diff options
| author | Tom Lane <tgl@sss.pgh.pa.us> | 2022-04-06 13:24:33 -0400 |
|---|---|---|
| committer | Tom Lane <tgl@sss.pgh.pa.us> | 2022-04-06 13:24:33 -0400 |
| commit | a0ffa885e478f5eeacc4e250e35ce25a4740c487 (patch) | |
| tree | 7ce236305d5eb50f34bfccaf9a662cf3f0b77adf /doc/src | |
| parent | 2ef6f11b0c77ec323c688ddfd98ffabddb72c11d (diff) | |
Allow granting SET and ALTER SYSTEM privileges on GUC parameters.
This patch allows "PGC_SUSET" parameters to be set by non-superusers
if they have been explicitly granted the privilege to do so.
The privilege to perform ALTER SYSTEM SET/RESET on a specific parameter
can also be granted.
Such privileges are cluster-wide, not per database. They are tracked
in a new shared catalog, pg_parameter_acl.
Granting and revoking these new privileges works as one would expect.
One caveat is that PGC_USERSET GUCs are unaffected by the SET privilege
--- one could wish that those were handled by a revocable grant to
PUBLIC, but they are not, because we couldn't make it robust enough
for GUCs defined by extensions.
Mark Dilger, reviewed at various times by Andrew Dunstan, Robert Haas,
Joshua Brindle, and myself
Discussion: https://postgr.es/m/3D691E20-C1D5-4B80-8BA5-6BEB63AF3029@enterprisedb.com
Diffstat (limited to 'doc/src')
| -rw-r--r-- | doc/src/sgml/catalogs.sgml | 77 | ||||
| -rw-r--r-- | doc/src/sgml/config.sgml | 150 | ||||
| -rw-r--r-- | doc/src/sgml/ddl.sgml | 44 | ||||
| -rw-r--r-- | doc/src/sgml/func.sgml | 24 | ||||
| -rw-r--r-- | doc/src/sgml/ref/alter_system.sgml | 3 | ||||
| -rw-r--r-- | doc/src/sgml/ref/drop_owned.sgml | 4 | ||||
| -rw-r--r-- | doc/src/sgml/ref/grant.sgml | 17 | ||||
| -rw-r--r-- | doc/src/sgml/ref/pg_dumpall.sgml | 3 | ||||
| -rw-r--r-- | doc/src/sgml/ref/revoke.sgml | 7 | ||||
| -rw-r--r-- | doc/src/sgml/ref/set.sgml | 6 |
10 files changed, 269 insertions, 66 deletions
diff --git a/doc/src/sgml/catalogs.sgml b/doc/src/sgml/catalogs.sgml index 7f4f79d1b55..298de74af43 100644 --- a/doc/src/sgml/catalogs.sgml +++ b/doc/src/sgml/catalogs.sgml @@ -221,6 +221,11 @@ </row> <row> + <entry><link linkend="catalog-pg-parameter-acl"><structname>pg_parameter_acl</structname></link></entry> + <entry>configuration parameters for which privileges have been granted</entry> + </row> + + <row> <entry><link linkend="catalog-pg-partitioned-table"><structname>pg_partitioned_table</structname></link></entry> <entry>information about partition key of tables</entry> </row> @@ -5450,6 +5455,74 @@ SCRAM-SHA-256$<replaceable><iteration count></replaceable>:<replaceable>&l </sect1> + <sect1 id="catalog-pg-parameter-acl"> + <title><structname>pg_parameter_acl</structname></title> + + <indexterm zone="catalog-pg-parameter-acl"> + <primary>pg_parameter_acl</primary> + </indexterm> + + <para> + The catalog <structname>pg_parameter_acl</structname> records configuration + parameters for which privileges have been granted to one or more roles. + No entry is made for parameters that have default privileges. + </para> + + <para> + Unlike most system catalogs, <structname>pg_parameter_acl</structname> + is shared across all databases of a cluster: there is only one + copy of <structname>pg_parameter_acl</structname> per cluster, not + one per database. + </para> + + <table> + <title><structname>pg_parameter_acl</structname> Columns</title> + <tgroup cols="1"> + <thead> + <row> + <entry role="catalog_table_entry"><para role="column_definition"> + Column Type + </para> + <para> + Description + </para></entry> + </row> + </thead> + + <tbody> + <row> + <entry role="catalog_table_entry"><para role="column_definition"> + <structfield>oid</structfield> <type>oid</type> + </para> + <para> + Row identifier + </para></entry> + </row> + + <row> + <entry role="catalog_table_entry"><para role="column_definition"> + <structfield>parname</structfield> <type>text</type> + </para> + <para> + The name of a configuration parameter for which privileges are granted + </para></entry> + </row> + + <row> + <entry role="catalog_table_entry"><para role="column_definition"> + <structfield>paracl</structfield> <type>aclitem[]</type> + </para> + <para> + Access privileges; see <xref linkend="ddl-priv"/> for details + </para></entry> + </row> + + </tbody> + </tgroup> + </table> + </sect1> + + <sect1 