grant.sgml

postgresql8.3.4源码,开源数据库

<!--
$PostgreSQL: pgsql/doc/src/sgml/ref/grant.sgml,v 1.67.2.1 2008/05/28 00:45:47 tgl Exp $
PostgreSQL documentation
-->

<refentry id="SQL-GRANT">
 <refmeta>
  <refentrytitle id="sql-grant-title">GRANT</refentrytitle>
  <refmiscinfo>SQL - Language Statements</refmiscinfo>
 </refmeta>

 <refnamediv>
  <refname>GRANT</refname>
  <refpurpose>define access privileges</refpurpose>
 </refnamediv>

 <indexterm zone="sql-grant">
  <primary>GRANT</primary>
 </indexterm>

 <refsynopsisdiv>
<synopsis>
GRANT { { SELECT | INSERT | UPDATE | DELETE | REFERENCES | TRIGGER }
    [,...] | ALL [ PRIVILEGES ] }
    ON [ TABLE ] <replaceable class="PARAMETER">tablename</replaceable> [, ...]
    TO { [ GROUP ] <replaceable class="PARAMETER">rolename</replaceable> | PUBLIC } [, ...] [ WITH GRANT OPTION ]

GRANT { { USAGE | SELECT | UPDATE }
    [,...] | ALL [ PRIVILEGES ] }
    ON SEQUENCE <replaceable class="PARAMETER">sequencename</replaceable> [, ...]
    TO { [ GROUP ] <replaceable class="PARAMETER">rolename</replaceable> | PUBLIC } [, ...] [ WITH GRANT OPTION ]

GRANT { { CREATE | CONNECT | TEMPORARY | TEMP } [,...] | ALL [ PRIVILEGES ] }
    ON DATABASE <replaceable>dbname</replaceable> [, ...]
    TO { [ GROUP ] <replaceable class="PARAMETER">rolename</replaceable> | PUBLIC } [, ...] [ WITH GRANT OPTION ]

GRANT { EXECUTE | ALL [ PRIVILEGES ] }
    ON FUNCTION <replaceable>funcname</replaceable> ( [ [ <replaceable class="parameter">argmode</replaceable> ] [ <replaceable class="parameter">argname</replaceable> ] <replaceable class="parameter">argtype</replaceable> [, ...] ] ) [, ...]
    TO { [ GROUP ] <replaceable class="PARAMETER">rolename</replaceable> | PUBLIC } [, ...] [ WITH GRANT OPTION ]

GRANT { USAGE | ALL [ PRIVILEGES ] }
    ON LANGUAGE <replaceable>langname</replaceable> [, ...]
    TO { [ GROUP ] <replaceable class="PARAMETER">rolename</replaceable> | PUBLIC } [, ...] [ WITH GRANT OPTION ]

GRANT { { CREATE | USAGE } [,...] | ALL [ PRIVILEGES ] }
    ON SCHEMA <replaceable>schemaname</replaceable> [, ...]
    TO { [ GROUP ] <replaceable class="PARAMETER">rolename</replaceable> | PUBLIC } [, ...] [ WITH GRANT OPTION ]

GRANT { CREATE | ALL [ PRIVILEGES ] }
    ON TABLESPACE <replaceable>tablespacename</> [, ...]
    TO { [ GROUP ] <replaceable class="PARAMETER">rolename</replaceable> | PUBLIC } [, ...] [ WITH GRANT OPTION ]

GRANT <replaceable class="PARAMETER">role</replaceable> [, ...] TO <replaceable class="PARAMETER">rolename</replaceable> [, ...] [ WITH ADMIN OPTION ]
</synopsis>
 </refsynopsisdiv>

 <refsect1 id="sql-grant-description">
  <title>Description</title>

  <para>
   The <command>GRANT</command> command has two basic variants: one
   that grants privileges on a database object (table, view, sequence,
   database, function, procedural language, schema, or tablespace),
   and one that grants membership in a role.  These variants are
   similar in many ways, but they are different enough to be described
   separately.
  </para>

  <para>
   As of <productname>PostgreSQL</productname> 8.1, the concepts of users and
   groups have been unified into a single kind of entity called a role.
   It is therefore no longer necessary to use the keyword <literal>GROUP</>
   to identify whether a grantee is a user or a group.  <literal>GROUP</>
   is still allowed in the command, but it is a noise word.
  </para>

 <refsect2 id="sql-grant-description-objects">
  <title>GRANT on Database Objects</title>

  <para>
   This variant of the <command>GRANT</command> command gives specific
   privileges on a database object to
   one or more roles.  These privileges are added
   to those already granted, if any.
  </para>

  <para>
   The key word <literal>PUBLIC</literal> indicates that the
   privileges are to be granted to all roles, including those that might
   be created later.  <literal>PUBLIC</literal> can be thought of as an
   implicitly defined group that always includes all roles.
   Any particular role will have the sum
   of privileges granted directly to it, privileges granted to any role it
   is presently a member of, and privileges granted to
   <literal>PUBLIC</literal>.
  </para>

  <para>
   If <literal>WITH GRANT OPTION</literal> is specified, the recipient
   of the privilege can in turn grant it to others.  Without a grant
   option, the recipient cannot do that.  Grant options cannot be granted
   to <literal>PUBLIC</literal>.
  </para>

