学习目标
掌握openGauss的用户和角色管理。
课程学习
使用create user创建的用户与使用create role创建的用户的区别在于,前者可以直接连接登录数据库,而使用create role创建的用户不能直接登录到数据库。必须添加LOGIN权限后,才能登录到数据库管理系统。
删除用户,首先需要将用户拥有的数据库对象转移或者删除。
1.环境准备
创建一个名叫test_tbs的表空间和一个名叫testdb的数据库:
gsql -r
CREATE TABLESPACE test_tbs RELATIVE LOCATION 'tablespace/test_tbs1';
CREATE DATABASE testdb WITH TABLESPACE = test_tbs;
root@modb:~# su - omm
omm@modb:~$
omm@modb:~$ gsql -r
gsql ((openGauss 3.0.0 build 02c14696) compiled at 2022-04-01 18:12:00 commit 0 last mr )
Non-SSL connection (SSL connection is recommended when requiring high-security)
Type "help" for help.
omm=#
omm=# CREATE TABLESPACE test_tbs RELATIVE LOCATION 'tablespace/test_tbs1';
CREATE TABLESPACE
omm=#
omm=# CREATE DATABASE testdb WITH TABLESPACE = test_tbs;
CREATE DATABASE2.使用create user创建用户
使用create user创建的用户,具有登录权限。
--创建一个名叫user1的数据库用户,其密码为kunpeng@1234,并将数据库testdb所有的权限都授予用户user1:
CREATE USER user1 IDENTIFIED BY 'kunpeng@1234';
GRANT ALL ON DATABASE testdb TO user1;
--执行下面的gsql元命令,查看系统目前有哪些数据库:
\l
--执行下面的gsql元命令,查看系统目前有哪些用户:
\du
\q
--用刚刚创建的数据库用户user1登录到数据库testdb
gsql -d testdb -U user1 -W kunpeng@1234 -r
\q
omm=# CREATE USER user1 IDENTIFIED BY 'kunpeng@1234';
NOTICE: The encrypted password contains MD5 ciphertext, which is not secure.
CREATE ROLE
omm=#
omm=# GRANT ALL ON DATABASE testdb TO user1;
GRANT
omm=#
omm=# \l
List of databases
Name | Owner | Encoding | Collate | Ctype | Access privileges
-----------+-------+----------+---------+-------+-------------------
omm | omm | UTF8 | C | C |
postgres | omm | UTF8 | C | C |
template0 | omm | UTF8 | C | C | =c/omm +
| | | | | omm=CTc/omm
template1 | omm | UTF8 | C | C | =c/omm +
| | | | | omm=CTc/omm
testdb | omm | UTF8 | C | C | =Tc/omm +
| | | | | omm=CTc/omm +
| | | | | user1=CTc/omm +
| | | | | user1=APm/omm
(5 rows)
omm=# \du
List of roles
Role name | Attributes
| Member of
-----------+------------------------------------------------------------------------------------------------------------
------+-----------
gaussdb | Sysadmin
| {}
omm | Sysadmin, Create role, Create DB, Replication, Administer audit, Monitoradmin, Operatoradmin, Policyadmin,
UseFT | {}
user1 |
| {}
omm=# \q
omm@modb:~$
omm@modb:~$ gsql -d testdb -U user1 -W kunpeng@2134 -r
gsql: FATAL: Invalid username/password,login denied.
omm@modb:~$
omm@modb:~$ gsql -d testdb -U user1 -W kunpeng@1234 -r
gsql ((openGauss 3.0.0 build 02c14696) compiled at 2022-04-01 18:12:00 commit 0 last mr )
Non-SSL connection (SSL connection is recommended when requiring high-security)
Type "help" for help.
testdb=> \q
omm@modb:~$ 3.使用create role创建用户
使用create role命令创建的用户user2,没有登录权限。
--创建一个新的名叫user2的角色,并将数据库testdb所有的权限都授予用户user2:
用户user2对数据库testdb具有的权限和用户user1一模一样。
gsql -r
CREATE ROLE user2 IDENTIFIED BY 'kunpeng@1234';
GRANT ALL ON DATABASE testdb TO user2;
--查看当前openGauss数据库集群由哪些用户:
\du
\q
--使用用户user2尝试登录到数据库testdb:
gsql -d testdb -U user2 -W kunpeng@1234 -r
gsql: FATAL: role "user2" is not permitted to login
原因:
由于数据库用户user2是使用create role语句创建的,目前还不被允许登录到openGauss数据库管理系统。
omm=#
omm=# CREATE ROLE user2 IDENTIFIED BY 'kunpeng@1234';
NOTICE: The encrypted password contains MD5 ciphertext, which is not secure.
