PostgreSQL 创建受限用户并限制数据访问
要实现创建一个只能访问特定表且只能看到特定组织数据(org_id=123)的用户,同时禁止访问hs_disce表,可以按照以下步骤操作:
1. 创建新用户
CREATE USER restricted_user WITH PASSWORD 'secure_password';
2. 授予基本连接权限
GRANT CONNECT ON DATABASE your_database TO restricted_user;
3. 授予特定表的访问权限
GRANT USAGE ON SCHEMA public TO restricted_user;GRANT SELECT ON hs_report_task TO restricted_user;
GRANT SELECT ON hs_recipel TO restricted_user;
GRANT SELECT ON hs_recipel_item TO restricted_user;
4. 设置行级安全策略(RLS)
首先确保表已启用行级安全:
ALTER TABLE hs_report_task ENABLE ROW LEVEL SECURITY;
ALTER TABLE hs_recipel ENABLE ROW LEVEL SECURITY;
ALTER TABLE hs_recipel_item ENABLE ROW LEVEL SECURITY;
然后为每张表创建策略:
-- 对hs_report_task表的策略
CREATE POLICY org_restriction_policy_report_task ON hs_report_taskFOR SELECTTO restricted_userUSING (org_id = 123);-- 对hs_recipel表的策略
CREATE POLICY org_restriction_policy_recipel ON hs_recipelFOR SELECTTO restricted_userUSING (org_id = 123);-- 对hs_recipel_item表的策略
CREATE POLICY org_restriction_policy_recipel_item ON hs_recipel_itemFOR SELECTTO restricted_userUSING (org_id = 123);
5. 确保用户无法访问hs_disce表
REVOKE ALL PRIVILEGES ON hs_disce FROM restricted_user;
6. 可选:创建视图简化访问
如果需要,可以为该用户创建视图:
CREATE VIEW restricted_user_hs_report_task AS
SELECT * FROM hs_report_task WHERE org_id = 123;GRANT SELECT ON restricted_user_hs_report_task TO restricted_user;
-- 对其他表重复类似操作
验证设置
- 使用新用户登录:
psql -U restricted_user -d your_database
- 尝试查询数据:
SELECT * FROM hs_report_task; -- 应该只看到org_id=123的数据
SELECT * FROM hs_disce; -- 应该被拒绝
这样设置后,restricted_user用户将只能看到三张指定表中org_id=123的数据,而无法访问hs_disce表或其他不符合条件的数据。