跨所有 PostgreSQL 对象的审核权限
Posted
技术标签:
【中文标题】跨所有 PostgreSQL 对象的审核权限【英文标题】:Audit privileges across all PostgreSQL objects 【发布时间】:2017-09-25 09:52:37 【问题描述】:我想审核我的 PostgreSQL 数据库中的权限。如何跨所有数据库对象生成角色及其权限授予表?
对于表我可以查询information_schema.role_table_grants。我也可以对其他数据库对象进行类似的查询,但我担心我可能会错过一个对象类型,如果有更简单的解决方案,我不想重新发明***。
【问题讨论】:
【参考方案1】:不发明***我会从psql -E开始:
t=# \z
********* QUERY **********
SELECT n.nspname as "Schema",
c.relname as "Name",
CASE c.relkind WHEN 'r' THEN 'table' WHEN 'v' THEN 'view' WHEN 'm' THEN 'materialized view' WHEN 'S' THEN 'sequence' WHEN 'f' THEN 'foreign table' END as "Type",
pg_catalog.array_to_string(c.relacl, E'\n') AS "Access privileges",
pg_catalog.array_to_string(ARRAY(
SELECT attname || E':\n ' || pg_catalog.array_to_string(attacl, E'\n ')
FROM pg_catalog.pg_attribute a
WHERE attrelid = c.oid AND NOT attisdropped AND attacl IS NOT NULL
), E'\n') AS "Column privileges",
pg_catalog.array_to_string(ARRAY(
SELECT polname
|| CASE WHEN polcmd != '*' THEN
E' (' || polcmd || E'):'
ELSE E':'
END
|| CASE WHEN polqual IS NOT NULL THEN
E'\n (u): ' || pg_catalog.pg_get_expr(polqual, polrelid)
ELSE E''
END
|| CASE WHEN polwithcheck IS NOT NULL THEN
E'\n (c): ' || pg_catalog.pg_get_expr(polwithcheck, polrelid)
ELSE E''
END || CASE WHEN polroles <> '0' THEN
E'\n to: ' || pg_catalog.array_to_string(
ARRAY(
SELECT rolname
FROM pg_catalog.pg_roles
WHERE oid = ANY (polroles)
ORDER BY 1
), E', ')
ELSE E''
END
FROM pg_catalog.pg_policy pol
WHERE polrelid = c.oid), E'\n')
AS "Policies"
FROM pg_catalog.pg_class c
LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace
WHERE c.relkind IN ('r', 'v', 'm', 'S', 'f')
AND n.nspname !~ '^pg_' AND pg_catalog.pg_table_is_visible(c.oid)
ORDER BY 1, 2;
**************************
【讨论】:
哇,不错!这是一个好的开始,尽管还有许多其他对象类型可供研究。以上是关于跨所有 PostgreSQL 对象的审核权限的主要内容,如果未能解决你的问题,请参考以下文章
PostgreSQL:将所有权限授予 PostgreSQL 数据库上的用户