[openGauss 学废系列]-熟悉openGauss体系结构-权限
一、学习目标
今天是本次实训的第五节课,学习目标的一个重要环节仍然是对openGauss体系结构的理解,对于体系结构的理解,其中一个特别重要的知识点就是对权限的理解。
针对openGauss的权限,我也查询了openGauss的相关资料,整理如下:
1.1 openGauss权限层级
openGauss数据库权限是分层级的,这里我引用openGauss对于权限分层的一副图来描述openGauss权限层级,如下所示。
其实,openGauss的这个权限层级和当前一些主流数据库的权限层级相同,Oracle从12C开始推出的PDB也符合这一权限层级。
在这个权限层级下,在一个实例下可以创建多个数据库,在每个数据库下又可以创建多个schema,每个schema下可以创建多个表、函数、存储过程及索引等,而且不同的schema下可以创建相同名称的表。每个表又可以分为行和列两个维度。
1.2 openGauss权限分类
openGauss数据库中,可以分为两类权限,其分别是系统权限和对象权限,每个权限的具体含义如下:
1.2.1 系统权限
系统权限是指系统规定用户可使用数据库的权限,如登陆数据库、创建数据库、创建数据库及角色等。系统权限也被称为用户属性,特定属性的用户会获得指定属性所对应权限,系统权限是无法通过角色被继承的,可以在创建用户或修改用户属性是使用create user/role或alter user/role方式给指定用户创建或修改用户的属性。
根据openGuass官网资料,openGauss对一些系统权限的支持及相应含义如下表所示:
| 系统权限 | 权限说明 |
|---|---|
| SYSADMIN | 允许用户创建数据库、表空间、用户、角色、查看、删除审计日志、查看其它用户的数据 |
| MONADMIN | 允许用户对系统模式dbe_perf及该模式下的监控视图或函数进行查看和权限管理 |
| OPRADMIN | 允许用户使用Roach工具执行数据库备份和恢复 |
| POLADMIN | 允许用户创建资源标签、动态数据脱敏策略和统一审计策略 |
| AUDITADMIN | 允许用户查看及删除审计日志 |
| CREATEDB | 允许用户创建数据库 |
| USEFT | 允许用户创建外表 |
| CREATEROLE | 允许用户创建用户或角色 |
| INHERIT | 允许用户继承所在组的角色权限 |
| LOGIN | 允许用户登录数据库 |
| REPLICATION | 允许用户执行流复制相关操作 |
1.2.2 对象权限
对象权限是指在数据库、模式、表、视图、函数等数据库对象上执行特殊动作的权限,不同的对象类型与不同的权限相关联,如数据库的连接权限、表的查看、更新及插入、函数的执行、撤销已授予的操作权限等。
如日常对表空间的create、alter、drop权限,对数据库的create、drop、connect等权限、对schema的create、alter、drop等权限,对表的create、delete、update、comment、select等权限。
二、测试环境准备
2.1 删除已有数据库
root@modb:~# su - omm
omm@modb:~$ gsql
gsql ((openGauss 3.0.0 build 02c14696) compiled at 2022-04-01 18:12:00 commit 0 last mr )
Non-SSL connection (SSL connection is recommended when requiring high-security)
Type "help" for help.
omm=# drop DATABASE IF EXISTS musicdb;
NOTICE: database "musicdb" does not exist, skipping
DROP DATABASE
omm=# drop DATABASE IF EXISTS musicdb1;
NOTICE: database "musicdb1" does not exist, skipping
DROP DATABASE
omm=# drop DATABASE IF EXISTS musicdb2;
NOTICE: database "musicdb2" does not exist, skipping
DROP DATABASE
omm=# drop DATABASE IF EXISTS musicdb3;
NOTICE: database "musicdb3" does not exist, skipping
DROP DATABASE
omm=# drop tablespace IF EXISTS music_tbs;
NOTICE: Tablespace "music_tbs" does not exist, skipping.
DROP TABLESPACE
2.2 创建数据库及表空间
omm=# CREATE TABLESPACE music_tbs RELATIVE LOCATION 'tablespace/test_ts1';
CREATE TABLESPACE
omm=# CREATE DATABASE musicdb1 WITH TABLESPACE = music_tbs;
ERROR: invalid byte sequence for encoding "UTF8": 0xe3 0x43 0x52
omm=# CREATE DATABASE musicdb1 WITH TABLESPACE = music_tbs;
CREATE DATABASE
omm=# CREATE DATABASE musicdb2 WITH TABLESPACE = music_tbs;
CREATE DATABASE
omm=# CREATE DATABASE musicdb3 WITH TABLESPACE = music_tbs;
CREATE DATABASE
-- 当用鼠标从其它环境粘贴复制到crt上执行时,有时会遇到 ERROR: invalid byte sequence for encoding "UTF8": 0xe3 0x43 0x52报错,这方面的报错信息,详见我曾写的一个帖子:https://www.modb.pro/db/568409,里面有该报错的原因及分析。
-- 另外创建表空间时,无法指定表空间所对应的目录全路径,比如:
presdb=# \db
List of tablespaces
Name | Owner | Location
------------+---------+--------------------------------
pg_default | omm |
pg_global | omm |
tbs1 | preuser | /opt/gaussdb/install/data/tbs1
tbs2 | preuser | /opt/gaussdb/install/data/tbs2
(4 rows)
presdb=# CREATE TABLESPACE music_tbs RELATIVE LOCATION '/opt/gaussdb/install/data/music_tbs';
ERROR: relative location can only be formed of 'a~z', 'A~Z', '0~9', '-', '_' and two level directory at most
presdb=# CREATE TABLESPACE music_tbs RELATIVE LOCATION 'data/music_tbs';
CREATE TABLESPACE
presdb=# \db
List of tablespaces
Name | Owner | Location
------------+---------+--------------------------------
music_tbs | omm | data/music_tbs
pg_default | omm |
pg_global | omm |
tbs1 | preuser | /opt/gaussdb/install/data/tbs1
tbs2 | preuser | /opt/gaussdb/install/data/tbs2
(5 rows)
2.3 创建用户并赋权
omm=# CREATE USER user1 IDENTIFIED BY 'kunpeng@1234';
NOTICE: The encrypted password contains MD5 ciphertext, which is not secure.
