REVOKE CONNECT ON DATABASE dbname FROM SUPERUSERS;
REVOKE CONNECT ON DATABASE dbname FROM USERS;
解题思路:
假设数据库名称为 scott,我们测试一下以上选项:
1 2 3 4 5 6 7 8 9
-- 现在创建了一个普通用户 user01,可以正常连接数据库 scott scott=# createuser user01 with password 'kingbase'; CREATE ROLE scott=# \c scott user01 Password foruser user01:
You are now connected to database "scott" as userName "user01". scott=> \conninfo You are connected to database "scott" asuser "user01" on host "localhost" (address "::1") at port "54321".
接着尝试一个个收回权限。
1、选项 1 执行后,普通用户无法正常连接
1 2 3 4 5 6 7 8 9 10 11 12
test=# REVOKECONNECTON DATABASE scott FROM PUBLIC; REVOKE test=# \c scott user01 Password foruser user01:
FATAL: permission denied for database "scott" DETAIL: User does not have CONNECT privilege. Previous connection kept
-- 恢复权限 test=# grantCONNECTON DATABASE scott to public; GRANT
REVOKE [ GRANT OPTION FOR ] { { SELECT|INSERT|UPDATE|DELETE|TRUNCATE|REFERENCES|TRIGGER } [, ...] |ALL [ PRIVILEGES ] } ON { [ TABLE ] table_name [, ...] |ALL TABLES IN SCHEMA schema_name [, ...] } FROM { [ GROUP ] role_name | PUBLIC } [, ...] [ CASCADE | RESTRICT ]
REVOKE [ GRANT OPTION FOR ] { { SELECT|INSERT|UPDATE|REFERENCES } ( column_name [, ...] ) [, ...] |ALL [ PRIVILEGES ] ( column_name [, ...] ) } ON [ TABLE ] table_name [, ...] FROM { [ GROUP ] role_name | PUBLIC } [, ...] [ CASCADE | RESTRICT ]
REVOKE [ GRANT OPTION FOR ] { { USAGE |SELECT|UPDATE } [, ...] |ALL [ PRIVILEGES ] } ON { SEQUENCE sequence_name [, ...] |ALL SEQUENCES IN SCHEMA schema_name [, ...] } FROM { [ GROUP ] role_name | PUBLIC } [, ...] [ CASCADE | RESTRICT ]
REVOKE [ GRANT OPTION FOR ] { { CREATE|CONNECT| TEMPORARY | TEMP } [, ...] |ALL [ PRIVILEGES ] } ON DATABASE database_name [, ...] FROM { [ GROUP ] role_name | PUBLIC } [, ...] [ CASCADE | RESTRICT ]
REVOKE [ GRANT OPTION FOR ] { USAGE |ALL [ PRIVILEGES ] } ON DOMAIN domain_name [, ...] FROM { [ GROUP ] role_name | PUBLIC } [, ...] [ CASCADE | RESTRICT ]
REVOKE [ GRANT OPTION FOR ] { USAGE |ALL [ PRIVILEGES ] } ONFOREIGN DATA WRAPPER fdw_name [, ...] FROM { [ GROUP ] role_name | PUBLIC } [, ...] [ CASCADE | RESTRICT ]
REVOKE [ GRANT OPTION FOR ] { USAGE |ALL [ PRIVILEGES ] } ONFOREIGN SERVER server_name [, ...] FROM { [ GROUP ] role_name | PUBLIC } [, ...] [ CASCADE | RESTRICT ]
REVOKE [ GRANT OPTION FOR ] { EXECUTE|ALL [ PRIVILEGES ] } ON { { FUNCTION|PROCEDURE| ROUTINE } function_name [ ( [ [ argmode ] [ arg_name ] arg_type [, ...] ] ) ] [, ...] |ALL { FUNCTIONS | PROCEDURES | ROUTINES } IN SCHEMA schema_name [, ...] } FROM { [ GROUP ] role_name | PUBLIC } [, ...] [ CASCADE | RESTRICT ]
REVOKE [ GRANT OPTION FOR ] { USAGE |ALL [ PRIVILEGES ] } ONLANGUAGE lang_name [, ...] FROM { [ GROUP ] role_name | PUBLIC } [, ...] [ CASCADE | RESTRICT ]
REVOKE [ GRANT OPTION FOR ] { { SELECT|UPDATE } [, ...] |ALL [ PRIVILEGES ] } ONLARGE OBJECT loid [, ...] FROM { [ GROUP ] role_name | PUBLIC } [, ...] [ CASCADE | RESTRICT ]
REVOKE [ GRANT OPTION FOR ] { { CREATE| USAGE } [, ...] |ALL [ PRIVILEGES ] } ON SCHEMA schema_name [, ...] FROM { [ GROUP ] role_name | PUBLIC } [, ...] [ CASCADE | RESTRICT ]
REVOKE [ GRANT OPTION FOR ] { CREATE|ALL [ PRIVILEGES ] } ON TABLESPACE tablespace_name [, ...] FROM { [ GROUP ] role_name | PUBLIC } [, ...] [ CASCADE | RESTRICT ]
REVOKE [ GRANT OPTION FOR ] { USAGE |ALL [ PRIVILEGES ] } ON TYPE type_name [, ...] FROM { [ GROUP ] role_name | PUBLIC } [, ...] [ CASCADE | RESTRICT ]
REVOKE [ ADMIN OPTION FOR ] role_name [, ...] FROM role_name [, ...] [ CASCADE | RESTRICT ]
可以发现,Kingbase 数据库 revoke 命令是针对角色的,而 ALL USERS、SUPERUSERS 和 USERS 并非数据库角色,所以自然也就无法执行:
1 2 3 4 5 6 7 8
test=# \du List of roles Role name | Attributes |Memberof -----------+------------------------------------------------------------+----------- kcluster | Cannot login | {} sao |No inheritance | {} sso |No inheritance | {} system| Superuser, Create role, Create DB, Replication, Bypass RLS | {}
当然,SUPERUSER 为系统权限,可以通过创建用户时赋予或者手动赋予用户:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17
-- 对已创建用户赋予 test=# alteruser user01 with superuser; ALTER ROLE test=# \du user01 List of roles Role name | Attributes |Memberof -----------+------------+----------- user01 | Superuser | {}
-- 创建用户赋予 test=# createuser user02 with superuser password 'kingbase'; CREATE ROLE test=# \du user02 List of roles Role name | Attributes |Memberof -----------+------------+----------- user02 | Superuser | {}