CREATE ROLE
omm=#
omm=# GRANT ALL ON DATABASE testdb TO user2;
GRANT
omm=#
omm=# \du
List of roles
Role name | Attributes
| Member of
-----------+------------------------------------------------------------------------------------------------------
------------+-----------
gaussdb | Sysadmin
| {}
omm | Sysadmin, Create role, Create DB, Replication, Administer audit, Monitoradmin, Operatoradmin, Policya
dmin, UseFT | {}
user1 |
| {}
user2 | Cannot login
| {}
omm=#
omm=# \q
omm@modb:~$
omm@modb:~$ gsql -d testdb -U user2 -W kunpeng@1234 -r
gsql: FATAL: role "user2" is not permitted to login4.授予用户user2登录权限后:
授予用户user2登录权限后,可以登录数据库
gsql -r
alter user user2 LOGIN;
\du
\q
--现在我们已经授予了user2用户登录数据库的权限,可以正常登录数据库testdb:
gsql -d testdb -U user2 -W kunpeng@1234 -r
\q
omm@modb:~$ gsql -r gsql ((openGauss 3.0.0 build 02c14696) compiled at 2022-04-01 18:12:00 commit 0 last mr ) Non-SSL connection (SSL connection is recommended when requiring high-security) Type "help" for help. omm=# omm=# alter user user2 LOGIN; ALTER ROLE omm=# omm=# \du List of roles Role name | Attributes | Member of -----------+------------------------------------------------------------------------------------------------------ ------------+----------- gaussdb | Sysadmin | {} omm | Sysadmin, Create role, Create DB, Replication, Administer audit, Monitoradmin, Operatoradmin, Policya dmin, UseFT | {} user1 | | {} user2 | | {}omm=# omm=# \q omm@modb:~$ omm@modb:~$ gsql -d testdb -U user2 -W kunpeng@1234 -r gsql ((openGauss 3.0.0 build 02c14696) compiled at 2022-04-01 18:12:00 commit 0 last mr ) Non-SSL connection (SSL connection is recommended when requiring high-security) Type "help" for help. testdb=> \q- 5、删除用户和角色
删除用户,首先需要将用户拥有的数据库对象转移或者删除,回收权限。
-- 授予用户user2数据库超级用户的权限:
gsql -r
ALTER USER user2 SYSADMIN;
--使用用户user2登录到数据库testdb,创建表空间test_tbs1、数据库testdb、表test1和表test2:
\c testdb user2
CREATE TABLESPACE test_tbs1 RELATIVE LOCATION 'tablespace/test_tbs11';
CREATE DATABASE testdb WITH TABLESPACE = test_tbs1;
CREATE TABLE test1(col int);
CREATE TABLE test2(col int);
\q
--执行如下的命令,删除用户user2:
gsql -r
drop user user2;
ERROR: role "user2" cannot be dropped because some objects depend on it
DETAIL: owner of database testdb
owner of tablespace test_tbs1
privileges for database testdb
2 objects in database testdb
omm@modb:~$ gsql -r
gsql ((openGauss 3.0.0 build 02c14696) compiled at 2022-04-01 18:12:00 commit 0 last mr )
Non-SSL connection (SSL connection is recommended when requiring high-security)
Type "help" for help.
omm=#
omm=# ALTER USER user2 SYSADMIN;
ALTER ROLE
omm=#
omm=# \c testdb user2
Password for user user2:
Non-SSL connection (SSL connection is recommended when requiring high-security)
You are now connected to database "testdb" as user "user2".
