Postgresql多租户实践--使用多个Schema篇

postgres=# create database testdb;
CREATE DATABASE
postgres=# create role fiona login encrypted password 'abc123';
CREATE ROLE
postgres=# create role sally login encrypted password 'abc123';
CREATE ROLE


postgres=# \c testdb;
You are now connected to database "testdb" as user "postgres".


testdb=# create schema finance;
CREATE SCHEMA
testdb=# create schema sales;
CREATE SCHEMA

testdb=# ALTER ROLE fiona SET search_path = 'finance';
ALTER ROLE
testdb=# ALTER ROLE sally SET search_path = 'sales';
ALTER ROLE


[postgres@bighouse3 ~/11/data]$ psql -h bighouse3 -p 15432
psql (11.8)
Type "help" for help.


postgres=# \c testdb
You are now connected to database "testdb" as user "postgres".
testdb=# REVOKE ALL ON SCHEMA finance FROM public;
REVOKE
testdb=# GRANT USAGE ON SCHEMA finance TO fiona;
GRANT
testdb=# GRANT ALL ON SCHEMA finance TO fiona;
GRANT
testdb=# REVOKE ALL ON SCHEMA sales FROM public;
REVOKE
testdb=# GRANT USAGE ON SCHEMA sales TO sally;
GRANT
testdb=# GRANT ALL ON SCHEMA sales TO sally;
GRANT

[postgres@bighouse3 ~/11/data]$ psql -h bighouse3 -p 15432 -U fiona testdb
Password for user fiona: 
psql (11.8)
Type "help" for help.


testdb=> create table t_fiona (id int primary key);
CREATE TABLE
testdb=> \d
         List of relations
 Schema  |  Name   | Type  | Owner 
---------+---------+-------+-------
 finance | t_fiona | table | fiona
(1 row)


testdb=> \q


[postgres@bighouse3 ~/11/data]$ psql -h bighouse3 -p 15432 -U sally testdb
Password for user sally: 
psql (11.8)
Type "help" for help.
testdb=> create table t_sally (id int primary key);
CREATE TABLE
testdb=> \d
        List of relations
 Schema |  Name   | Type  | Owner 
--------+---------+-------+-------
 sales  | t_sally | table | sally
(1 row)


testdb=> select * from t_fiona;
ERROR:  relation "t_fiona" does not exist  -->>>>由于search_path的设置,sally无法查看fiona创建的对象
LINE 1: select * from t_fiona;
                      ^
testdb=> select * from finance.t_fiona;
ERROR:  permission denied for schema finance  -->>>>sally无法访问finance下的对象
LINE 1: select * from finance.t_fiona;
                      ^
[postgres@bighouse3 ~/11/data]$ psql -h bighouse3 -p 15432 -U fiona testdb
Password for user fiona: 
psql (11.8)
testdb=> select * from sales.t_sally;
ERROR:  permission denied for schema sales   ---->>>同理fiona也无法查看到sally创建的对象
LINE 1: select * from sales.t_sally;
                      ^

[postgres@bighouse3 ~/11/data]$ psql -h bighouse3 -p 15432 -U sally testdb
Password for user sally: 
psql (11.8)
Type "help" for help.


testdb=> select * from pg_tables where schemaname in ('finance','sales');
 schemaname | tablename | tableowner | tablespace | hasindexes | hasrules | hastriggers | rowsecurity 
------------+-----------+------------+------------+------------+----------+-------------+-------------
 finance    | t_fiona   | fiona      |            | t          | f        | f           | f
 sales      | t_sally   | sally      |            | t          | f        | f           | f
(2 rows)

[postgres@bighouse3 ~/11/data]$ psql -h bighouse3 -p 15432 testdb
testdb=# revoke all on pg_tables from public;
REVOKE


[postgres@bighouse3 ~/11/data]$ psql -h bighouse3 -p 15432 -U sally testdb
testdb=> select * from pg_tables where schemaname in ('finance','sales');
ERROR:  permission denied for view pg_tables
testdb=> \d
        List of relations
 Schema |  Name   | Type  | Owner 
--------+---------+-------+-------
 sales  | t_sally | table | sally
(1 row)


-->>>>>类似的数据字典还包括
REVOKE ALL ON pg_user FROM public;
REVOKE ALL ON pg_roles FROM public;
REVOKE ALL ON pg_group FROM public;
REVOKE ALL ON pg_authid FROM public;
REVOKE ALL ON pg_auth_members FROM public;
REVOKE ALL ON pg_database FROM public;
REVOKE ALL ON pg_tablespace FROM public;
REVOKE ALL ON pg_settings FROM public;


-->>>>查看对哪些表有权限可能通过下面2个视图
可以通过information_schema.role_table_grants或information_schema.table_privileges查看。