  <para>
   There is no need to grant privileges to the owner of an object
   (usually the user that created it),
   as the owner has all privileges by default.  (The owner could,
   however, choose to revoke some of his own privileges for safety.)
   The right to drop an object, or to alter its definition in any way is
   not described by a grantable privilege; it is inherent in the owner,
   and cannot be granted or revoked.  The owner implicitly has all grant
   options for the object, too.
  </para>

  <para>
   Depending on the type of object, the initial default privileges might
   include granting some privileges to <literal>PUBLIC</literal>.
   The default is no public access for tables, schemas, and tablespaces;
   <literal>CONNECT</> privilege and <literal>TEMP</> table creation privilege
   for databases;
   <literal>EXECUTE</> privilege for functions; and
   <literal>USAGE</> privilege for languages.
   The object owner can of course revoke these privileges.  (For maximum
   security, issue the <command>REVOKE</> in the same transaction that
   creates the object; then there is no window in which another user
   can use the object.)
  </para>

  <para>
   The possible privileges are:

   <variablelist>
    <varlistentry>
     <term>SELECT</term>
     <listitem>
      <para>
       Allows <xref linkend="sql-select" endterm="sql-select-title"> from
       any column of the specified table, view, or sequence.
       Also allows the use of
       <xref linkend="sql-copy" endterm="sql-copy-title"> TO.
       This privilege is also needed to reference existing column values in
       <xref linkend="sql-update" endterm="sql-update-title"> or
       <xref linkend="sql-delete" endterm="sql-delete-title">.
       For sequences, this privilege also allows the use of the
       <function>currval</function> function.
      </para>
     </listitem>
    </varlistentry>

    <varlistentry>
     <term>INSERT</term>
     <listitem>
      <para>
       Allows <xref linkend="sql-insert" endterm="sql-insert-title"> of a new
       row into the specified table.
       Also allows <xref linkend="sql-copy" endterm="sql-copy-title"> FROM.
      </para>
     </listitem>
    </varlistentry>

    <varlistentry>
     <term>UPDATE</term>
     <listitem>
      <para>
       Allows <xref linkend="sql-update" endterm="sql-update-title"> of any
       column of the specified table.
       (In practice, any nontrivial <command>UPDATE</> command will require
       <literal>SELECT</> privilege as well, since it must reference table
       columns to determine which rows to update, and/or to compute new
       values for columns.)
       <literal>SELECT ... FOR UPDATE</literal>
       and <literal>SELECT ... FOR SHARE</literal>
       also require this privilege, in addition to the
       <literal>SELECT</literal> privilege.  For sequences, this
       privilege allows the use of the <function>nextval</function> and
       <function>setval</function> functions.
      </para>
     </listitem>
    </varlistentry>

    <varlistentry>
     <term>DELETE</term>
     <listitem>
      <para>
       Allows <xref linkend="sql-delete" endterm="sql-delete-title"> of a row
       from the specified table.
       (In practice, any nontrivial <command>DELETE</> command will require
       <literal>SELECT</> privilege as well, since it must reference table
       columns to determine which rows to delete.)
      </para>
     </listitem>
    </varlistentry>

    <varlistentry>
     <term>REFERENCES</term>
     <listitem>
      <para>
       To create a foreign key constraint, it is
       necessary to have this privilege on both the referencing and
       referenced tables.
      </para>
     </listitem>
    </varlistentry>

    <varlistentry>
     <term>TRIGGER</term>
     <listitem>
      <para>
       Allows the creation of a trigger on the specified table.  (See the
       <xref linkend="sql-createtrigger" endterm="sql-createtrigger-title"> statement.)
      </para>
     </listitem>
    </varlistentry>

    <varlistentry>
     <term>CREATE</term>
     <listitem>
      <para>
       For databases, allows new schemas to be created within the database.
      </para>
      <para>
       For schemas, allows new objects to be created within the schema.
       To rename an existing object, you must own the object <emphasis>and</>
       have this privilege for the containing schema.
      </para>
      <para>
       For tablespaces, allows tables, indexes, and temporary files to be
       created within the tablespace, and allows databases to be created that
       have the tablespace as their default tablespace.  (Note that revoking
       this privilege will not alter the placement of existing objects.)
      </para>
     </listitem>
    </varlistentry>

    <varlistentry>
     <term>CONNECT</term>
     <listitem>
      <para>
       Allows the user to connect to the specified database.  This
       privilege is checked at connection startup (in addition to checking
       any restrictions imposed by <filename>pg_hba.conf</>).
      </para>
     </listitem>
    </varlistentry>

    <varlistentry>
     <term>TEMPORARY</term>
     <term>TEMP</term>
     <listitem>
      <para>
       Allows temporary tables to be created while using the specified database.
      </para>
     </listitem>
    </varlistentry>

    <varlistentry>
     <term>EXECUTE</term>
     <listitem>
      <para>
       Allows the use of the specified function and the use of any
       operators that are implemented on top of the function.  This is
       the only type of privilege that is applicable to functions.
       (This syntax works for aggregate functions, as well.)
      </para>
     </listitem>
    </varlistentry>

    <varlistentry>
     <term>USAGE</term>
     <listitem>
      <para>
       For procedural languages, allows the use of the specified language for
       the creation of functions in that language.  This is the only type
       of privilege that is applicable to procedural languages.
      </para>
      <para>
       For schemas, allows access to objects contained in the specified
       schema (assuming that the objects' own privilege requirements are
       also met).  Essentially this allows the grantee to <quote>look up</>
       objects within the schema.  Without this permission, it is still