从继承角色撤销SELECT

Question

我有一个轻微的问题，获取权限以我想要的方式工作。

我有一个角色，通常应该允许到处选择SELECT，这里有一堆成员。其中一个不应该被允许从某个表中选择。

我认为这可以通过授予一般读者角色的角色成员资格并从限制表中撤销SELECT来实现。

似乎父角色的权限适用，而不是特定的权限。有没有办法解决这个问题，而不必维护更受限制的角色的权限，还是我以错误的方式在PostgreSQL中应用角色概念？

下面是一个示例脚本：

-- as superuser 
CREATE DATABASE permission_test; 

\c permission_test 

CREATE ROLE r_general_select; 
CREATE ROLE r_restricted_select IN ROLE r_general_select; 

-- set the default permissions 
ALTER DEFAULT PRIVILEGES IN SCHEMA "public" GRANT SELECT ON TABLES TO "r_general_select"; 

CREATE TABLE "open"(
    id SERIAL, 
    payload TEXT 
); 
insert into "open"(payload) values ('test'); 

-- covered by default privileges 
GRANT SELECT ON "open" TO PUBLIC; 

-- Tests 
-- this is good 
SET ROLE r_general_select; 
SELECT * FROM "open"; 
RESET ROLE; 

-- this is good 
SET ROLE r_restricted_select; 
SELECT * FROM "open"; 
RESET ROLE; 

CREATE TABLE "restricted" (
    id SERIAL, 
    payload TEXT 
); 
insert into "restricted"(payload) values ('test'); 

-- the role and it's members should be able to read 
GRANT SELECT ON "restricted" TO r_general_select; 
-- except for this one! 
REVOKE SELECT ON "restricted" FROM r_restricted_select; 

-- Tests 
-- this is good 
SET ROLE r_general_select; 
SELECT * FROM restricted; 
RESET ROLE; 

-- this should barf with a permission violation 
SET ROLE r_restricted_select; 
SELECT * FROM restricted; 
RESET ROLE; 

--- CLEANUP 
DROP OWNED BY "r_restricted_select" CASCADE; 
DROP ROLE r_restricted_select ; 
DROP OWNED BY "r_general_select" CASCADE; 
DROP ROLE r_general_select ; 

Answer 1

在PostgreSQL，角色权限是纯粹的添加剂。在这样的模型中，没有办法从后代中撤销，继承角色在继承的角色上授予的权限。

要解决此问题，您需要更改权限方法，并根据权限总是一起发生。我通常通过一起查看函数依赖关系和操作依赖关系来做到这一点。