登录数据库创建角色与数据库(示例):
sudo -u postgres psql
CREATE ROLE app_readonly WITH LOGIN PASSWORD ‘ro_strong_pwd’;
CREATE ROLE app_rw WITH LOGIN PASSWORD ‘rw_strong_pwd’;
CREATE DATABASE appdb OWNER app_rw;
GRANT CONNECT ON DATABASE appdb TO app_readonly, app_rw;
\c appdb
– 只读:对 public 模式常用对象的只读权限
GRANT USAGE ON SCHEMA public TO app_readonly;
GRANT SELECT ON ALL TABLES IN SCHEMA public TO app_readonly;
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO app_readonly;
– 读写:在只读基础上授予写入与 DDL
GRANT INSERT, UPDATE, DELETE, TRUNCATE ON ALL TABLES IN SCHEMA public TO app_rw;
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT INSERT, UPDATE, DELETE, TRUNCATE ON TABLES TO app_rw;
GRANT USAGE, CREATE ON SCHEMA public TO app_rw;
– 按需授予序列、函数、类型等权限
GRANT USAGE, SELECT ON ALL SEQUENCES IN SCHEMA public TO app_readonly, app_rw;
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT USAGE, SELECT ON SEQUENCES TO app_readonly, app_rw;
GRANT EXECUTE ON ALL FUNCTIONS IN SCHEMA public TO app_rw;
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT EXECUTE ON FUNCTIONS TO app_rw;
– 运维/管理员角色(按需)
CREATE ROLE admin WITH CREATEDB CREATEROLE LOGIN PASSWORD ‘admin_pwd’;
GRANT ALL PRIVILEGES ON DATABASE appdb TO admin;
\q
