我们授予第三方软件访问我们的postgresql数据库的权限。经过计费争议,我们现在已经切断了与该公司的联系,但不能删除用户。我们需要尽快删除此用户,但不知道如何删除。以下是我们在尝试这样做时看到的一些情况:
prod=> drop user evil_user;
ERROR: role "evil_user" cannot be dropped because some objects depend on it
DETAIL: owner of default privileges on new relations belonging to role evil_user
prod=> reassign owned by evil_user to root;
ERROR: permission denied to reassign objects
prod=> drop role evil_user;
ERROR: role "evil_user" cannot be dropped because some objects depend on it
DETAIL: owner of default privileges on new relations belonging to role evil_user
^
prod=> REVOKE ALL ON ALL TABLES IN SCHEMA PUBLIC FROM evil_user;
REVOKE
prod=> drop role evil_user;
ERROR: role "evil_user" cannot be dropped because some objects depend on it
DETAIL: owner of default privileges on new relations belonging to role evil_user
prod=> REVOKE ALL ON SCHEMA public FROM evil_user;
REVOKE
prod=> REVOKE ALL ON DATABASE prod FROM evil_user;
REVOKE
prod=> reassign owned by evil_user to root;
ERROR: permission denied to reassign objects
prod=> drop user evil_user;
ERROR: role "evil_user" cannot be dropped because some objects depend on it
DETAIL: owner of default privileges on new relations belonging to role evil_user
^
prod=> ALTER DEFAULT PRIVILEGES IN SCHEMA public REVOKE ALL ON TABLES FROM evil_user;
ALTER DEFAULT PRIVILEGES
prod=> drop user evil_user;
ERROR: role "evil_user" cannot be dropped because some objects depend on it
DETAIL: owner of default privileges on new relations belonging to role evil_user
prod=> reassign owned by evil_user to root;
ERROR: permission denied to reassign objects
我们得把这些人从我们的数据库里拿出来。由于一些原因,我们不能很容易地转移到新的Postgres实例。
发布于 2020-06-24 22:39:38
在没有supserusesr帐号的情况下使用REASSIGN
时,会有一些不直观的权限要求,例如在RDS和Cloud SQL上,但只要您的current_user有权限访问GRANT evil_user TO prod
就可以了。在另一篇文章中,我回答了同样的问题:https://stackoverflow.com/a/62557497/79079
https://stackoverflow.com/questions/44718654
复制相似问题