首页 > 代码库 > Greenplum中角色权限及客户端认证管理

Greenplum中角色权限及客户端认证管理

角色权限及客户端认证管理

GP数据库逻辑结构

技术分享

在GP中,Database(数据库)、Schema(模式)以及Role(角色)三者之间的关系如下所示:

  • 一个数据库下可以有多个模式,一个模式只属于一个数据库。模式在GP中也被称为Namespace,不同数据库之间的模式没有关系,可以重名;
  • 语言在使用之前必须创建,一个语言只属于一个数据库;
  • 表、视图、索引、序列、函数必须属于一个模式;
  •  一个文件空间可以有多个表空间,一个表空间只属于一个文件空间,文件空间和角色之间没有关系;
  • 表空间和表时一对多的关系,一个模式下的表可以分布在多个表空间下;
  • 除了文件空间之外,其他的权限管理都是通过角色来实现,在这些层次结构中,用户必须对上一层有访问权限才能够访问该层的内容;

 

什么是角色(role)

  •  Role的组成:由用户(User)和组(Group)组成;
  •   跟OS的role没有关系;
  •  User通过Master节点登录和认证的;
  •  Role是定义在GPDB系统级别的;
  •  初始化SUPERUSERROLE:gpadmin。

角色与权限安全的最佳实践

  •  保护系统gpadmin的用户;
  •  为每个登录的User分配不同的角色;
  • 使用组来管理权限从而实现管理组;
  •  控制具备SUPERUSER属性的User数量。

创建Role

创建用户User Role

         使用CREATE ROLE创建一个User Role,语法如下所示:

template1-# ]\h create role

Command:     CREATE ROLE

Description: define a new database role

Syntax:

CREATE ROLE name [[WITH] option [ ... ]]

where option can be:

      SUPERUSER | NOSUPERUSER

    | CREATEDB | NOCREATEDB

    | CREATEROLE | NOCREATEROLE

    | CREATEEXTTABLE | NOCREATEEXTTABLE

      [ ( attribute=value[, ...] ) ]

           where attributes and values are:

           type=readable|writable

           protocol=gpfdist|http|gphdfs

    | INHERIT | NOINHERIT

    | LOGIN | NOLOGIN

    | CONNECTION LIMIT connlimit

    | [ ENCRYPTED | UNENCRYPTED ] PASSWORD password

    | VALID UNTIL timestamp

    | IN ROLE rolename [, ...]

    | ROLE rolename [, ...]

    | ADMIN rolename [, ...]
    | RESOURCE QUEUE queue_name

 

例如: # CREATE ROLE mavshuangWITH LOGIN;

template1=# CREATE ROLE mavshuang WITH LOGIN;

NOTICE:  resource queue required -- using default resource queue "pg_default"

CREATE ROLE

 

ALTER ROLE属性

         使用ALTER ROLE修改角色的属性,语法如下所示:

template1-# \h alter role

Command:     ALTER ROLE

Description: change a database role

Syntax:

ALTER ROLE name RENAME TO newname

ALTER ROLE name SET config_parameter {TO | =} {value | DEFAULT}

ALTER ROLE name RESET config_parameter

ALTER ROLE name RESOURCE QUEUE {queue_name | NONE}

ALTER ROLE name [ [WITH] option [ ... ] ]

where option can be:

      SUPERUSER | NOSUPERUSER

    | CREATEDB | NOCREATEDB

    | CREATEROLE | NOCREATEROLE

    | CREATEEXTTABLE | NOCREATEEXTTABLE

      [ ( attribute=value[, ...] ) ]

           where attributes and values are:

           type=readable|writable

           protocol=gpfdist|http|gphdfs

| INHERIT | NOINHERIT

    | LOGIN | NOLOGIN

    | CONNECTION LIMIT connlimit

    | [ENCRYPTED | UNENCRYPTED] PASSWORD password

    | VALID UNTIL timestamp

 

创建组Group Role

         使用CREATE ROLE创建一个GroupRole:

         =#CREATE ROLE admin CREATEROLE CREATEDB;

template1=# \du

                        List of roles

 Role name |              Attributes              | Member of

-----------+--------------------------------------+-----------

 admin     | Create role, Create DB, Cannot login |

 gpadmin   | Superuser, Create role, Create DB    |

 mavshuang |                                      |

 

添加或删除Member(UserRole)

         使用GRANT关键字授权,使用REVOKE关键字取消授权;

template1=# \h GRANT

Command:     GRANT

Description: define access privileges

Syntax:

GRANT { { SELECT | INSERT | UPDATE | DELETE | REFERENCES | TRIGGER }

    [,...] | ALL [ PRIVILEGES ] }

    ON [ TABLE ] tablename [, ...]

    TO { username | GROUP groupname | PUBLIC } [, ...] [ WITH GRANT OPTION ]

 

GRANT { { USAGE | SELECT | UPDATE }

    [,...] | ALL [ PRIVILEGES ] }

    ON SEQUENCE sequencename [, ...]