id="catalog-pg-partitioned-table"> <title><structname>pg_partitioned_table</structname></title> @@ -12747,7 +12820,8 @@ SELECT * FROM pg_locks pl LEFT JOIN pg_prepared_xacts ppx <filename>postgresql.conf</filename> without restarting the server. They can also be set for a particular session in the connection request packet (for example, via <application>libpq</application>'s <literal>PGOPTIONS</literal> - environment variable), but only if the connecting user is a superuser. + environment variable), but only if the connecting user is a superuser + or has been granted the appropriate <literal>SET</literal> privilege. However, these settings never change in a session after it is started. If you change them in <filename>postgresql.conf</filename>, send a <systemitem>SIGHUP</systemitem> signal to the postmaster to cause it to @@ -12781,6 +12855,7 @@ SELECT * FROM pg_locks pl LEFT JOIN pg_prepared_xacts ppx <para> These settings can be set from <filename>postgresql.conf</filename>, or within a session via the <command>SET</command> command; but only superusers + and users with the appropriate <literal>SET</literal> privilege can change them via <command>SET</command>. Changes in <filename>postgresql.conf</filename> will affect existing sessions only if no session-local value has been established with <command>SET</command>. diff --git a/doc/src/sgml/config.sgml b/doc/src/sgml/config.sgml index 43e4ade83e0..ea312224bf2 100644 --- a/doc/src/sgml/config.sgml +++ b/doc/src/sgml/config.sgml @@ -274,6 +274,9 @@ shared_buffers = 128MB The <link linkend="sql-set"><command>SET</command></link> command allows modification of the current value of those parameters that can be set locally to a session; it has no effect on other sessions. + Many parameters can be set this way by any user, but some can + only be set by superusers and users who have been + granted <literal>SET</literal> privilege on that parameter. The corresponding SQL function is <function>set_config(setting_name, new_value, is_local)</function> (see <xref linkend="functions-admin-set"/>). @@ -1976,7 +1979,8 @@ include_dir 'conf.d' The default setting is two megabytes (<literal>2MB</literal>), which is conservatively small and unlikely to risk crashes. However, it might be too small to allow execution of complex functions. - Only superusers can change this setting. + Only superusers and users with the appropriate <literal>SET</literal> + privilege can change this setting. </para> <para> @@ -2089,7 +2093,8 @@ include_dir 'conf.d' this limit will be canceled. If this value is specified without units, it is taken as kilobytes. <literal>-1</literal> (the default) means no limit. - Only superusers can change this setting. + Only superusers and users with the appropriate <literal>SET</literal> + privilege can change this setting. </para> <para> This setting constrains the total space used at any instant by all @@ -3166,7 +3171,8 @@ include_dir 'conf.d' <literal>zstd</literal> (if <productname>PostgreSQL</productname> was compiled with <option>--with-zstd</option>). The default value is <literal>off</literal>. - Only superusers can change this setting. + Only superusers and users with the appropriate <literal>SET</literal> + privilege can change this setting. </para> <para> @@ -3341,7 +3347,8 @@ include_dir 'conf.d' performed if <varname>fsync</varname> is disabled. If this value is specified without units, it is taken as microseconds. The default <varname>commit_delay</varname> is zero (no delay). - Only superusers can change this setting. + Only superusers and users with the appropriate <literal>SET</literal> + privilege can change this setting. </para> <para> In <productname>PostgreSQL</productname> releases prior to 9.3, @@ -6462,7 +6469,8 @@ local0.* /var/log/postgresql to the log. The default is <literal>WARNING</literal>. Note that <literal>LOG</literal> has a different rank here than in <xref linkend="guc-client-min-messages"/>. - Only superusers can change this setting. + Only superusers and users with the appropriate <literal>SET</literal> + privilege can change this setting. </para> </listitem> </varlistentry> @@ -6492,7 +6500,8 @@ local0.