我一直在试图从AWS PostgreSQL实例中删除组角色,但我陷入了困境。我已经成功删除了组中的所有依赖项,除了6以外,我不知道这些依赖项可能是什么。我会解释我试图用来找到这些缺失的特权,我真的很感谢有关我下一步可以看到的方向。这些步骤中的每一个都关于所有的实例内的数据库和模式来执行:PostgreSQL - 查找组的所有权限
我用下面的代码来从组撤销所有特权
REVOKE ALL ON DATABASE {dbname} FROM GROUP "Application_Access"; REVOKE ALL ON SCHEMA public FROM GROUP "Application_Access"; REVOKE ALL ON ALL TABLES IN SCHEMA public FROM GROUP "Application_Access"; REVOKE ALL ON ALL FUNCTIONS IN SCHEMA public FROM GROUP "Application_Access"; REVOKE ALL ON ALL SEQUENCES IN SCHEMA public FROM GROUP "Application_Access";
我用PSQL命令列出所有的对象和他们的特权,这是我发现
- \ Z =没有上市Application_Access
- \杜和\ DG = Application_Access - 无继承,无法登录,会员{}
- \ d =由OurAdmin拥有的所有关系
- \ DB =由rdsadmin拥有的所有表空间(AWS管理)
- \ dtisv =无
- \ DDP =此命令是显示Application_Access Results of \ddp Command
我明白\ DDP显示了未来的数据库添加默认权限的人。我试图运行ALTER PRIVILEGES命令。它迫使我让自己成为Application_Access的成员(错误:必须是角色的成员,为什么?!?)才能运行该命令。这将我的所有权限重新分配给了Application_Access,我又回到了原来的位置。
ALTER DEFAULT PRIVILEGES ON ROLE "Application_Access" REVOKE ALL ON DATABASE {dbname} FROM "Application_Access"; ALTER DEFAULT PRIVILEGES ON ROLE "Application_Access" REVOKE ALL ON ALL SCHEMAS FROM "Application_Access"; ALTER DEFAULT PRIVILEGES ON ROLE "Application_Access" REVOKE ALL ON TABLES FROM "Application_Access"; ALTER DEFAULT PRIVILEGES ON ROLE "Application_Access" REVOKE ALL ON FUNCTIONS FROM "Application_Access"; ALTER DEFAULT PRIVILEGES ON ROLE "Application_Access" REVOKE ALL ON SEQUENCES FROM "Application_Access";
- 我重新所有我前面的步骤,但是,现在,当我上运行的所有数据库\ DDP,还增加了前3行中,您所附加的图片中看到。
我有一个脚本,我发现并更改了它以显示每个数据库上的所有权限。我可以通过它来简化搜索。它没有将Application_Access显示为与任何对象关联。
SELECT relacl , SUBSTRING( CASE WHEN strpos('r', SPLIT_PART(SPLIT_PART(ARRAY_TO_STRING(RELACL, '|'), pu.groname, 2) , '/', 1)) > 0 THEN ', SELECT' ELSE '' END || CASE WHEN strpos('w', SPLIT_PART(SPLIT_PART(ARRAY_TO_STRING(RELACL, '|'), pu.groname, 2) , '/', 1)) > 0 THEN ', UPDATE' ELSE '' END || CASE WHEN strpos('a', SPLIT_PART(SPLIT_PART(ARRAY_TO_STRING(RELACL, '|'), pu.groname, 2) , '/', 1)) > 0 THEN ', INSERT' ELSE '' END || CASE WHEN strpos('d', SPLIT_PART(SPLIT_PART(ARRAY_TO_STRING(RELACL, '|'), pu.groname, 2) , '/', 1)) > 0 THEN ', DELETE' ELSE '' END || CASE WHEN strpos('R', SPLIT_PART(SPLIT_PART(ARRAY_TO_STRING(RELACL, '|'), pu.groname, 2) , '/', 1)) > 0 THEN ', RULE' ELSE '' END || CASE WHEN strpos('x', SPLIT_PART(SPLIT_PART(ARRAY_TO_STRING(RELACL, '|'), pu.groname, 2) , '/', 1)) > 0 THEN ', REFERENCES' ELSE '' END || CASE WHEN strpos('t', SPLIT_PART(SPLIT_PART(ARRAY_TO_STRING(RELACL, '|'), pu.groname, 2) , '/', 1)) > 0 THEN ', TRIGGER' ELSE '' END || CASE WHEN strpos('X', SPLIT_PART(SPLIT_PART(ARRAY_TO_STRING(RELACL, '|'), pu.groname, 2) , '/', 1)) > 0 THEN ', EXECUTE' ELSE '' END || CASE WHEN strpos('U', SPLIT_PART(SPLIT_PART(ARRAY_TO_STRING(RELACL, '|'), pu.groname, 2) , '/', 1)) > 0 THEN ', USAGE' ELSE '' END || CASE WHEN strpos('C', SPLIT_PART(SPLIT_PART(ARRAY_TO_STRING(RELACL, '|'), pu.groname, 2) , '/', 1)) > 0 THEN ', CREATE' ELSE '' END || CASE WHEN strpos('T', SPLIT_PART(SPLIT_PART(ARRAY_TO_STRING(RELACL, '|'), pu.groname, 2) , '/', 1)) > 0 THEN ', TEMPORARY' ELSE '' END , 3,10000) || namespace ||'.'|| item ||' TO '|| pu.groname ||' ;' AS grantsql FROM (SELECT use.usename AS subject ,nsp.nspname AS namespace ,cls.relname AS item ,cls.relkind AS type ,use2.usename AS owner ,cls.relacl FROM pg_user use CROSS JOIN pg_class cls LEFT JOIN pg_namespace nsp ON cls.relnamespace = nsp.oid LEFT JOIN pg_user use2 ON cls.relowner = use2.usesysid WHERE cls.relowner = use.usesysid AND nsp.nspname NOT IN ('pg_catalog', 'pg_toast', 'information_schema') ORDER BY subject ,namespace ,item) as x JOIN pg_group pu ON array_to_string(relacl, '|') LIKE '%'|| pu.groname ||'%' WHERE relacl IS NOT NULL AND relacl::text LIKE '%Application%' ORDER BY 2
***根据您在上面看到的一切,还有什么人能想到的,我离开了,或者没做正确/完全?我如何解决默认权限 - ALTER PRIVILEGES REVOKE ALL都不起作用。感谢您的帮助。