testdb=>
testdb=> CREATE TABLESPACE test_tbs1 RELATIVE LOCATION 'tablespace/test_tbs11';
CREATE TABLESPACE
testdb=>
testdb=> CREATE DATABASE testdb WITH TABLESPACE = test_tbs1;
ERROR: database "testdb" already exists
testdb=>
testdb=> CREATE TABLE test1(col int);
CREATE TABLE
testdb=>
testdb=> CREATE TABLE test2(col int);
CREATE TABLE
testdb=> ###可以看出不能删除用户user2的原因是:
1)用户user2拥有数据库testdb。
2)用户user2拥有表空间对象test_tbs1。
3)用户user2对数据库testdb具有权限。
4)用户user2在数据库testdb中有两个对象。
--要删除用户user2,必须先表空间对象和数据库对象的属主修改为其他的用户(如user1用户),或者干脆将其删除:
alter database testdb owner to user1;
alter tablespace test_tbs1 owner to user1;
--回收用户user2对testdb数据库的权限:
REVOKE ALL ON DATABASE testdb FROM user2;
--在testdb中属于用户user2的数据库对象的处理方法可以是:假如该对象还有用,可以将该对象转移给其他用户;假如该对象没有用,可以直接删除掉该对象
--假设表test1已经没有用了,我们可以删除表test1:
\c testdb user2
drop table test1;
--假设表test2还有用将表test2转移给用户user1:
REASSIGN OWNED BY user2 to user1;
\dt
\q
--执行删除用户的操作,可以删除user2用户
gsql -r
drop user user2;
\du
omm@modb:~$ gsql -r
gsql ((openGauss 3.0.0 build 02c14696) compiled at 2022-04-01 18:12:00 commit 0 last mr )
Non-SSL connection (SSL connection is recommended when requiring high-security)
Type "help" for help.
omm=#
omm=# ALTER USER user2 SYSADMIN;
ALTER ROLE
omm=#
omm=# \c testdb user2
Password for user user2:
Non-SSL connection (SSL connection is recommended when requiring high-security)
You are now connected to database "testdb" as user "user2".
testdb=>
testdb=> CREATE TABLESPACE test_tbs1 RELATIVE LOCATION 'tablespace/test_tbs11';
CREATE TABLESPACE
testdb=>
testdb=> CREATE DATABASE testdb WITH TABLESPACE = test_tbs1;
ERROR: database "testdb" already exists
testdb=>
testdb=> CREATE TABLE test1(col int);
CREATE TABLE
testdb=>
testdb=> CREATE TABLE test2(col int);
CREATE TABLE
testdb=>
testdb=> CREATE DATABASE testdb WITH TABLESPACE = test_tbs2;
ERROR: tablespace "test2" does not exist
testdb=>
testdb=>
testdb-> \q
omm@modb:~$
omm@modb:~$ gsql -r
gsql ((openGauss 3.0.0 build 02c14696) compiled at 2022-04-01 18:12:00 commit 0 last mr )
Non-SSL connection (SSL connection is recommended when requiring high-security)
Type "help" for help.
omm=#
omm=# drop user user2;
ERROR: role "user2" cannot be dropped because some objects depend on it
DETAIL: owner of tablespace test_tbs1
privileges for database testdb
2 objects in database testdb
omm=#
omm=#
omm=# alter database testdb owner to user1;
ALTER DATABASE
omm=#
omm=# alter tablespace test_tbs1 owner to user1;
ALTER TABLESPACE
omm=#
omm=# REVOKE ALL ON DATABASE testdb FROM user2;
REVOKE
omm=#
omm=# \c testdb user2
Password for user user2:
Non-SSL connection (SSL connection is recommended when requiring high-security)
You are now connected to database "testdb" as user "user2".
testdb=>
testdb=> drop table test1;
DROP TABLE
testdb=>
testdb=>
testdb=> REASSIGN OWNED BY user2 to user1;
REASSIGN OWNED
testdb=>
testdb=> \dt
List of relations
Schema | Name | Type | Owner | Storage
--------+-------+-------+-------+----------------------------------
public | test2 | table | user1 | {orientation=row,compression=no}
(1 row)
testdb=>
testdb=> \q
omm@modb:~$
omm@modb:~$ gsql -r
gsql ((openGauss 3.0.0 build 02c14696) compiled at 2022-04-01 18:12:00 commit 0 last mr )
Non-SSL connection (SSL connection is recommended when requiring high-security)
Type "help" for help.
omm=# drop user user2;
DROP ROLE
omm=#
omm=# \du
List of roles
Role name | Attributes
| Member of
-----------+------------------------------------------------------------------------------------------------------
------------+-----------
gaussdb | Sysadmin
| {}
omm | Sysadmin, Create role, Create DB, Replication, Administer audit, Monitoradmin, Operatoradmin, Policya
dmin, UseFT | {}
user1 |
| {}
omm@modb:~$ gsql -r
gsql ((openGauss 3.0.0 build 02c14696) compiled at 2022-04-01 18:12:00 commit 0 last mr )
Non-SSL connection (SSL connection is recommended when requiring high-security)
Type "help" for help.
omm=#
omm=# ALTER USER user2 SYSADMIN;
ALTER ROLE
omm=#
omm=# \c testdb user2
Password for user user2:
Non-SSL connection (SSL connection is recommended when requiring high-security)
You are now connected to database "testdb" as user "user2".
