Ubuntu 上 pgAdmin 权限分配技巧
一 核心原则与准备
sudo apt update && sudo apt install pgadmin4,浏览器访问 http://127.0.0.1:5050 登录 pgAdmin,连接到目标 PostgreSQL(主机 localhost、端口 5432、默认管理员 postgres)。二 推荐的权限分配流程
GRANT USAGE ON SCHEMA public TO dev_group;)。CREATE ROLE dev_group WITH NOLOGIN;CREATE USER dev_user WITH LOGIN PASSWORD 'SecurePass123'; GRANT dev_group TO dev_user;GRANT CONNECT ON DATABASE mydb TO dev_user;GRANT USAGE ON SCHEMA public TO dev_user;GRANT SELECT, INSERT ON ALL TABLES IN SCHEMA public TO dev_group;ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT, INSERT ON TABLES TO dev_group;GRANT SELECT (id, name) ON TABLE t TO dev_user;GRANT USAGE, SELECT ON SEQUENCE seq1 TO dev_user;GRANT EXECUTE ON FUNCTION f() TO dev_user;SELECT 1;、SELECT * FROM employees LIMIT 1;,确认权限生效。三 常见场景与最小权限模板
| 场景 | 最小授权要点 | 示例 SQL |
|---|---|---|
| 只读用户 | CONNECT、USAGE、对现有与未来表的 SELECT | GRANT CONNECT ON DATABASE mydb TO r_user; GRANT USAGE ON SCHEMA public TO r_user; GRANT SELECT ON ALL TABLES IN SCHEMA public TO r_user; ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO r_user; |
| 读写用户 | 在只读基础上增加 INSERT/UPDATE/DELETE | GRANT INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA public TO rw_user; ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT INSERT, UPDATE, DELETE ON TABLES TO rw_user; |
| 仅访问部分表 | 仅对指定表授予权限 | GRANT SELECT, INSERT ON TABLE t1, t2 TO part_user; |
| 应用连接账号 | 禁止登录数据库控制台,仅用于连接池/应用 | CREATE ROLE app_conn WITH LOGIN PASSWORD 'AppPass!' NOINHERIT; GRANT CONNECT ON DATABASE mydb TO app_conn;(按需再授予 USAGE 与对象权限) |
| 运维/DBA | 临时提升权限或分权管理 | CREATE ROLE ops WITH LOGIN PASSWORD 'OpsPass!'; GRANT pg_read_all_data, pg_write_all_data TO ops;(谨慎授予,遵循最小权限) |
四 安全与排错要点
local all all peerhost all all 127.0.0.1/32 md5host all all ::1/128 md5pg_ctl reload。REVOKE SELECT ON TABLE t FROM u;ALTER DEFAULT PRIVILEGES IN SCHEMA public REVOKE SELECT ON TABLES FROM u;\dp 或 \z 查看对象权限;\du 查看角色;\l 查看数据库。