关键字:
安全;系统 ANY 权限;;人大金仓;KingbaseES
概述
系统 ANY 权限是 KingbaseES 的一种管理特权,通过授予用户 ANY 权限,允许用户操作所有的某种类型的数据库对象的某种操作,不包括系统对象。
ANY 权限包含了四种数据库对象和八种操作类型。
数据库对象包括:TABLE,VIEW,SEQUENCE,PROCEDURE。
操作类型包括:CREATE,ALTER,DROP,INSERT,UPDATE,DELETE,DROP,EXECUTE。
ANY 权限还为每种权限设置了 ADMIN 选项,标志是否为当前权限的 ADMIN 用户,如果是 ADMIN 用户,那么允许当前用户授权 ANY 权限给其他用户。
特性实际操作
修改 kingbase.conf 文件中 shared_preload_libraries 参数后重启数据库。
shared_preload_libraries = 'sysprivilege'
如何赋予和收回 ANY 权限用例。以表举例:.
CREATE USER SYS WITH SUPERUSER;
CREATE USER U1;
CREATE USER U2;
CREATE SCHEMA S1;
CREATE TABLE TEST(ID INT);
CREATE TABLE S1.ST(ID INT);
-- ALL SHOULD BE ERROR, BECAUSE NO ANY PRIVILEGE
SET SESSION AUTHORIZATION U1;
CREATE TABLE S1.UT(ID INT);
ERROR: permission denied for schema s1
LINE 1: CREATE TABLE S1.UT(ID INT);
^
SELECT * FROM S1.ST;
ERROR: permission denied for schema s1
LINE 1: SELECT * FROM S1.ST;
^
INSERT INTO S1.ST VALUES(1);
ERROR: permission denied for schema s1
LINE 1: INSERT INTO S1.ST VALUES(1);
^
DELETE FROM S1.ST WHERE ID = 1;
ERROR: permission denied for schema s1
LINE 1: DELETE FROM S1.ST WHERE ID = 1;
^
UPDATE S1.ST SET ID = 2 WHERE ID = 1;
ERROR: permission denied for schema s1
LINE 1: UPDATE S1.ST SET ID = 2 WHERE ID = 1;
^
ALTER TABLE S1.ST RENAME TO STT;
ERROR: permission denied for schema s1
ALTER TABLE S1.ST ADD COLUMN NAME VARCHAR(10);
ERROR: permission denied for schema s1
DROP TABLE S1.ST;
ERROR: permission denied for schema s1
-- GIVEN ALL TABLE SYSTEM ANY PRIVILEGE
SET SESSION AUTHORIZATION SYS;
GRANT CREATE ANY TABLE TO U1;
GRANT SELECT ANY TABLE TO U1;
GRANT ALTER ANY TABLE TO U1;
GRANT INSERT ANY TABLE TO U1;
GRANT DELETE ANY TABLE TO U1;
GRANT UPDATE ANY TABLE TO U1;
GRANT DROP ANY TABLE TO U1;
SELECT * FROM SYS_SYSPRIVILEGE;
grantee | privilege | admin_option
---------+-----------+--------------
16386 | 1 | f
16386 | 4 | f
16386 | 2 | f
16386 | 5 | f
16386 | 6 | f
16386 | 7 | f
16386 | 3 | f
(7 rows)
-- ALL SHOULD BE RIGHT, BECAUSE HAVE ANY PRIVILEGE
SET SESSION AUTHORIZATION U1;
CREATE TABLE S1.UT(ID INT);
SELECT * FROM S1.ST;
id
----
(0 rows)
INSERT INTO S1.ST VALUES(1);
DELETE FROM S1.ST WHERE ID = 1;
UPDATE S1.ST SET ID = 2 WHERE ID = 1;
ALTER TABLE S1.ST RENAME TO STT;
ALTER TABLE S1.STT ADD COLUMN NAME VARCHAR(10);
DROP TABLE S1.STT CASCADE;
NOTICE: drop cascades to view s1.sv
-- CLEAN
SET SESSION AUTHORIZATION SYS;
REVOKE CREATE ANY TABLE FROM U1;
REVOKE SELECT ANY TABLE FROM U1;
REVOKE ALTER ANY TABLE FROM U1;
REVOKE INSERT ANY TABLE FROM U1;
REVOKE DELETE ANY TABLE FROM U1;
REVOKE UPDATE ANY TABLE FROM U1;
REVOKE DROP ANY TABLE FROM U1;
SELECT * FROM SYS_SYSPRIVILEGE;
grantee | privilege | admin_option
---------+-----------+--------------
(0 rows)
DROP TABLE S1.UT;
使用经验及注意事项
无特殊事项,注意插件的加载并分清权限即可。
价值评价
通过此特性,可以方便的控制用户权限,方便管理员的管理。
参考资料
《KingbaseES 安全指南》