testdb=>
testdb=> CREATE TABLESPACE test_tbs1 RELATIVE LOCATION 'tablespace/test_tbs11';
CREATE TABLESPACE
testdb=>
testdb=> CREATE DATABASE testdb WITH TABLESPACE = test_tbs1;
ERROR: database "testdb" already exists
testdb=>
testdb=> CREATE TABLE test1(col int);
CREATE TABLE
testdb=>
testdb=> CREATE TABLE test2(col int);
CREATE TABLE
testdb=>
testdb=> CREATE DATABASE testdb WITH TABLESPACE = test_tbs2;
ERROR: tablespace "test2" does not exist
testdb=>
testdb=>
testdb-> \q
omm@modb:~$
omm@modb:~$ gsql -r
gsql ((openGauss 3.0.0 build 02c14696) compiled at 2022-04-01 18:12:00 commit 0 last mr )
Non-SSL connection (SSL connection is recommended when requiring high-security)
Type "help" for help.
omm=#
omm=# drop user user2;
ERROR: role "user2" cannot be dropped because some objects depend on it
DETAIL: owner of tablespace test_tbs1
privileges for database testdb
2 objects in database testdb
omm=#
omm=#
omm=# alter database testdb owner to user1;
ALTER DATABASE
omm=#
omm=# alter tablespace test_tbs1 owner to user1;
ALTER TABLESPACE
omm=#
omm=# REVOKE ALL ON DATABASE testdb FROM user2;
REVOKE
omm=#
omm=# \c testdb user2
Password for user user2:
Non-SSL connection (SSL connection is recommended when requiring high-security)
You are now connected to database "testdb" as user "user2".
testdb=>
testdb=> drop table test1;
DROP TABLE
testdb=>
testdb=>
testdb=> REASSIGN OWNED BY user2 to user1;
REASSIGN OWNED
testdb=>
testdb=> \dt
List of relations
Schema | Name | Type | Owner | Storage
--------+-------+-------+-------+----------------------------------
public | test2 | table | user1 | {orientation=row,compression=no}
(1 row)
testdb=>
testdb=> \q
omm@modb:~$
omm@modb:~$ gsql -r
gsql ((openGauss 3.0.0 build 02c14696) compiled at 2022-04-01 18:12:00 commit 0 last mr )
Non-SSL connection (SSL connection is recommended when requiring high-security)
Type "help" for help.
omm=# drop user user2;
DROP ROLE
omm=#
omm=# \du
List of roles
Role name | Attributes
| Member of
-----------+------------------------------------------------------------------------------------------------------
------------+-----------
gaussdb | Sysadmin
| {}
omm | Sysadmin, Create role, Create DB, Replication, Administer audit, Monitoradmin, Operatoradmin, Policya
dmin, UseFT | {}
user1 |
| {}
课程作业
1、创建test10_tbs的表空间,在这个表空间中创建数据库testdb10
2、使用create user创建用户user10,登录数据库testdb10,创建测试表t1和t2
3、使用create role创建角色role10,登录数据库testdb10
4、将表t1直接删除,将前面创建的表空间和数据库、表t2转给role10,删除用户user10
5、最后删除role10
课程作业
创建test10_tbs的表空间,在这个表空间中创建数据库testdb10
omm=# CREATE TABLESPACE test10_tbs RELATIVE LOCATION 'tablespace/test10_tbs1'; CREATE TABLESPACE omm=# CREATE DATABASE testdb10 WITH TABLESPACE = test10_tbs; CREATE DATABASE omm=#
使用create user创建用户user10,登录数据库testdb10,创建测试表t1和t2
omm=# CREATE USER user10 IDENTIFIED BY 'kunpeng@1234'; NOTICE: The encrypted password contains MD5 ciphertext, which is not secure. CREATE ROLE omm=# GRANT ALL ON DATABASE testdb10 TO user10; GRANT omm=# omm=# \q omm@modb:~$ gsql -d testdb10 -U user10 -W kunpeng@1234 -r gsql ((openGauss 3.0.0 build 02c14696) compiled at 2022-04-01 18:12:00 commit 0 last mr ) Non-SSL connection (SSL connection is recommended when requiring high-security) Type "help" for help. testdb10=> testdb10=> \q omm@modb:~$ gsql -r gsql ((openGauss 3.0.0 build 02c14696) compiled at 2022-04-01 18:12:00 commit 0 last mr ) Non-SSL connection (SSL connection is recommended when requiring high-security) Type "help" for help. omm=# ALTER USER user10 SYSADMIN; ALTER ROLE omm=# \q omm@modb:~$ gsql -d testdb10 -U user10 -W kunpeng@1234 -r gsql ((openGauss 3.0.0 build 02c14696) compiled at 2022-04-01 18:12:00 commit 0 last mr ) Non-SSL connection (SSL connection is recommended when requiring high-security) Type "help" for help. testdb10=> CREATE TABLE t1(col int); CREATE TABLE testdb10=> CREATE TABLE t2(col int); CREATE TABLE testdb10=>