* /var/log/postgresql causing errors, log messages, fatal errors, or panics will be logged. To effectively turn off logging of failing statements, set this parameter to <literal>PANIC</literal>. - Only superusers can change this setting. + Only superusers and users with the appropriate <literal>SET</literal> + privilege can change this setting. </para> </listitem> </varlistentry> @@ -6514,7 +6523,9 @@ local0.* /var/log/postgresql If this value is specified without units, it is taken as milliseconds. Setting this to zero prints all statement durations. <literal>-1</literal> (the default) disables logging statement - durations. Only superusers can change this setting. + durations. + Only superusers and users with the appropriate <literal>SET</literal> + privilege can change this setting. </para> <para> @@ -6566,7 +6577,9 @@ local0.* /var/log/postgresql If this value is specified without units, it is taken as milliseconds. Setting this to zero samples all statement durations. <literal>-1</literal> (the default) disables sampling statement - durations. Only superusers can change this setting. + durations. + Only superusers and users with the appropriate <literal>SET</literal> + privilege can change this setting. </para> <para> @@ -6603,7 +6616,8 @@ local0.* /var/log/postgresql the same as setting <varname>log_min_duration_sample</varname> to <literal>-1</literal>. - Only superusers can change this setting. + Only superusers and users with the appropriate <literal>SET</literal> + privilege can change this setting. </para> </listitem> </varlistentry> @@ -6627,7 +6641,8 @@ local0.* /var/log/postgresql The default is <literal>0</literal>, meaning not to log statements from any additional transactions. Setting this to <literal>1</literal> logs all statements of all transactions. - Only superusers can change this setting. + Only superusers and users with the appropriate <literal>SET</literal> + privilege can change this setting. </para> <note> <para> @@ -6892,7 +6907,8 @@ local0.* /var/log/postgresql Causes each attempted connection to the server to be logged, as well as successful completion of both client authentication (if necessary) and authorization. - Only superusers can change this parameter at session start, + Only superusers and users with the appropriate <literal>SET</literal> + privilege can change this parameter at session start, and it cannot be changed at all within a session. The default is <literal>off</literal>. </para> @@ -6919,7 +6935,8 @@ local0.* /var/log/postgresql Causes session terminations to be logged. The log output provides information similar to <varname>log_connections</varname>, plus the duration of the session. - Only superusers can change this parameter at session start, + Only superusers and users with the appropriate <literal>SET</literal> + privilege can change this parameter at session start, and it cannot be changed at all within a session. The default is <literal>off</literal>. </para> @@ -6937,7 +6954,8 @@ local0.* /var/log/postgresql <para> Causes the duration of every completed statement to be logged. The default is <literal>off</literal>. - Only superusers can change this setting. + Only superusers and users with the appropriate <literal>SET</literal> + privilege can change this setting. </para> <para> @@ -6978,7 +6996,8 @@ local0.* /var/log/postgresql <literal>VERBOSE</literal> output includes the <symbol>SQLSTATE</symbol> error code (see also <xref linkend="errcodes-appendix"/>) and the source code file name, function name, and line number that generated the error. - Only superusers can change this setting. + Only superusers and users with the appropriate <literal>SET</literal> + privilege can change this setting. </para> </listitem> </varlistentry> @@ -7233,7 +7252,8 @@ log_line_prefix = '%m [%p] %q%u@%d/%a ' longer than <xref linkend="guc-deadlock-timeout"/> to acquire a lock. This is useful in determining if lock waits are causing poor performance. The default is <literal>off</literal>. - Only superusers can change this setting. + Only superusers and users with the appropriate <literal>SET</literal> + privilege can change this setting. </para> </listitem> </varlistentry> @@ -7274,7 +7294,8 @@ log_line_prefix = '%m [%p] %q%u@%d/%a ' <literal>-1</literal> (the default) allows bind parameters to be logged in full. If this value is specified without units, it is taken as bytes. - Only superusers can change this setting. + Only superusers and users with the appropriate <literal>SET</literal> + privilege can change this setting. </para> <para> @@ -7341,8 +7362,9 @@ log_line_prefix = '%m [%p] %q%u@%d/%a ' </para> <para> - The default is <literal>none</literal>. Only superusers can change this - setting. + The default is <literal>none</literal>. + Only superusers and users with the appropriate <literal>SET</literal> + privilege can change this setting. </para> <note> @@ -7371,7 +7393,8 @@ log_line_prefix = '%m [%p] %q%u@%d/%a ' Causes each replication command to be logged in the server log. See <xref linkend="protocol-replication"/> for more information about replication command. The default value is <literal>off</literal>. - Only superusers can change this setting. + Only superusers and users with the appropriate <literal>SET</literal> + privilege can change this setting. </para> </listitem> </varlistentry> @@ -7394,7 +7417,8 @@ log_line_prefix = '%m [%p] %q%u@%d/%a ' the specified amount of data. If this value is specified without units, it is taken as kilobytes. The default setting is -1, which disables such logging. - Only superusers can change this setting. + Only superusers and users with the appropriate <literal>SET</literal> + privilege can change this setting. </para> </listitem> </varlistentry> @@ -7784,7 +7808,8 @@ COPY postgres_log FROM '/full/path/to/logfile.csv' WITH csv; This setting defaults to <literal>on</literal> on most platforms, but it defaults to <literal>off</literal> on Windows due to that platform's larger overhead for updating the process title. - Only superusers can change this setting. + Only superusers and users with the appropriate <literal>SET</literal> + privilege can change this setting. </para> </listitem> </varlistentry> @@ -7823,7 +7848,8 @@ COPY postgres_log FROM '/full/path/to/logfile.csv' WITH csv; visible to all users, only to superusers and the user owning the session being reported on, so it should not represent a security risk. - Only superusers can change this setting. + Only superusers and users with the appropriate <literal>SET</literal> + privilege can change this setting. </para> </listitem> </varlistentry> @@ -7857,7 +7883,8 @@ COPY postgres_log FROM '/full/path/to/logfile.csv' WITH csv; Enables collection of statistics on database activity. This parameter is on by default, because the autovacuum daemon needs the collected information. - Only superusers can change this setting. + Only superusers and users with the appropriate <literal>SET</literal> + privilege can change this setting. </para> </listitem> </varlistentry> @@ -7882,9 +7909,10 @@ COPY postgres_log FROM '/full/path/to/logfile.csv' WITH csv; is used, in the output of <xref linkend="sql-vacuum"/> when the <literal>VERBOSE</literal> option is used, by autovacuum for auto-vacuums and auto-analyzes, when <xref - linkend="guc-log-autovacuum-min-duration"/> is set and by - <xref linkend="pgstatstatements"/>. Only superusers can - change this setting. + linkend="guc-log-autovacuum-min-duration"/> is set and by + <xref linkend="pgstatstatements"/>. + Only superusers and users with the appropriate <literal>SET</literal> + privilege can change this setting. </para> </listitem> </varlistentry> @@ -7904,8 +7932,9 @@ COPY postgres_log FROM '/full/path/to/logfile.csv' WITH csv; measure the overhead of timing on your system. I/O timing information is displayed in <link linkend="monitoring-pg-stat-wal-view"> - <structname>pg_stat_wal</structname></link>. Only superusers can - change this setting. + <structname>pg_stat_wal</structname></link>. + Only superusers and users with the appropriate <literal>SET</literal> + privilege can change this setting. </para> </listitem> </varlistentry> @@ -7922,7 +7951,9 @@ COPY postgres_log FROM '/full/path/to/logfile.csv' WITH csv; <literal>pl</literal> to track only procedural-language functions, <literal>all</literal> to also track SQL and C language functions. The default is <literal>none</literal>, which disables function - statistics tracking. Only superusers can change this setting. + statistics tracking. + Only superusers and users with the appropriate <literal>SET</literal> + privilege can change this setting. </para> <note> @@ -8028,7 +8059,9 @@ COPY postgres_log FROM '/full/path/to/logfile.csv' WITH csv; statement statistics, while the others report per-module