CREATE POLICY user_policy ON users
- USING (user = current_user);
+ USING (user_name = current_user);
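Review bot: Neither `user_policy` example (the `USING` clause here and the `WITH CHECK` clause in the next example) says why the column cannot be called `user`, so a reader copying the pattern onto their own schema can reintroduce the problem. In PostgreSQL an unquoted `user` is a reserved word equivalent to `current_user`, so the removed predicate `user = current_user` compared the session user with itself and passed every row, with no error to signal it. I would add a comment above the policy such as `-- do not name the column "user": unquoted, user means current_user and the test is always true`. The prose surrounding these listings is not visible in the diff, so this may already be covered there. A practical check for existing deployments is to read the stored expressions in `pg_policies` (`qual`, `with_check`) and confirm they reference a table column.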
CREATE POLICY user_policy ON users
USING (true)
- WITH CHECK (user = current_user);
+ WITH CHECK (user_name = current_user);
-- Simple passwd-file based example
CREATE TABLE passwd (
- username text UNIQUE NOT NULL,
+ user_name text UNIQUE NOT NULL,
pwhash text,
uid int PRIMARY KEY,
gid int NOT NULL,
-- Normal users can update their own records, but
-- limit which shells a normal user is allowed to set
CREATE POLICY user_mod ON passwd FOR UPDATE
- USING (current_user = username)
+ USING (current_user = user_name)
WITH CHECK (
- current_user = username AND
+ current_user = user_name AND
shell IN ('/bin/bash','/bin/sh','/bin/dash','/bin/zsh','/bin/tcsh')
);
GRANT SELECT, INSERT, UPDATE, DELETE ON passwd TO admin;
-- Users only get select access on public columns
GRANT SELECT
- (username, uid, gid, real_name, home_phone, extra_info, home_dir, shell)
+ (user_name, uid, gid, real_name, home_phone, extra_info, home_dir, shell)
ON passwd TO public;
-- Allow users to update certain columns
GRANT UPDATE
postgres=> set role admin;
SET
postgres=> table passwd;
- username | pwhash | uid | gid | real_name | home_phone | extra_info | home_dir | shell
-----------+--------+-----+-----+-----------+--------------+------------+-------------+-----------
- admin | xxx | 0 | 0 | Admin | 111-222-3333 | | /root | /bin/dash
- bob | xxx | 1 | 1 | Bob | 123-456-7890 | | /home/bob | /bin/zsh
- alice | xxx | 2 | 1 | Alice | 098-765-4321 | | /home/alice | /bin/zsh
+ user_name | pwhash | uid | gid | real_name | home_phone | extra_info | home_dir | shell
+-----------+--------+-----+-----+-----------+--------------+------------+-------------+-----------
+ admin | xxx | 0 | 0 | Admin | 111-222-3333 | | /root | /bin/dash
+ bob | xxx | 1 | 1 | Bob | 123-456-7890 | | /home/bob | /bin/zsh
+ alice | xxx | 2 | 1 | Alice | 098-765-4321 | | /home/alice | /bin/zsh
(3 rows)
-- Test what Alice is able to do
SET
postgres=> table passwd;
ERROR: permission denied for relation passwd
-postgres=> select username,real_name,home_phone,extra_info,home_dir,shell from passwd;
- username | real_name | home_phone | extra_info | home_dir | shell
-----------+-----------+--------------+------------+-------------+-----------
- admin | Admin | 111-222-3333 | | /root | /bin/dash
- bob | Bob | 123-456-7890 | | /home/bob | /bin/zsh
- alice | Alice | 098-765-4321 | | /home/alice | /bin/zsh
+postgres=> select user_name,real_name,home_phone,extra_info,home_dir,shell from passwd;
+ user_name | real_name | home_phone | extra_info | home_dir | shell
+-----------+-----------+--------------+------------+-------------+-----------
+ admin | Admin | 111-222-3333 | | /root | /bin/dash
+ bob | Bob | 123-456-7890 | | /home/bob | /bin/zsh
+ alice | Alice | 098-765-4321 | | /home/alice | /bin/zsh
(3 rows)
-postgres=> update passwd set username = 'joe';
+postgres=> update passwd set user_name = 'joe';
ERROR: permission denied for relation passwd
-- Alice is allowed to change her own real_name, but no others
postgres=> update passwd set real_name = 'Alice Doe';
UPDATE 1
-postgres=> update passwd set real_name = 'John Doe' where username = 'admin';
+postgres=> update passwd set real_name = 'John Doe' where user_name = 'admin';
UPDATE 0
postgres=> update passwd set shell = '/bin/xx';
ERROR: new row violates WITH CHECK OPTION for "passwd"
postgres=> delete from passwd;
ERROR: permission denied for relation passwd
-postgres=> insert into passwd (username) values ('xxx');
+postgres=> insert into passwd (user_name) values ('xxx');
ERROR: permission denied for relation passwd
-- Alice can change her own password; RLS silently prevents updating other rows
postgres=> update passwd set pwhash = 'abc';
(since this is one of the ways to restrict the activities of your
users to well-defined namespaces). The syntax for that is:
-CREATE SCHEMA schemaname AUTHORIZATION username;
+CREATE SCHEMA schema_name AUTHORIZATION user_name;
You can even omit the schema name, in which case the schema name
will be the same as the user name. See
implements only the basic schema support specified in the
standard. Therefore, many users consider qualified names to
really consist of
- username>.tablename>.
+ user_name>.table_name>.
This is how
PostgreSQL will effectively
behave if you create a per-user schema for every user.
ts_filter(vector tsvector>, weights "char"[]>)
tsvector
- Select only elements with given weights from vector
+ select only elements with given weights from vector
ts_filter('fat:2,4 cat:3b rat:5A'::tsvector, '{a,b}')
'cat':3B 'rat':5A
the second string a most similar word not a most similar substring. The
range of the result is zero (indicating that the two strings are
completely dissimilar) to one (indicating that the first string is
- identical to one of the word of the second string).
+ identical to one of the words of the second string).
|