PostgreSQL 不会递归地撤销角色
PostgreSQL doesn't recursively revoke roles
我在 Windows 7 SP1 64 位上使用 PostgreSQL 9.4,在撤销角色时遇到问题。
假设我有三个用户:taylor、michelle 和超级用户 postgres。
作为 postgres,我将角色 'utente' 授予 taylor 并带有管理选项
--postgres@localhost:5432
GRANT utente TO taylor WITH ADMIN OPTION;
然后,作为泰勒,我将 utente 的角色授予米歇尔
--taylor@localhost:5432
GRANT utente TO michelle;
最后,作为 postgres,我撤销了 taylor 的 utente 角色
--postgres@localhost:5432
REVOKE utente FROM taylor
这个角色也应该被递归地从米歇尔那里撤销,因为她只从泰勒那里得到了这个角色。但事实并非如此,泰勒失去了这个角色,但米歇尔保留了它。我尝试 运行 带有 RESTRICT 选项的命令,这应该会阻止它被执行,但它不起作用,命令以完全相同的方式执行,taylor 失去了角色,而 michelle 保留了它。
谁能给我解释一下吗?
谢谢。
RESTRICT
选项由 PostgreSQL 隐式应用,因此您不必显式指定它。
根据 documentation:
A user can only revoke privileges that were granted directly by that user. If, for example, user A has granted a privilege with grant option to user B, and user B has in turned granted it to user C, then user A cannot revoke the privilege directly from C. Instead, user A could revoke the grant option from user B and use the CASCADE option so that the privilege is in turn revoked from user C.
所以:
REVOKE utente FROM taylor CASCADE;
但是正如您所指出的,这是行不通的。看起来这是一个错误或文档中的错误。
干净运行:
patrick@puny:~$ psql -d pfams
psql (9.4.4)
Type "help" for help.
pfams=# SET SESSION AUTHORIZATION postgres;
SET
pfams=# CREATE ROLE utente NOLOGIN;
CREATE ROLE
pfams=# CREATE ROLE taylor LOGIN;
CREATE ROLE
pfams=# CREATE ROLE michelle LOGIN;
CREATE ROLE
pfams=# GRANT utente TO taylor WITH ADMIN OPTION;
GRANT ROLE
pfams=# SET SESSION AUTHORIZATION taylor;
SET
pfams=> GRANT utente TO michelle;
GRANT ROLE
pfams=# SET SESSION AUTHORIZATION postgres;
SET
pfams=# REVOKE utente FROM taylor CASCADE;
REVOKE ROLE
pfams=# \du taylor
List of roles
Role name | Attributes | Member of
-----------+------------+-----------
taylor | | {}
pfams=# \du michelle
List of roles
Role name | Attributes | Member of
-----------+------------+-----------
michelle | | {utente}
也许可以向 PostgreSQL 错误邮件列表报告一些事情。
我在 Windows 7 SP1 64 位上使用 PostgreSQL 9.4,在撤销角色时遇到问题。 假设我有三个用户:taylor、michelle 和超级用户 postgres。 作为 postgres,我将角色 'utente' 授予 taylor 并带有管理选项
--postgres@localhost:5432
GRANT utente TO taylor WITH ADMIN OPTION;
然后,作为泰勒,我将 utente 的角色授予米歇尔
--taylor@localhost:5432
GRANT utente TO michelle;
最后,作为 postgres,我撤销了 taylor 的 utente 角色
--postgres@localhost:5432
REVOKE utente FROM taylor
这个角色也应该被递归地从米歇尔那里撤销,因为她只从泰勒那里得到了这个角色。但事实并非如此,泰勒失去了这个角色,但米歇尔保留了它。我尝试 运行 带有 RESTRICT 选项的命令,这应该会阻止它被执行,但它不起作用,命令以完全相同的方式执行,taylor 失去了角色,而 michelle 保留了它。 谁能给我解释一下吗?
谢谢。
RESTRICT
选项由 PostgreSQL 隐式应用,因此您不必显式指定它。
根据 documentation:
A user can only revoke privileges that were granted directly by that user. If, for example, user A has granted a privilege with grant option to user B, and user B has in turned granted it to user C, then user A cannot revoke the privilege directly from C. Instead, user A could revoke the grant option from user B and use the CASCADE option so that the privilege is in turn revoked from user C.
所以:
REVOKE utente FROM taylor CASCADE;
但是正如您所指出的,这是行不通的。看起来这是一个错误或文档中的错误。
干净运行:
patrick@puny:~$ psql -d pfams
psql (9.4.4)
Type "help" for help.
pfams=# SET SESSION AUTHORIZATION postgres;
SET
pfams=# CREATE ROLE utente NOLOGIN;
CREATE ROLE
pfams=# CREATE ROLE taylor LOGIN;
CREATE ROLE
pfams=# CREATE ROLE michelle LOGIN;
CREATE ROLE
pfams=# GRANT utente TO taylor WITH ADMIN OPTION;
GRANT ROLE
pfams=# SET SESSION AUTHORIZATION taylor;
SET
pfams=> GRANT utente TO michelle;
GRANT ROLE
pfams=# SET SESSION AUTHORIZATION postgres;
SET
pfams=# REVOKE utente FROM taylor CASCADE;
REVOKE ROLE
pfams=# \du taylor
List of roles
Role name | Attributes | Member of
-----------+------------+-----------
taylor | | {}
pfams=# \du michelle
List of roles
Role name | Attributes | Member of
-----------+------------+-----------
michelle | | {utente}
也许可以向 PostgreSQL 错误邮件列表报告一些事情。