一个 预定义角色 是一个内置角色,提供对某些常用特权功能和信息的访问权限。无需将用户设为超级用户,即可将此类角色的成员资格授予单个用户。
预定义角色 在 PostgreSQL 9.6 中引入,尽管最初只有一个角色可用 (pg_signal_backend)。
可用性
| 18 | 17 | 16 | 15 | 14 | 13 | 12 | 11 | 10 | 9.6 | |
|---|---|---|---|---|---|---|---|---|---|---|
| pg_checkpoint | ||||||||||
| pg_create_subscription | ||||||||||
| pg_database_owner | ||||||||||
| pg_execute_server_program | ||||||||||
| pg_maintain | ||||||||||
| pg_monitor | ||||||||||
| pg_read_all_data | ||||||||||
| pg_read_all_settings | ||||||||||
| pg_read_all_stats | ||||||||||
| pg_read_server_files | ||||||||||
| pg_signal_autovacuum_worker | ||||||||||
| pg_signal_backend | ||||||||||
| pg_stat_scan_tables | ||||||||||
| pg_use_reserved_connections | ||||||||||
| pg_write_all_data | ||||||||||
| pg_write_server_files |
pg_monitor
The pg_monitor 角色组合了以下默认角色
pg_read_all_settingspg_read_all_statspg_stat_scan_tables
并提供以下文件系统函数的执行权限
(但不包括 pg_ls_dir())。
另请参阅: src/backend/catalog/system_views.sql。
源代码
以下表示每个默认角色的 OID 的常量在编译时创建 (src/include/catalog/pg_authid.dat)
ROLE_PG_CHECKPOINTROLE_PG_CREATE_SUBSCRIPTIONROLE_PG_DATABASE_OWNERROLE_PG_EXECUTE_SERVER_PROGRAMROLE_PG_MAINTAINROLE_PG_MONITORROLE_PG_READ_ALL_DATAROLE_PG_READ_ALL_SETTINGSROLE_PG_READ_ALL_STATSROLE_PG_READ_SERVER_FILESROLE_PG_SIGNAL_AUTOVACUUM_WORKERROLE_PG_SIGNAL_BACKENDIDROLE_PG_STAT_SCAN_TABLESROLE_PG_USE_RESERVED_CONNECTIONSROLE_PG_WRITE_ALL_DATAROLE_PG_WRITE_SERVER_FILES
注意:在 PostgreSQL 13 及更早版本中,这些常量以“DEFAULT_ROLE_”为前缀。
重命名提案
在 PostgreSQL 13 开发周期中,有人提议将“default_role”重命名为“predefined role”,并且更改实际上已提交(提交 0e936a21),但随后在进一步讨论之前恢复(提交 c185a577)。此更改后来在 PostgreSQL 14 中完成(提交 c9c41c7a)。
更改历史记录
- PostgreSQL 18
pg_signal_autovacuum_worker角色已添加(提交 ccd38024)
- PostgreSQL 17
pg_maintain角色已添加(提交 ecb0fd33)
- PostgreSQL 16
- PostgreSQL 15
pg_checkpoint角色已添加(提交 4168a474 和 b9eb0ff0)pg_read_all_stats现在可以访问pg_backend_memory_contexts和pg_shmem_allocations(提交 77ea4f94)
- PostgreSQL 14
- PostgreSQL 11 - 添加以下默认角色(提交 0fdc8495)
pg_read_server_filespg_write_server_filespg_execute_server_program
- PostgreSQL 10 - 添加以下默认角色(提交 25fff407)
pg_read_all_settingspg_read_all_statspg_stat_scan_tablespg_monitor
- PostgreSQL 9.6
pg_signal_backend已添加(提交 7a542700)
请注意,pg_maintain 角色首先在 PostgreSQL 16 中添加(提交 60684dd8),但随后恢复(提交 151c22de)。
示例
postgres=> \du someuser
List of roles
Role name | Attributes | Member of
-----------+------------+-----------
someuser | | {}
postgres=> SHOW data_directory;
ERROR: must be superuser or a member of pg_read_all_settings to examine "data_directory"
postgres=> \c - postgres
You are now connected to database "postgres" as user "postgres".
postgres=# GRANT pg_read_all_settings TO someuser;
GRANT ROLE
postgres=# \c - someuser
You are now connected to database "postgres" as user "someuser".
postgres=> \du someuser
List of roles
Role name | Attributes | Member of
-----------+------------+------------------------
someuser | | {pg_read_all_settings}
postgres=> SHOW data_directory;
data_directory
---------------------
/var/lib/pgsql/data
(1 row)
C 语言中的用法示例
#include "utils/acl.h"
#include "catalog/pg_authid.h"
...
if (is_member_of_role(GetUserId(), ROLE_PG_READ_ALL_STATS) == false)
{
elog(ERROR, "must be superuser or a member of the pg_read_all_stats role");
}
...
有用链接
- 系统角色 – 什么、为什么、如何? - 2023 年 3 月 Hubert Lubaczewski 的博文