ...] [ WITH GRANT OPTION ]
GRANT { { CREATE | CONNECT | TEMPORARY | TEMP } [,...] | ALL [ PRIVILEGES ] }
ON DATABASE dbname [, ...]
TO { username | GROUP groupname | PUBLIC } [, ...] [ WITH GRANT OPTION ]
GRANT { EXECUTE | ALL [ PRIVILEGES ] }
ON FUNCTION funcname ( [ [ argmode ] [ argname ] argtype [, ...] ] ) [, ...]
TO { username | GROUP groupname | PUBLIC } [, ...] [ WITH GRANT OPTION ]
GRANT { USAGE | ALL [ PRIVILEGES ] }
ON LANGUAGE langname [, ...]
TO { username | GROUP groupname | PUBLIC } [, ...] [ WITH GRANT OPTION ]
GRANT { { CREATE | USAGE } [,...] | ALL [ PRIVILEGES ] }
ON SCHEMA schemaname [, ...]
TO { username | GROUP groupname | PUBLIC } [, ...] [ WITH GRANT OPTION ]
GRANT { CREATE | ALL [ PRIVILEGES ] }
ON TABLESPACE tablespacename [, ...]
TO { username | GROUP groupname | PUBLIC } [, ...] [ WITH GRANT OPTION ]
GRANT role [, ...] TO username [, ...] [ WITH ADMIN OPTION ]
GRANT { SELECT | INSERT | ALL [PRIVILEGES] }
..ON PROTOCOL protocolname
..TO username
template1=# \h REVOKE
Command: REVOKE
Description: remove access privileges
Syntax:
REVOKE [ GRANT OPTION FOR ]
{ { SELECT | INSERT | UPDATE | DELETE | REFERENCES | TRIGGER }
[,...] | ALL [ PRIVILEGES ] }
ON [ TABLE ] tablename [, ...]
FROM { username | GROUP groupname | PUBLIC } [, ...]
[ CASCADE | RESTRICT ]
REVOKE [ GRANT OPTION FOR ]
{ { USAGE | SELECT | UPDATE }
[,...] | ALL [ PRIVILEGES ] }
ON SEQUENCE sequencename [, ...]
FROM { username | GROUP groupname | PUBLIC } [, ...]
[ CASCADE | RESTRICT ]
REVOKE [ GRANT OPTION FOR ]
{ { CREATE | CONNECT | TEMPORARY | TEMP } [,...] | ALL [ PRIVILEGES ] }
ON DATABASE dbname [, ...]
FROM { username | GROUP groupname | PUBLIC } [, ...]
[ CASCADE | RESTRICT ]
REVOKE [ GRANT OPTION FOR ]
{ EXECUTE | ALL [ PRIVILEGES ] }
ON FUNCTION funcname ( [ [ argmode ] [ argname ] argtype [, ...] ] ) [, ...]
FROM { username | GROUP groupname | PUBLIC } [, ...]
[ CASCADE | RESTRICT ]
REVOKE [ GRANT OPTION FOR ]
{ USAGE | ALL [ PRIVILEGES ] }
ON LANGUAGE langname [, ...]
FROM { username | GROUP groupname | PUBLIC } [, ...]
[ CASCADE | RESTRICT ]
REVOKE [ GRANT OPTION FOR ]
{ { CREATE | USAGE } [,...] | ALL [ PRIVILEGES ] }
ON SCHEMA schemaname [, ...]
FROM { username | GROUP groupname | PUBLIC } [, ...]
[ CASCADE | RESTRICT ]
REVOKE [ GRANT OPTION FOR ]
{ CREATE | ALL [ PRIVILEGES ] }
ON TABLESPACE tablespacename [, ...]
FROM { username | GROUP groupname | PUBLIC } [, ...]
[ CASCADE | RESTRICT ]
REVOKE [ ADMIN OPTION FOR ]
role [, ...] FROM username [, ...]
