1) 启动数据库服务,使用超级用户 postgres 创建应用用户 appuser,赋权createdb、login,appuser 的密码设置为 1qaz@WSX,并体现到.pgpass 文件中, 以便 appuser 免密登录,appuser 用户的密码在 2022 年 05 月 01 日之前是有效的。
2) 创建属主为appuser 的表空间并命名为appuser,指向/appuser(若没有此目录请自行创建并管理权限);
3) 创建appdb 数据库,owner 是appuser(要求appdb 数据库要在exam 表空间内),并要求实现:
a.回收 appdb 中的 public schema 上的 create object 权限。
b. 以 appuser 用户在 appdb 数据库中创建名为 appuser 的 schema
c. 以 appuser 用户在 appdb 数据库中创建 app 表(id int),app 表的 schema是 appuser
其他的非超级用户不能 connect 到 appdb 数据库中
4) 自行建立 readonlyuser 用户,要求如下:
a. readonlyuser 能连接到 appdb 中
b. 密码设置为 1qaz@WSX,并体现到.pgpass 文件中,以便 readonlyuser 免密登录
c. readonlyuser 用户有对 appuser 用户下 appuser schema 下所有表(包括将来新建立的表)的只读权限;
[pg10@data01 ~]$ psql -d postgres
psql (10.14)
Type "help" for help.
postgres=# create user appuser with createdb login valid until '2022-05-01' password '1qaz@WSX';
CREATE ROLE
postgres=# \q
[pg10@data01 ~]$ su - root
Password:
Last login: Mon Jan 4 22:02:58 CST 2021 from gateway on pts/1
[root@data01 ~]# mkdir /appuser
[root@data01 ~]# chown pg10.pg10 /appuser
[root@data01 ~]# su - pg10
Last login: Mon Jan 4 22:03:26 CST 2021 on pts/1
[pg10@data01 ~]$ vim .pgpass
[pg10@data01 ~]$ cat .pgpass br/>data01:5666:postgres:postgres:1qaz@WSX
data01:5666:postgres:appuser:1qaz@WSX
[pg10@data01 ~]$ psql -d postgres -U postgres
psql (10.14)
Type "help" for help.
postgres=# create tablespace appuser owner appuser location '/appuser';
CREATE TABLESPACE
postgres=# create database appdb with owner appuser tablespace appuser;
CREATE DATABASE
postgres=# \c appdb appuser
You are now connected to database "appdb" as user "appuser".
appdb=> exit
[pg10@data01 ~]$ psql -d postgres -U postgres
psql (10.14)
Type "help" for help.
postgres=# \c appdb postgres
You are now connected to database "appdb" as user "postgres".
appdb=# revoke create on schema public from public;
REVOKE
appdb=# \c appdb appuser
You are now connected to database "appdb" as user "appuser".
appdb=> create schema appuser;
CREATE SCHEMA
appdb=> create table appuser.app(id int);
CREATE TABLE
appdb=> revoke connect on database appdb from public;
REVOKE
appdb=>
appdb=> \c appdb postgres
You are now connected to database "appdb" as user "postgres".
appdb=# create user readonlyuser with password '1qaz@WSX';
CREATE ROLE
appdb=# grant connect on database appdb to readonlyuser;
GRANT
appdb=# \c appdb appuser
You are now connected to database "appdb" as user "appuser".
appdb=> grant usage on schema appuser to readonlyuser;
GRANT
appdb=> grant select on all tables in schema appuser to readonlyuser;
GRANT
appdb=> alter default privileges grant select on tables to readonlyuser;
ALTER DEFAULT PRIVILEGES
来源:oschina
链接:https://my.oschina.net/u/4288740/blog/4881484