PostgreSQL Chinese Operations Guide

22.1. Database Roles

Database roles are conceptually completely separate from operating system users. In practice it might be convenient to maintain a correspondence, but this is not required. Database roles are global across a database cluster installation (and not per individual database). To create a role use the CREATE ROLE SQL command:

CREATE ROLE name;

name follows the rules for SQL identifiers: either unadorned without special characters, or double-quoted. (In practice, you will usually want to add additional options, such as LOGIN, to the command. More details appear below.) To remove an existing role, use the analogous DROP ROLE command:

DROP ROLE name;
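As an added worked example (not part of the original page), the sequence below creates a non-login group role, a login role with a password and an expiry, makes the login role a member of the group, checks the resulting attributes in pg_roles, and then removes both roles. The role names and the password are placeholders chosen for this example. One detail that matters for access control: `CREATE ROLE name;` with no options creates a role that has NOLOGIN, NOSUPERUSER, NOCREATEDB, NOCREATEROLE and NOBYPASSRLS, so a role that is meant to connect must say LOGIN explicitly.

```sql
-- Added example (not from the original page). Role names and the password are
-- placeholders; run as the bootstrap superuser or a role with CREATEROLE.

-- A group role: it cannot log in and carries no special attributes. Object
-- privileges are granted to this role and inherited by its members.
CREATE ROLE app_readers NOLOGIN;

-- A login role for an application. NOSUPERUSER, NOCREATEDB and NOCREATEROLE
-- are already the defaults; they are spelled out to make the intent visible.
CREATE ROLE app_user
    LOGIN
    PASSWORD 'replace-with-a-generated-secret'   -- placeholder value
    VALID UNTIL '2030-01-01'                     -- password stops working after this
    CONNECTION LIMIT 20
    NOSUPERUSER NOCREATEDB NOCREATEROLE;

-- Membership: app_user now inherits whatever is granted to app_readers.
GRANT app_readers TO app_user;

-- Confirm what was actually set: rolcanlogin must be true only for app_user,
-- rolsuper false for both.
SELECT rolname, rolcanlogin, rolsuper, rolvaliduntil, rolconnlimit
FROM pg_roles
WHERE rolname IN ('app_readers', 'app_user')
ORDER BY rolname;

-- Removal. DROP ROLE refuses to run while the role still owns objects or holds
-- privileges in the current database, so hand those off first. REASSIGN OWNED
-- and DROP OWNED act only on the current database; repeat them in every
-- database the role touched. Role memberships are removed by DROP ROLE itself.
REASSIGN OWNED BY app_user TO CURRENT_USER;
DROP OWNED BY app_user;
DROP ROLE app_user;

REASSIGN OWNED BY app_readers TO CURRENT_USER;
DROP OWNED BY app_readers;
DROP ROLE app_readers;
```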

For convenience, the programs createuser and dropuser are provided as wrappers around these SQL commands that can be called from the shell command line. Note one difference in defaults: createuser creates a role that is allowed to log in unless --no-login is given, whereas a bare CREATE ROLE does not grant LOGIN.

createuser name
dropuser name

To determine the set of existing roles, examine the pg_roles system catalog, for example:

SELECT rolname FROM pg_roles;

or to see just those capable of logging in:

SELECT rolname FROM pg_roles WHERE rolcanlogin;
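Listing names is rarely enough; an audit wants to know which roles carry attributes that bypass or extend normal access control. The two queries below are an added example (not from the original page). The first reports every non-system role with the attributes that matter, putting login-capable superusers first; the second walks pg_auth_members to find roles that are not themselves privileged but can SET ROLE into one that is, since SUPERUSER and CREATEROLE are not inherited but become available to a member after SET ROLE.

```sql
-- Added example (not from the original page): role attribute audit.
-- Roles named pg_* are the predefined system roles and are filtered out.
SELECT rolname,
       rolcanlogin,
       rolsuper,
       rolcreaterole,       -- can create, alter and drop other roles
       rolcreatedb,
       rolreplication,      -- can open replication connections and read all WAL
       rolbypassrls,        -- row-level security policies do not apply
       rolconnlimit,        -- -1 means unlimited
       rolvaliduntil,       -- NULL means the password never expires
       CASE
           WHEN rolsuper AND rolcanlogin      THEN 'login-capable superuser: review'
           WHEN rolcreaterole AND rolcanlogin THEN 'can create roles: review'
           WHEN rolcanlogin AND rolvaliduntil IS NULL
                                              THEN 'login role, non-expiring password'
           ELSE ''
       END AS note
FROM pg_roles
WHERE rolname NOT LIKE 'pg\_%'
ORDER BY rolsuper DESC, rolcreaterole DESC, rolcanlogin DESC, rolname;

-- Indirect privilege: members of a SUPERUSER or CREATEROLE role can reach
-- those attributes with SET ROLE even though their own row above looks plain.
SELECT m.rolname AS member,
       g.rolname AS granted_role,
       g.rolsuper,
       g.rolcreaterole,
       am.admin_option      -- true: the member may grant this role onward
FROM pg_auth_members am
JOIN pg_roles m ON m.oid = am.member
JOIN pg_roles g ON g.oid = am.roleid
WHERE g.rolsuper OR g.rolcreaterole
ORDER BY g.rolname, m.rolname;
```

An empty result from the second query is the normal state on a hardened cluster; any row in it names a role whose effective privilege is higher than its own pg_roles attributes suggest.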

The psql program’s \du meta-command is also useful for listing the existing roles.

In order to bootstrap the database system, a freshly initialized system always contains one predefined login-capable role. This role is always a “superuser”, and it will have the same name as the operating system user that initialized the database cluster with initdb unless a different name is specified. This role is often named postgres. In order to create more roles you first have to connect as this initial role.

Every connection to the database server is made using the name of some particular role, and this role determines the initial access privileges for commands issued in that connection. The role name to use for a particular database connection is indicated by the client that is initiating the connection request in an application-specific fashion. For example, the psql program uses the -U command line option to indicate the role to connect as. Many applications assume the name of the current operating system user by default (including createuser and psql). Therefore it is often convenient to maintain a naming correspondence between roles and operating system users.

The set of database roles a given client connection can connect as is determined by the client authentication setup, as explained in Chapter 21. (Thus, a client is not limited to connect as the role matching its operating system user, just as a person’s login name need not match his or her real name.) Since the role identity determines the set of privileges available to a connected client, it is important to carefully configure privileges when setting up a multiuser environment.
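The last two paragraphs make two claims a practitioner will want to verify on a live server: which role a session actually runs as, and which roles the authentication configuration lets a client connect as. The queries below are an added example, not from the original page. They assume PostgreSQL 10 or later, where the loaded pg_hba.conf is exposed as the pg_hba_file_rules view (readable by superusers by default).

```sql
-- Added example (not from the original page).

-- 1. Which role is this connection? session_user is the role that
--    authenticated (what psql -U supplied); current_user is what privilege
--    checks use and changes after SET ROLE. Both equal the role named in
--    the connection request until SET ROLE is issued.
SELECT session_user, current_user, inet_client_addr() AS client_ip;

-- 2. Which roles can a client reach, and how? A user_name of {all} means the
--    line does not restrict the role, so the database role is chosen purely
--    by the client and the only barrier is auth_method. A non-NULL error
--    means the line failed to parse and is not in effect.
SELECT line_number, type, database, user_name, address, auth_method,
       CASE auth_method
           WHEN 'trust'    THEN 'no authentication: any listed role is reachable from the listed address'
           WHEN 'password' THEN 'cleartext password on the wire: use scram-sha-256'
           WHEN 'md5'      THEN 'legacy hash: prefer scram-sha-256'
           ELSE ''
       END AS note,
       error
FROM pg_hba_file_rules
ORDER BY line_number;
```

Read the second result top to bottom: the first matching line decides, so a permissive rule placed above a restrictive one silently wins for every role it covers.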