[ CASCADE | RESTRICT ]
template1=# GRANT admin TO mavshuang;
GRANT ROLE
template1=# \du
List of roles
Role name | Attributes | Member of
-----------+--------------------------------------+-----------
admin | Create role, Create DB, Cannot login |
gpadmin | Superuser, Create role, Create DB |
mavshuang | | {admin}
template1=# REVOKE admin FROM mavshuang;
REVOKE ROLE
template1=# \du
List of roles
Role name | Attributes | Member of
-----------+--------------------------------------+-----------
admin | Create role, Create DB, Cannot login |
gpadmin | Superuser, Create role, Create DB |
mavshuang | |
赋予合适的权限给GROUP ROLE
=#GRANT ALL ON TABLE mytable TO admin;
=# GRANT ALL ON SCHEMA myschema TO admin;
=# GRANT ALL ONDATABASE mydb TO admin;
获取管理属性
testdw=# \h SET ROLE Command: SET ROLE Description: set the current user identifier of the current session Syntax: SET [ SESSION | LOCAL ] ROLE rolename SET [ SESSION | LOCAL ] ROLE NONE RESET ROLE
管理对象权限
|
对象类型 |
权限 |
|
Tables, Views, Sequences |
SELECT |
|
INSERT |
|
|
UPDATE |
|
|
DELETE |
|
|
RULE |
|
|
ALL |
|
|
External Tables |
SELECT |
|
RULE |
|
|
ALL |
|
|
Databases |
CONNECT |
|
CREATE |
|
|
TEMPORARY | TEMP |
ALL |
|
Functions |
EXECUTE |
|
Procedural Languages |
USAGE |
|
Schemas |
CREATE |
|
USAGE |
|
|
ALL |
每个对象的权限必须被独立的授权
使用GRANT SQL命令给指定的Role授权一个对象
=# GRANT INSERT ON mytable TO mavshuang
使用DROP OWNED和REASSIGN OWNED命令来取消Role的Owner权限
=# REASSIGNOWNED BY mavshuang TO tom;
=# DROP OWNED BYmavshuang;
testdw=# \d 通过\d命令行查看表相关信息包括模式,名称、类型、所有者以及存储方式
List of relations
Schema | Name | Type | Owner | Storage
--------+-------------+-------+---------+---------
public | tb1_test_01 | table | gpadmin | heap
(1 row)
模拟Row或者Column级别的权限控制:本身不支持Row和Column级别的访问控制,可以通过View方式模拟。
密码加密
GPDB4.2.1版本之前,密码默认使用MD5加密,MD5加密目前可以被破解但消耗成本太高。从4.2.1版本开始,开始使用SHA-256加密,美国国家安全局使用此方法加密。
基于时间的登录认证
访问限制可以控制到具体时间点。时间约束仅仅对于设置的Role有效。比如晚上8点到凌晨6点用于跑批处理程序;早8点到下午6点用于开发用户使用等;
需要的权限:只有SUPERUSER(比如gpadmin)或者具备CREATEROLE权限是必须的。
如何添加时间约束:在CREATE ROLE或者ALTER ROLE的时候使用DENY关键字来实现:
1、某天或者某个时间访问限制;
2、一个有开始时间和结束时间的访问控制
指明日期和时间:
|
英文表述 |
数字表述 |
|
DAY 'Sunday' |
DAY 0 |
|
DAY 'Monday' |
DAY 1 |
|
DAY 'Tuesday' |
DAY 2 |
|
DAY 'Wednesday' |
DAY 3 |
|
DAY 'Thursday' |
DAY 4 |
|
DAY 'Friday' |
DAY 5 |
|
DAY 'Saturday' |
DAY 6 |
TIME ‘14:00’ (24小时格式的时间)
TIME '02:00 PM' (12小时格式的时间)
TIME ‘02:00’ (24小时格式的时间) 等价于 TIME '02:00 AM'.
如何添加时间约束
指定时间间隔
通过BETWEEN和AND关键字连接两个日期/时间。
BETWEEN DAY 'Monday' AND DAY 'Tuesday'
BETWEEN DAY 'Monday' TIME '00:00' ANDDAY 'Monday' TIME '01:00'
BETWEEN DAY 'Monday' TIME '12:00 AM'AND DAY 'Tuesday' TIME '02:00 AM'
BETWEEN DAY 'Monday' TIME '00:00' ANDDAY 'Tuesday' TIME '02:00'
BETWEEN DAY 1 TIME '00:00' AND DAY 2TIME '02:00'
注意:日期间隔不能跨Saturday(周六)
Incorrect: DENY BETWEENDAY 'Saturday' AND DAY 'Sunday‘
testdw=# \! date 通过该命令查看当前日期 Mon Mar 23 21:58:25 CST 2015
删除时间约束
使用ALTER ROLE命令接DROP DENYFOR关键字
原则:有交集即移出
ALTER ROLE mavshuang DROP DENYFOR DAY ‘Monday’;
配置客户端认证
允许连接到GPDB,通过pg_hba.conf文件;该文件在Master和Segment节点上都存在;
包含每行一条记录的平面文件,格式:
Remote:host database role CIDR-address authentication-method Unix-domain:local database role authentication-method
默认Master主机pg_hba.conf文件
允许SUPERUSER的本地连接;但不允许远程连接。
来源:https://www.cnblogs.com/wq3435/p/6625422.html