The owner of table x is user dave. Only SELECT is granted to cloudsqlsuperuser, but user anton is able to update the data in table x. How is this possible?
=> \du
List of roles
Role name | Attributes | Member of
---------------------------+------------------------------------------------------------+---------------------------------------
anton | Create role, Create DB | {cloudsqlsuperuser}
cloudsqladmin | Superuser, Create role, Create DB, Replication, Bypass RLS | {}
cloudsqlagent | Create role, Create DB | {cloudsqlsuperuser}
cloudsqliamserviceaccount | Cannot login | {}
cloudsqliamuser | Cannot login | {}
cloudsqlimportexport | Create role, Create DB | {cloudsqlsuperuser}
cloudsqlreplica | Replication | {pg_monitor}
cloudsqlsuperuser | Create role, Create DB | {pg_monitor,pg_signal_backend}
dave | Create role, Create DB | {cloudsqlsuperuser,postgres}
=> \dt
List of relations
Schema | Name | Type | Owner
--------+--------------------------+-------+-----------
public | x | table | dave
=> \z x
Access privileges
Schema | Name | Type | Access privileges | Column privileges | Policies
--------+--------------+-------+-------------------------------+-------------------+----------
public | x | table | dave=arwdDxt/dave +| |
| | | =arwdDxt/dave +| |
| | | cloudsqlsuperuser=r/dave +| |
(1 row)
I am able to update as user anton. Shouldn't that be forbidden?
=> update x set ...
UPDATE 1
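=arwdDxt/dave means that all privileges are granted to the pseudo-role PUBLIC, of which anton is obviously a member. The documentation states this. Consequently, you have to revoke the UPDATE privilege from PUBLIC to prevent anton from updating the table.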
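An added example, not part of the original question or answer: a small decoder for the "Access privileges" entries shown in the \z output, which reports through which grantee a role obtains each table privilege. The function names are hypothetical, role names are assumed to be unquoted, and the membership list is assumed to be passed in already flattened.

```python
# Privilege letters PostgreSQL prints for tables in \z output.
TABLE_PRIVS = {
    "r": "SELECT", "a": "INSERT", "w": "UPDATE", "d": "DELETE",
    "D": "TRUNCATE", "x": "REFERENCES", "t": "TRIGGER",
}
WRITES = {"INSERT", "UPDATE", "DELETE", "TRUNCATE"}

# The three entries from the "Access privileges" column for table x.
ACL_FROM_PAGE = ["dave=arwdDxt/dave", "=arwdDxt/dave", "cloudsqlsuperuser=r/dave"]


def parse_aclitem(item):
    """Split 'grantee=privs/grantor'; an empty grantee means PUBLIC."""
    cleaned = item.strip().rstrip("+").strip()   # drop psql's line-continuation '+'
    left, _, grantor = cleaned.rpartition("/")
    grantee, _, letters = left.partition("=")
    # '*' marks a grant option on the preceding letter, not a privilege itself.
    privs = {TABLE_PRIVS.get(ch, ch) for ch in letters if ch != "*"}
    return (grantee or "PUBLIC", privs, grantor)


def effective_privileges(role, member_of, acl):
    """Map each privilege to the grantees through which `role` holds it.

    Every role is implicitly a member of PUBLIC, so PUBLIC is always included.
    """
    holders = {role, "PUBLIC"} | set(member_of)
    result = {}
    for item in acl:
        grantee, privs, _ = parse_aclitem(item)
        if grantee in holders:
            for priv in privs:
                result.setdefault(priv, set()).add(grantee)
    return result


def public_write_privileges(acl):
    """Return the write privileges that the ACL grants to PUBLIC, sorted."""
    found = set()
    for item in acl:
        grantee, privs, _ = parse_aclitem(item)
        if grantee == "PUBLIC":
            found |= privs & WRITES
    return sorted(found)


if __name__ == "__main__":
    for priv, via in sorted(effective_privileges("anton", ["cloudsqlsuperuser"], ACL_FROM_PAGE).items()):
        print(f"{priv:<10} via {', '.join(sorted(via))}")
```

The revocation the answer describes corresponds to `REVOKE UPDATE ON x FROM PUBLIC;`, after which the PUBLIC entry no longer contains `w`.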