使用create role创建角色role10,登录数据库testdb10
CREATE ROLE role10 IDENTIFIED BY 'kunpeng@1234'; GRANT ALL ON DATABASE testdb10 TO role10; alter user role10 LOGIN; gsql -d testdb10 -U role10 -W kunpeng@1234 -r omm=> \q omm@modb:~$ gsql -r gsql ((openGauss 3.0.0 build 02c14696) compiled at 2022-04-01 18:12:00 commit 0 last mr ) Non-SSL connection (SSL connection is recommended when requiring high-security) Type "help" for help. omm=> CREATE ROLE role10 IDENTIFIED BY 'kunpeng@1234'; NOTICE: The encrypted password contains MD5 ciphertext, which is not secure. CREATE ROLE omm=# GRANT ALL ON DATABASE testdb10 TO role10; GRANT omm=# gsql -d testdb10 -U role10 -W kunpeng@1234 -r omm-# \q omm@modb:~$ gsql -d testdb10 -U role10 -W kunpeng@1234 -r gsql: FATAL: role "role10" is not permitted to login omm@modb:~$ gsql -r gsql ((openGauss 3.0.0 build 02c14696) compiled at 2022-04-01 18:12:00 commit 0 last mr ) Non-SSL connection (SSL connection is recommended when requiring high-security) Type "help" for help. omm=# alter user role10 LOGIN; ALTER ROLE omm=# \q omm@modb:~$ gsql -d testdb10 -U role10 -W kunpeng@1234 -r gsql ((openGauss 3.0.0 build 02c14696) compiled at 2022-04-01 18:12:00 commit 0 last mr ) Non-SSL connection (SSL connection is recommended when requiring high-security) Type "help" for help. testdb10=>
将表t1直接删除,将前面创建的表空间和数据库、表t2转给role10,删除用户user10
drop table t1; REASSIGN OWNED BY user10 to role10; alter database testdb10 owner to role10; alter tablespace test10_tbs owner to role10; alter table t2 owner to role10; drop user user10; omm=# \q omm@modb:~$ gsql -d testdb10 -U user10 -W kunpeng@1234 -r gsql ((openGauss 3.0.0 build 02c14696) compiled at 2022-04-01 18:12:00 commit 0 last mr ) Non-SSL connection (SSL connection is recommended when requiring high-security) Type "help" for help. testdb10=> drop table t1; DROP TABLE testdb10=> testdb10=> \q omm@modb:~$ gsql -r gsql ((openGauss 3.0.0 build 02c14696) compiled at 2022-04-01 18:12:00 commit 0 last mr ) Non-SSL connection (SSL connection is recommended when requiring high-security) Type "help" for help. omm=# alter database testdb10 owner to role10; ALTER DATABASE omm=# alter tablespace test10_tbs owner to role10; ALTER TABLESPACE omm=# alter table t2 owner to role10; ALTER TABLE omm=# REASSIGN OWNED BY user10 to role10; REASSIGN OWNED omm=# omm=# drop user user10; DROP ROLE omm=#
最后删除role10
omm=# drop role role10; ERROR: role "role10" cannot be dropped because some objects depend on it DETAIL: owner of schema user10 owner of tablespace test10_tbs owner of database testdb10 omm=# omm=# REVOKE ALL ON tablespace test10_tbs FROM role10; REVOKE omm=# drop OWNED BY role10; DROP OWNED omm=# drop database testdb10; DROP DATABASE omm=# drop role role10; ERROR: role "role10" cannot be dropped because some objects depend on it DETAIL: owner of tablespace test10_tbs omm=# drop tablespace test10_tbs; DROP TABLESPACE omm=# drop role role10; DROP ROLE omm=#
课程学习体会
通过本次的实训操作,掌握数据库的使用create user创建的用户与使用create role创建的用户的区别,前者可以直接连接登录数据库,而使用create role创建的用户不能直接登录到数据库。必须添加LOGIN权限后,才能登录到数据库管理系统,而且删除用户,首先需要将用户拥有的数据库对象转移或者删除。