CREATE ROLE
omm=# ALTER USER user1 SYSADMIN;
2.4 切换数据库并创建表
omm=# \c musicdb1 user1
Password for user user1:
Non-SSL connection (SSL connection is recommended when requiring high-security)
You are now connected to database "musicdb1" as user "user1".
musicdb1=> create table t11(col1 char(20));
ERROR: permission denied for schema public
DETAIL: N/A
musicdb1=> \q
omm@modb:~$ gsql -r
gsql ((openGauss 3.0.0 build 02c14696) compiled at 2022-04-01 18:12:00 commit 0 last mr )
Non-SSL connection (SSL connection is recommended when requiring high-security)
Type "help" for help.
omm=# ALTER USER user1 SYSADMIN;
ALTER ROLE
omm=#
omm=# \c musicdb1 user1
Password for user user1:
Non-SSL connection (SSL connection is recommended when requiring high-security)
You are now connected to database "musicdb1" as user "user1".
musicdb1=> create table t11(col1 char(20));
CREATE TABLE
musicdb1=> insert into t11 values('Hello openGauss! 11');
INSERT 0 1
musicdb1=> select * from t11;
musicdb1=> col1
----------------------
Hello openGauss! 11
(1 row)
musicdb1=>
musicdb1=> \c musicdb2 user1
Password for user user1:
Non-SSL connection (SSL connection is recommended when requiring high-security)
You are now connected to database "musicdb2" as user "user1".
musicdb2=> create table t21(col1 char(20));
musicdb2=> CREATE TABLE
musicdb2=> insert into t21 values('Hello openGauss! 22');
musicdb2=> INSERT 0 1
musicdb2=> select * from t21;
musicdb2=> col1
----------------------
Hello openGauss! 22
(1 row)
musicdb2=> \c musicdb3 user1
Password for user user1:
Non-SSL connection (SSL connection is recommended when requiring high-security)
You are now connected to database "musicdb3" as user "user1".
musicdb3=> create table t31(col1 char(20));
CREATE TABLE
musicdb3=> insert into t31 values('Hello openGauss! 33');
INSERT 0 1
musicdb3=> select * from t31;
col1
----------------------
Hello openGauss! 33
(1 row)
三、课后作业
3.1 创建数据库和用户并赋权
3.1.1 创建数据库musicdb10
-- 创建表空间
presdb=# CREATE TABLESPACE musicdbtbs RELATIVE LOCATION 'data/musicdbtbs';
CREATE TABLESPACE
-- 创建数据库
presdb=# CREATE DATABASE musicdb10 WITH TABLESPACE = musicdbtbs;
CREATE DATABASE
3.1.2 创建用户user10
presdb=# CREATE USER user10 IDENTIFIED BY 'kunpeng@1234';
CREATE ROLE
3.1.3 为用户赋予系统权限
presdb=# ALTER USER user10 SYSADMIN;
ALTER ROLE
3.2 user10访问postgres库并创建表
presdb=# \c postgres user10
Password for user user10:
Non-SSL connection (SSL connection is recommended when requiring high-security)
You are now connected to database "postgres" as user "user10".
openGauss=> create table tb1(id int,name varchar(20));
ERROR: relation "tb1" already exists in schema "public"
DETAIL: creating new table with existing name in the same schema
openGauss=> create table tb10(id int,name varchar(20));
CREATE TABLE
openGauss=> insert into tb10 values (1,'shanglei');
INSERT 0 1
openGauss=> select * from tb10;
id | name
----+----------
1 | shanglei
(1 row)
3.3 user10访问omm库并创建表
omm=# \c omm user10
Password for user user10:
Non-SSL connection (SSL connection is recommended when requiring high-security)
You are now connected to database "omm" as user "user10".
omm=> create table tb10(id int,name varchar(20));
CREATE TABLE
omm=> insert into tb10 values (1,'shanglei');
INSERT 0 1
omm=> select * from tb10;
id | name
----+----------
1 | shanglei
(1 row)
3.4 user10访问musicdb10库并创建表
omm=> \c musicdb10 user10
Password for user user10:
Non-SSL connection (SSL connection is recommended when requiring high-security)
You are now connected to database "musicdb10" as user "user10".
musicdb10=> create table tb10(id int,name varchar(20));
CREATE TABLE
musicdb10=> insert into tb10 values (1,'shanglei');
INSERT 0 1
musicdb10=> select * from tb10;
id | name
----+----------
1 | shanglei
(1 row)
四、学习心得
通过本课程的学习,增强了对openGauss的系统权限和对象权限的理解。另外对于在创建表空间时,特别要注意表空间后LOCATION的写法,还有遇到问题该如何排查和处理。