Postgres Row Security Policies
Published: 2019-05-10

Row Security Policies

In addition to the SQL-standard privilege system available through GRANT, tables can have row security policies that restrict, on a per-user basis, which rows can be returned by normal queries or inserted, updated, or deleted by data modification commands. By default, tables do not have any policies, so that if a user has access privileges to a table according to the SQL privilege system, all rows within it are equally available for queries or updating.

Below is a larger example of how this feature can be used in production environments. The table passwd emulates a Unix password file:

-- Simple passwd-file based example
CREATE TABLE passwd (
  user_name             text UNIQUE NOT NULL,
  pwhash                text,
  uid                   int  PRIMARY KEY,
  gid                   int  NOT NULL,
  real_name             text NOT NULL,
  home_phone            text,
  extra_info            text,
  home_dir              text NOT NULL,
  shell                 text NOT NULL
);

CREATE ROLE admin;  -- Administrator
CREATE ROLE bob;    -- Normal user
CREATE ROLE alice;  -- Normal user

-- Populate the table
INSERT INTO passwd VALUES
  ('admin','xxx',0,0,'Admin','111-222-3333',null,'/root','/bin/dash');
INSERT INTO passwd VALUES
  ('bob','xxx',1,1,'Bob','123-456-7890',null,'/home/bob','/bin/zsh');
INSERT INTO passwd VALUES
  ('alice','xxx',2,1,'Alice','098-765-4321',null,'/home/alice','/bin/zsh');

-- Be sure to enable row level security on the table
ALTER TABLE passwd ENABLE ROW LEVEL SECURITY;

-- Create policies
-- Administrator can see all rows and add any rows
CREATE POLICY admin_all ON passwd TO admin USING (true) WITH CHECK (true);
-- Normal users can view all rows
CREATE POLICY all_view ON passwd FOR SELECT USING (true);
-- Normal users can update their own records, but
-- limit which shells a normal user is allowed to set
CREATE POLICY user_mod ON passwd FOR UPDATE
  USING (current_user = user_name)
  WITH CHECK (
    current_user = user_name AND
    shell IN ('/bin/bash','/bin/sh','/bin/dash','/bin/zsh','/bin/tcsh')
  );

-- Allow admin all normal rights
GRANT SELECT, INSERT, UPDATE, DELETE ON passwd TO admin;
-- Users only get select access on public columns
GRANT SELECT
  (user_name, uid, gid, real_name, home_phone, extra_info, home_dir, shell)
  ON passwd TO public;
-- Allow users to update certain columns
GRANT UPDATE
  (pwhash, real_name, home_phone, extra_info, shell)
  ON passwd TO public;
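The following check script is an added example, not part of the original post. It confirms that the policies and column grants defined above behave as intended. It assumes the statements above have already been run and that the script is executed in psql as a superuser with autocommit on, so each failing statement is rejected on its own without aborting the rest.

```sql
-- Added verification script (assumption: psql session as a superuser,
-- autocommit on, objects from the example above already created).

-- 1. Confirm RLS is switched on and inspect the policies on the table.
SELECT relrowsecurity, relforcerowsecurity
  FROM pg_class WHERE relname = 'passwd';
SELECT policyname, cmd, roles, qual, with_check
  FROM pg_policies WHERE tablename = 'passwd';

-- 2. Exercise the policies as a normal user.
SET ROLE bob;

-- Rejected (permission denied): pwhash is outside the column-level SELECT grant.
SELECT * FROM passwd;

-- Allowed: all_view exposes every row, restricted to the granted columns.
SELECT user_name, real_name, shell FROM passwd;

-- Affects 0 rows: user_mod's USING clause filters out rows bob does not own.
UPDATE passwd SET real_name = 'Mallory' WHERE user_name = 'alice';

-- Allowed: bob's own row, and the new shell is on the permitted list.
UPDATE passwd SET shell = '/bin/bash' WHERE user_name = 'bob';

-- Rejected by user_mod's WITH CHECK: shell is not on the permitted list.
UPDATE passwd SET shell = '/bin/xx' WHERE user_name = 'bob';

-- Rejected (permission denied): user_name is outside the column-level UPDATE grant.
UPDATE passwd SET user_name = 'joe' WHERE user_name = 'bob';

-- Rejected (permission denied): public holds no INSERT or DELETE privilege.
DELETE FROM passwd WHERE user_name = 'alice';
INSERT INTO passwd (user_name) VALUES ('xxx');

-- 3. Exercise the admin policy.
RESET ROLE;
SET ROLE admin;

-- Allowed: admin_all plus the table-level grant expose pwhash on every row.
SELECT user_name, pwhash FROM passwd;
RESET ROLE;

-- 4. Optional hardening: by default the table owner is not subject to the
-- policies. FORCE applies them to the owner too; superusers and roles with
-- BYPASSRLS still bypass row security.
ALTER TABLE passwd FORCE ROW LEVEL SECURITY;
```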

Reposted from: http://weyvb.baihongyu.com/
