如何为尚未定义的函数授予 EXECUTE 权限
How to grant EXECUTE permissions for yet to be defined functions
我正在 运行ning 一个 SQL 脚本,它首先创建一个用户,然后定义一些函数。如何在定义函数后不授予权限的情况下授予EXECUTE尚未定义的函数权限?还有我以后定义的函数?
我试过像这样更改默认权限,但没有成功:
alter default privileges for user admin in schema myschema
GRANT execute ON functions TO admin;
在 运行 像这样运行脚本后给予授权,但我不想每次定义新函数时都 运行 它:
grant execute on all functions in schema myschema to admin;
您无需执行任何操作。 继续阅读。
一旦您执行了 ALTER DEFAULT PRIVILEGES,您建议的手动 GRANT 就不再需要了。定义的权限是自动授予的,就像您希望的那样 - 对于定义的创建角色,定义的接收角色,在定义的模式中。
您的语句中确实有两次 admin,这是没有意义的,因为创建者是函数的初始所有者,并且引用了 the manual:
Default privileges always include all privileges for the owner
你可能想在现代 Postgres(版本 11 或更高版本)中使用 ROUTINE 而不是 FUNCTION。 The manual on GRANT:
The FUNCTION syntax works for plain functions, aggregate functions,
and window functions, but not for procedures; use PROCEDURE for
those. Alternatively, use ROUTINE to refer to a function, aggregate
function, window function, or procedure regardless of its precise
type.
然而(有点令人困惑)ALTER DEFAULT PRIVILEGES 上的手册是这样说的:
For this command, functions include aggregates and procedures. The
words FUNCTIONS and ROUTINES are equivalent in this command.
(ROUTINES is preferred going forward as the standard term for
functions and procedures taken together. In earlier PostgreSQL
releases, only the word FUNCTIONS was allowed. It is not possible to
set default privileges for functions and procedures separately.)
无论如何,ROUTINES 通常是现代 Postgres 的正确选择。 运行 创建后的这个 creating_role:
ALTER DEFAULT PRIVILEGES FOR ROLE creating_role IN SCHEMA myschema
GRANT EXECUTE ON ROUTINES TO receiving_role;
然后,receiving_role有权执行那些功能。 除了,在标准设置中,PUBLIC无论如何都有权执行。每个角色都自动成为 PUBLIC 的成员。 The manual:
For other types of objects, the default privileges granted to PUBLIC are as follows: [...] EXECUTE privilege for functions and procedures;
所以你什么都不用做。
您是否知道 EXECUTE 的基本特权不会提供任何其他特权?特别是,表等以执行角色的权限访问。您可能正在寻找 SECURITY DEFINER functions。相关:
- PHP script with PostgreSQL commands returning NULL for JSon data
我正在 运行ning 一个 SQL 脚本,它首先创建一个用户,然后定义一些函数。如何在定义函数后不授予权限的情况下授予EXECUTE尚未定义的函数权限?还有我以后定义的函数?
我试过像这样更改默认权限,但没有成功:
alter default privileges for user admin in schema myschema
GRANT execute ON functions TO admin;
在 运行 像这样运行脚本后给予授权,但我不想每次定义新函数时都 运行 它:
grant execute on all functions in schema myschema to admin;
您无需执行任何操作。 继续阅读。
一旦您执行了 ALTER DEFAULT PRIVILEGES,您建议的手动 GRANT 就不再需要了。定义的权限是自动授予的,就像您希望的那样 - 对于定义的创建角色,定义的接收角色,在定义的模式中。
您的语句中确实有两次 admin,这是没有意义的,因为创建者是函数的初始所有者,并且引用了 the manual:
Default privileges always include all privileges for the owner
你可能想在现代 Postgres(版本 11 或更高版本)中使用 ROUTINE 而不是 FUNCTION。 The manual on GRANT:
The
FUNCTIONsyntax works for plain functions, aggregate functions, and window functions, but not for procedures; usePROCEDUREfor those. Alternatively, useROUTINEto refer to a function, aggregate function, window function, or procedure regardless of its precise type.
然而(有点令人困惑)ALTER DEFAULT PRIVILEGES 上的手册是这样说的:
For this command, functions include aggregates and procedures. The words
FUNCTIONSandROUTINESare equivalent in this command. (ROUTINESis preferred going forward as the standard term for functions and procedures taken together. In earlier PostgreSQL releases, only the wordFUNCTIONSwas allowed. It is not possible to set default privileges for functions and procedures separately.)
无论如何,ROUTINES 通常是现代 Postgres 的正确选择。 运行 创建后的这个 creating_role:
ALTER DEFAULT PRIVILEGES FOR ROLE creating_role IN SCHEMA myschema
GRANT EXECUTE ON ROUTINES TO receiving_role;
然后,receiving_role有权执行那些功能。 除了,在标准设置中,PUBLIC无论如何都有权执行。每个角色都自动成为 PUBLIC 的成员。 The manual:
For other types of objects, the default privileges granted to
PUBLICare as follows: [...]EXECUTEprivilege for functions and procedures;
所以你什么都不用做。
您是否知道 EXECUTE 的基本特权不会提供任何其他特权?特别是,表等以执行角色的权限访问。您可能正在寻找 SECURITY DEFINER functions。相关:
- PHP script with PostgreSQL commands returning NULL for JSon data