我有一个数据库,里面有多个表、函数、序列和类型。
我想创建多个";管理员"-喜欢的用户:
- 他们可能都拥有管理该数据库中所有内容(现有项和新建项(的所有权限
- 他们都有相同的特权
- 它们可能会交叉管理实体(管理员
a创建的表应该可用于删除管理员b(
我试图创建这样的东西,但在类型上失败了:
"GRANT ALL PRIVILEGES ON DATABASE {dbname} TO {rw_user};"
"GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO {rw_user};"
"GRANT ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA public TO {rw_user};"
"GRANT ALL PRIVILEGES ON ALL FUNCTIONS IN SCHEMA public TO {rw_user};"
"GRANT ALL PRIVILEGES ON ALL TYPES IN SCHEMA public TO {rw_user};" --not exists
"ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL PRIVILEGES ON TABLES TO {rw_user};"
"ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL PRIVILEGES ON SEQUENCES TO {rw_user};"
"ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL PRIVILEGES ON FUNCTIONS TO {rw_user};"
"ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL PRIVILEGES ON TYPES TO {rw_user};"
我能想到的唯一方法(如果你不想要共享数据库用户(是:
CREATE ROLE admins;
CREATE ROLE a LOGIN NOINHERIT IN ROLE admins;
CREATE ROLE b LOGIN NOINHERIT IN ROLE admins;
CREATE SCHEMA shared;
GRANT CREATE; USAGE ON SCHEMA shared TO admins;
那么a和b都不能在shared中创建对象,除非它们执行以下操作:
SET ROLE admins;
CREATE TABLE shared.newtab (...);
RESET ROLE;
这样的表然后由admins拥有,并且a和b都可以是ALTER或DROP
请注意,ALTER和DROP仅限于对象的所有者,您不能GRANT这些权限。