PostgreSQL: cannot access tables created for the application user

Question

I am working on a self-study project. My current goal/obstacle is to create a PostgreSQL database setup with managed migrations, with the least required privileges for separate migration and application users. So far I have managed to get the migration part working, but my setup is too restrictive for the supposed application user. What I want to achieve is that the application user can use the tables but cannot change the schema.

I am using PostgreSQL from Docker and Flyway for migrations in a Spring Java application.

Here is my database init script for container creation:

To run this, I do "docker compose up" on the terminal.

CREATE DATABASE hot_update;

CREATE USER flyway_migration WITH PASSWORD 'flyway_secret';
CREATE USER spring_application WITH PASSWORD 'spring_secret';

\c hot_update

DROP SCHEMA public;

CREATE SCHEMA application_schema AUTHORIZATION spring_application;
ALTER ROLE spring_application SET search_path = application_schema;

GRANT USAGE, CREATE ON SCHEMA application_schema TO flyway_migration;
GRANT TEMPORARY ON DATABASE hot_update TO spring_application;

GRANT USAGE ON SCHEMA application_schema TO spring_application;

ALTER DEFAULT PRIVILEGES
  IN SCHEMA application_schema
  GRANT ALL PRIVILEGES ON TABLES TO spring_application;

Then the contents of the first migration, applied by flyway_user. To run it, I execute "mvn spring-boot:run" on the terminal.

CREATE TABLE simple_entity
(
    id UUID,
    created_at TIMESTAMP,
    text varchar(255)
);

It does not work. At first I thought I had messed up my r2dbc driver configuration in the Spring application, but it does not even work from psql. Example session on the terminal:

wiktor@desktop-bep0pt7-1:~/code/postgres-hot-update> psql -U spring_application -h localhost -d hot_update
Password for user spring_application: 
psql (15.2)
Type "help" for help.

hot_update=> SELECT * FROM simple_entity;
ERROR:  permission denied for table simple_entity

For reference, the output of the information commands in psql:
hot_update=> \dn
             List of schemas
        Name        |       Owner        
--------------------+--------------------
 application_schema | spring_application
(1 row)

hot_update=> \d+
                                                      List of relations
       Schema       |         Name          | Type  |      Owner       | Persistence | Access method |  Size   | Description 
--------------------+-----------------------+-------+------------------+-------------+---------------+---------+-------------
 application_schema | flyway_schema_history | table | flyway_migration | permanent   | heap          | 16 kB   | 
 application_schema | simple_entity         | table | flyway_migration | permanent   | heap          | 0 bytes | 
(2 rows)

hot_update=> \dp
                                           Access privileges
       Schema       |         Name          | Type  | Access privileges | Column privileges | Policies 
--------------------+-----------------------+-------+-------------------+-------------------+----------
 application_schema | flyway_schema_history | table |                   |                   | 
 application_schema | simple_entity         | table |                   |                   | 
(2 rows)

hot_update=> \ddp
                          Default access privileges
  Owner   |       Schema       | Type  |          Access privileges          
----------+--------------------+-------+-------------------------------------
 postgres | application_schema | table | spring_application=arwdDxt/postgres
(1 row)

If anyone wants to try it locally, here is a link to the branch in the WIP state I had while writing this question.

https://gitlab.com/stmi-blog/postgres-hot-update/-/tree/5-add-spring-data-reactive-repository-over-dummy-table

I have cross-posted the same question to https://dba.stackexchange.com

Tags: postgresql permissions spring-data acl flyway
1 Answer

I see where the problem is: when you assign the default privileges, it should be done as flyway_migration.

hot_update=# \c - flyway_migration 
You are now connected to database "hot_update" as user "flyway_migration".
hot_update=> 
hot_update=> ALTER DEFAULT PRIVILEGES
hot_update->   IN SCHEMA application_schema
hot_update->   GRANT ALL PRIVILEGES ON TABLES TO spring_application;
ALTER DEFAULT PRIVILEGES
hot_update=> 
hot_update=> CREATE TABLE application_schema.simple_entity
hot_update-> (
hot_update(>     id UUID,
hot_update(>     created_at TIMESTAMP,
hot_update(>     text varchar(255)
hot_update(> );
CREATE TABLE

As you can see:

hot_update=> \c - spring_application 
You are now connected to database "hot_update" as user "spring_application".
hot_update=> select * from simple_entity ;
 id | created_at | text 
----+------------+------
(0 rows)

Now for the owner you have flyway_migration instead of postgres:

hot_update=> \ddp
                                  Default access privileges
      Owner       |       Schema       | Type  |              Access privileges              
------------------+--------------------+-------+---------------------------------------------
 flyway_migration | application_schema | table | spring_application=arwdDxt/flyway_migration
(1 row)

Or you have to create the table as postgres, CASE 2:

hot_update=# drop table application_schema.simple_entity ;
DROP TABLE

hot_update=> \c - postgres
You are now connected to database "hot_update" as user "postgres".
hot_update=# ALTER DEFAULT PRIVILEGES IN SCHEMA application_schema GRANT ALL PRIVILEGES ON TABLES TO spring_application;
ALTER DEFAULT PRIVILEGES
hot_update=# 
hot_update=# CREATE TABLE application_schema.simple_entity
hot_update-# (
hot_update(#     id UUID,
hot_update(#     created_at TIMESTAMP,
hot_update(#     text varchar(255)
hot_update(# );
CREATE TABLE
hot_update=# \c - spring_application 
You are now connected to database "hot_update" as user "spring_application".
hot_update=> select * from simple_entity ;
 id | created_at | text 
----+------------+------
(0 rows)

You have:

hot_update=> \ddp
                                  Default access privileges
      Owner       |       Schema       | Type  |              Access privileges              
------------------+--------------------+-------+---------------------------------------------
 flyway_migration | application_schema | table | spring_application=arwdDxt/flyway_migration
 postgres         | application_schema | table | spring_application=arwdDxt/postgres
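As an added example (not the init script from the question nor the answer's session), here is a variant of the container init script that keeps the default-privilege grant in the superuser-run script by naming the creating role with FOR ROLE, lets the migration role own the schema, and gives the application user DML only; the query at the end reads the same catalog that \ddp displays. Role, schema and database names are taken from the question.

```sql
-- Added example, not the original poster's script.
-- ALTER DEFAULT PRIVILEGES only covers objects created by the role it is
-- run as (or the role named in FOR ROLE); run as postgres without FOR ROLE,
-- it never applied to the tables that flyway_migration created.
CREATE DATABASE hot_update;

CREATE USER flyway_migration WITH PASSWORD 'flyway_secret';
CREATE USER spring_application WITH PASSWORD 'spring_secret';

\c hot_update

DROP SCHEMA public;

-- A schema owner may drop any table inside the schema, so the migration
-- role, not the application role, owns it.
CREATE SCHEMA application_schema AUTHORIZATION flyway_migration;
ALTER ROLE flyway_migration SET search_path = application_schema;
ALTER ROLE spring_application SET search_path = application_schema;

GRANT USAGE ON SCHEMA application_schema TO spring_application;
GRANT TEMPORARY ON DATABASE hot_update TO spring_application;

-- Defaults scoped to objects that flyway_migration will create. DML only:
-- ALL would also hand out TRUNCATE, REFERENCES and TRIGGER.
ALTER DEFAULT PRIVILEGES FOR ROLE flyway_migration
  IN SCHEMA application_schema
  GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO spring_application;

ALTER DEFAULT PRIVILEGES FOR ROLE flyway_migration
  IN SCHEMA application_schema
  GRANT USAGE, SELECT ON SEQUENCES TO spring_application;

-- Check: the grantor (the "/role" suffix in the ACL) must now be
-- flyway_migration, as in the answer's \ddp output.
SELECT r.rolname AS owner, n.nspname AS schema, d.defaclacl
FROM pg_default_acl d
JOIN pg_roles r ON r.oid = d.defaclrole
JOIN pg_namespace n ON n.oid = d.defaclnamespace;
```

These defaults also cover flyway_schema_history, which Flyway creates as flyway_migration; if the application must not be able to modify migration history, revoke its DML on that table in a later migration.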