    TO { username | GROUP groupname | PUBLIC } [, ...] [ WITH GRANT OPTION ]

 

GRANT { { CREATE | CONNECT | TEMPORARY | TEMP } [,...] | ALL [ PRIVILEGES ] }

    ON DATABASE dbname [, ...]

    TO { username | GROUP groupname | PUBLIC } [, ...] [ WITH GRANT OPTION ]

 

GRANT { EXECUTE | ALL [ PRIVILEGES ] }

    ON FUNCTION funcname ( [ [ argmode ] [ argname ] argtype [, ...] ] ) [, ...]

    TO { username | GROUP groupname | PUBLIC } [, ...] [ WITH GRANT OPTION ]

 

GRANT { USAGE | ALL [ PRIVILEGES ] }

    ON LANGUAGE langname [, ...]

    TO { username | GROUP groupname | PUBLIC } [, ...] [ WITH GRANT OPTION ]

 

GRANT { { CREATE | USAGE } [,...] | ALL [ PRIVILEGES ] }

    ON SCHEMA schemaname [, ...]

    TO { username | GROUP groupname | PUBLIC } [, ...] [ WITH GRANT OPTION ]

 

GRANT { CREATE | ALL [ PRIVILEGES ] }

    ON TABLESPACE tablespacename [, ...]

    TO { username | GROUP groupname | PUBLIC } [, ...] [ WITH GRANT OPTION ]

 

GRANT role [, ...] TO username [, ...] [ WITH ADMIN OPTION ]

 

GRANT { SELECT | INSERT | ALL [PRIVILEGES] }

..ON PROTOCOL protocolname

..TO username

 

 

template1=# \h REVOKE

Command:     REVOKE

Description: remove access privileges

Syntax:

REVOKE [ GRANT OPTION FOR ]

    { { SELECT | INSERT | UPDATE | DELETE | REFERENCES | TRIGGER }

    [,...] | ALL [ PRIVILEGES ] }

    ON [ TABLE ] tablename [, ...]

    FROM { username | GROUP groupname | PUBLIC } [, ...]

    [ CASCADE | RESTRICT ]

 

REVOKE [ GRANT OPTION FOR ]

    { { USAGE | SELECT | UPDATE }

    [,...] | ALL [ PRIVILEGES ] }

    ON SEQUENCE sequencename [, ...]

    FROM { username | GROUP groupname | PUBLIC } [, ...]

    [ CASCADE | RESTRICT ]

 

REVOKE [ GRANT OPTION FOR ]

    { { CREATE | CONNECT | TEMPORARY | TEMP } [,...] | ALL [ PRIVILEGES ] }

    ON DATABASE dbname [, ...]

    FROM { username | GROUP groupname | PUBLIC } [, ...]

    [ CASCADE | RESTRICT ]

 

REVOKE [ GRANT OPTION FOR ]

    { EXECUTE | ALL [ PRIVILEGES ] }

    ON FUNCTION funcname ( [ [ argmode ] [ argname ] argtype [, ...] ] ) [, ...]

    FROM { username | GROUP groupname | PUBLIC } [, ...]

    [ CASCADE | RESTRICT ]

 

REVOKE [ GRANT OPTION FOR ]

    { USAGE | ALL [ PRIVILEGES ] }

    ON LANGUAGE langname [, ...]

    FROM { username | GROUP groupname | PUBLIC } [, ...]

    [ CASCADE | RESTRICT ]

 

REVOKE [ GRANT OPTION FOR ]

    { { CREATE | USAGE } [,...] | ALL [ PRIVILEGES ] }

    ON SCHEMA schemaname [, ...]

    FROM { username | GROUP groupname | PUBLIC } [, ...]

    [ CASCADE | RESTRICT ]

 

REVOKE [ GRANT OPTION FOR ]

    { CREATE | ALL [ PRIVILEGES ] }

    ON TABLESPACE tablespacename [, ...]

    FROM { username | GROUP groupname | PUBLIC } [, ...]

    [ CASCADE | RESTRICT ]

 

REVOKE [ ADMIN OPTION FOR ]

    role [, ...] FROM username [, ...]

