查询redshift中特定表的权限（组和用户）

Posted 2023-03-30

【中文标题】查询redshift中特定表的权限（组和用户）

【英文标题】：Query permissions for a specific table in redshift (Groups and Users)

【发布时间】：2019-02-12 20:23:18

【问题描述】：

我正在尝试查找一个查询，该查询可让我获取 Redshift 中特定表的当前权限，适用于组和用户。我知道如何进行实际授权，但我需要花费大量时间来查找要查询的正确表以获取现有权限。

其他信息：

这将在以级联删除和重新创建表的编程操作期间使用，以确保我们从删除之前重新应用相同的权限。如果有一个选项可以在没有 conn.execute() 查询的情况下在 Python 中执行此操作，我也对此持开放态度。

编辑：

我之前确实找到了以下查询，我尝试了一个简短的版本来查看是否可以获取组：

SELECT * 
FROM 
(
SELECT 
    schemaname
    ,objectname
    ,usename
        ,groname
    ,HAS_TABLE_PRIVILEGE(usrs.usename, fullobj, 'select') AND HAS_TABLE_PRIVILEGE(grp.groname, fullobj, 'select') AND has_schema_privilege(usrs.usename, schemaname, 'usage')  AS sel
FROM
    (
    SELECT schemaname, 't' AS obj_type, tablename AS objectname, schemaname + '.' + tablename AS fullobj FROM pg_tables
    UNION
    SELECT schemaname, 'v' AS obj_type, viewname AS objectname, schemaname + '.' + viewname AS fullobj FROM pg_views
    ) AS objs
    ,(SELECT * FROM pg_user) AS usrs
        ,(SELECT * FROM pg_group) AS grp
ORDER BY fullobj
)
WHERE sel = true
and objectname = 'table_name'

这给了我一个错误，说它找不到作为组名的用户名。

【参考方案1】：

您可以将以下查询与objectname 过滤器一起使用来找出特定表的权限

SELECT * 
FROM 
(
SELECT 
    schemaname
    ,objectname
    ,usename
    ,HAS_TABLE_PRIVILEGE(usrs.usename, fullobj, 'select') AND has_schema_privilege(usrs.usename, schemaname, 'usage')  AS sel
    ,HAS_TABLE_PRIVILEGE(usrs.usename, fullobj, 'insert') AND has_schema_privilege(usrs.usename, schemaname, 'usage')  AS ins
    ,HAS_TABLE_PRIVILEGE(usrs.usename, fullobj, 'update') AND has_schema_privilege(usrs.usename, schemaname, 'usage')  AS upd
    ,HAS_TABLE_PRIVILEGE(usrs.usename, fullobj, 'delete') AND has_schema_privilege(usrs.usename, schemaname, 'usage')  AS del
    ,HAS_TABLE_PRIVILEGE(usrs.usename, fullobj, 'references') AND has_schema_privilege(usrs.usename, schemaname, 'usage')  AS ref
FROM
    (
    SELECT schemaname, 't' AS obj_type, tablename AS objectname, schemaname + '.' + tablename AS fullobj FROM pg_tables
    UNION
    SELECT schemaname, 'v' AS obj_type, viewname AS objectname, schemaname + '.' + viewname AS fullobj FROM pg_views
    ) AS objs
    ,(SELECT * FROM pg_user) AS usrs
ORDER BY fullobj
)
WHERE (sel = true or ins = true or upd = true or del = true or ref = true)
and objectname = 'my_table'

【讨论】：

我的问题没有指定，现在我需要更新它，但我正在寻找组权限以及用户权限

【参考方案2】：

我终于找到了一些我可以为小组挑选出来的东西，然后把一些东西拼凑在一起：

SELECT
    namespace, item, type, groname 
FROM
    (
    SELECT
        use.usename AS subject,
        nsp.nspname AS NAMESPACE,
        cls.relname AS item,
        cls.relkind AS TYPE,
        use2.usename AS OWNER,
        cls.relacl 
    FROM
        pg_user use
        CROSS JOIN pg_class cls
        LEFT JOIN pg_namespace nsp ON cls.relnamespace = nsp.oid
        LEFT JOIN pg_user use2 ON cls.relowner = use2.usesysid 
    WHERE
        cls.relowner = use.usesysid 
        AND nsp.nspname NOT IN ( 'pg_catalog', 'pg_toast', 'information_schema' ) 
        AND nsp.nspname IN ( 'schema' ) 
        AND relacl IS NOT NULL 
    ORDER BY
        subject,
        NAMESPACE,
        item 
    )
    JOIN pg_group pu ON array_to_string( relacl, '|' ) LIKE'%' || pu.groname || '%'

拆开How to query user group privileges in postgresql?

【讨论】：

我会为用户使用 mdem7 的答案。