    [ CASCADE | RESTRICT ]
template1=# GRANT admin TO mavshuang;

GRANT ROLE

template1=# \du

                        List of roles

 Role name |              Attributes              | Member of

-----------+--------------------------------------+-----------

 admin     | Create role, Create DB, Cannot login |

 gpadmin   | Superuser, Create role, Create DB    |

 mavshuang |                                      | {admin}

 

template1=# REVOKE admin FROM mavshuang;

REVOKE ROLE

template1=# \du

                        List of roles

 Role name |              Attributes              | Member of

-----------+--------------------------------------+-----------

 admin     | Create role, Create DB, Cannot login |

 gpadmin   | Superuser, Create role, Create DB    |

 mavshuang |                                      |

 

赋予合适的权限给GROUP ROLE

         =#GRANT ALL ON TABLE mytable TO admin;

   =# GRANT ALL ON SCHEMA myschema TO admin;

=# GRANT ALL ONDATABASE mydb TO admin;

       

获取管理属性

testdw=# \h SET ROLE

Command:     SET ROLE

Description: set the current user identifier of the current session

Syntax:

SET [ SESSION | LOCAL ] ROLE rolename

SET [ SESSION | LOCAL ] ROLE NONE

RESET ROLE

 

管理对象权限

对象类型

权限

Tables, Views, Sequences

SELECT

INSERT

UPDATE

DELETE

RULE

ALL

External Tables

SELECT

RULE

ALL

Databases

CONNECT

CREATE

TEMPORARY | TEMP

ALL

Functions

EXECUTE

Procedural Languages

USAGE

Schemas

CREATE

USAGE

ALL

每个对象的权限必须被独立的授权

使用GRANT SQL命令给指定的Role授权一个对象

   =# GRANT INSERT ON mytable TO mavshuang

使用DROP OWNED和REASSIGN OWNED命令来取消Role的Owner权限                                                             

=# REASSIGNOWNED BY mavshuang TO tom;                                                     

=# DROP OWNED BYmavshuang;

testdw=# \d   通过\d命令行查看表相关信息包括模式,名称、类型、所有者以及存储方式

                List of relations

 Schema |    Name     | Type  |  Owner  | Storage

--------+-------------+-------+---------+---------

 public | tb1_test_01 | table | gpadmin | heap

(1 row)

 

模拟Row或者Column级别的权限控制:本身不支持Row和Column级别的访问控制,可以通过View方式模拟。

密码加密

   GPDB4.2.1版本之前,密码默认使用MD5加密,MD5加密目前可以被破解但消耗成本太高。从4.2.1版本开始,开始使用SHA-256加密,美国国家安全局使用此方法加密。

基于时间的登录认证

访问限制可以控制到具体时间点。时间约束仅仅对于设置的Role有效。比如晚上8点到凌晨6点用于跑批处理程序;早8点到下午6点用于开发用户使用等;

需要的权限:只有SUPERUSER(比如gpadmin)或者具备CREATEROLE权限是必须的。

如何添加时间约束:在CREATE ROLE或者ALTER ROLE的时候使用DENY关键字来实现:
1、某天或者某个时间访问限制;
2、一个有开始时间和结束时间的访问控制

指明日期和时间:

英文表述

数字表述

DAY ‘Sunday‘

DAY 0

DAY ‘Monday‘

DAY 1

DAY ‘Tuesday‘

DAY 2

DAY ‘Wednesday‘

DAY 3

DAY ‘Thursday‘

DAY 4

DAY ‘Friday‘

DAY 5

DAY ‘Saturday‘

DAY 6

 

TIME ‘14:00’ (24小时格式的时间)

TIME ‘02:00 PM‘ (12小时格式的时间)

TIME ‘02:00’ (24小时格式的时间) 等价于 TIME ‘02:00 AM‘.

如何添加时间约束

指定时间间隔
通过BETWEEN和AND关键字连接两个日期/时间。

                  BETWEEN DAY ‘Monday‘ AND DAY ‘Tuesday‘

                  BETWEEN DAY ‘Monday‘ TIME ‘00:00‘ ANDDAY ‘Monday‘ TIME ‘01:00‘

                  BETWEEN DAY ‘Monday‘ TIME ‘12:00 AM‘AND DAY ‘Tuesday‘ TIME ‘02:00 AM‘

                  BETWEEN DAY ‘Monday‘ TIME ‘00:00‘ ANDDAY ‘Tuesday‘ TIME ‘02:00‘

                  BETWEEN DAY 1 TIME ‘00:00‘ AND DAY 2TIME ‘02:00‘

         注意:日期间隔不能跨Saturday(周六)
         Incorrect: DENY BETWEENDAY ‘Saturday‘ AND DAY ‘Sunday‘

testdw=# \! date   通过该命令查看当前日期

Mon Mar 23 21:58:25 CST 2015

 

   删除时间约束
        
使用ALTER ROLE命令接DROP DENYFOR关键字
         原则:有交集即移出
         ALTER ROLE mavshuang DROP DENYFOR DAY ‘Monday’;

配置客户端认证

允许连接到GPDB,通过pg_hba.conf文件;该文件在Master和Segment节点上都存在;

     包含每行一条记录的平面文件,格式:

Remote:host database role CIDR-address authentication-method

Unix-domain:local database role authentication-method

 

默认Master主机pg_hba.conf文件

       允许SUPERUSER的本地连接;但不允许远程连接。

 

Greenplum中角色权限及客户端认证管理