statistics. <varname>log_statement_stats</varname> cannot be enabled together with any of the per-module options. All of these options are disabled by - default. Only superusers can change these settings. + default. + Only superusers and users with the appropriate <literal>SET</literal> + privilege can change these settings. </para> </listitem> </varlistentry> @@ -8814,10 +8847,13 @@ COPY postgres_log FROM '/full/path/to/logfile.csv' WITH csv; <listitem> <para> Controls firing of replication-related triggers and rules for the - current session. Setting this variable requires - superuser privilege and results in discarding any previously cached - query plans. Possible values are <literal>origin</literal> (the default), + current session. + Possible values are <literal>origin</literal> (the default), <literal>replica</literal> and <literal>local</literal>. + Setting this parameter results in discarding any previously cached + query plans. + Only superusers and users with the appropriate <literal>SET</literal> + privilege can change this setting. </para> <para> @@ -9432,10 +9468,8 @@ SET XML OPTION { DOCUMENT | CONTENT }; </para> <para> - Only superusers can change this setting, because it affects the - messages sent to the server log as well as to the client, and - an improper value might obscure the readability of the server - logs. + Only superusers and users with the appropriate <literal>SET</literal> + privilege can change this setting. </para> </listitem> </varlistentry> @@ -9630,7 +9664,8 @@ SET XML OPTION { DOCUMENT | CONTENT }; The parameter value only takes effect at the start of the connection. Subsequent changes have no effect. If a specified library is not found, the connection attempt will fail. - Only superusers can change this setting. + Only superusers and users with the appropriate <literal>SET</literal> + privilege can change this setting. </para> <para> @@ -9780,7 +9815,8 @@ dynamic_library_path = 'C:\tools\postgresql;H:\my_project\lib;$libdir' </para> <para> - This parameter can be changed at run time by superusers, but a + This parameter can be changed at run time by superusers and users + with the appropriate <literal>SET</literal> privilege, but a setting done that way will only persist until the end of the client connection, so this method should be reserved for development purposes. The recommended way to set this parameter @@ -9844,8 +9880,9 @@ dynamic_library_path = 'C:\tools\postgresql;H:\my_project\lib;$libdir' practice. On a heavily loaded server you might want to raise it. Ideally the setting should exceed your typical transaction time, so as to improve the odds that a lock will be released before - the waiter decides to check for deadlock. Only superusers can change - this setting. + the waiter decides to check for deadlock. + Only superusers and users with the appropriate <literal>SET</literal> + privilege can change this setting. </para> <para> @@ -10064,7 +10101,8 @@ dynamic_library_path = 'C:\tools\postgresql;H:\my_project\lib;$libdir' and writable by all users. Setting this variable to <literal>on</literal> disables the new privilege checks, for compatibility with prior releases. The default is <literal>off</literal>. - Only superusers can change this setting. + Only superusers and users with the appropriate <literal>SET</literal> + privilege can change this setting. </para> <para> Setting this variable does not disable all security checks related to @@ -10717,7 +10755,9 @@ dynamic_library_path = 'C:\tools\postgresql;H:\my_project\lib;$libdir' is intended to allow testing replication scenarios where primary and standby servers are running on the same machine. Such directories are likely to confuse backup tools that expect to find only symbolic - links in that location. Only superusers can change this setting. + links in that location. + Only superusers and users with the appropriate <literal>SET</literal> + privilege can change this setting. </para> </listitem> </varlistentry> @@ -10734,7 +10774,9 @@ dynamic_library_path = 'C:\tools\postgresql;H:\my_project\lib;$libdir' certain other risky actions on system tables. This is otherwise not allowed even for superusers. Ill-advised use of this setting can cause irretrievable data loss or seriously corrupt the database - system. Only superusers can change this setting. + system. + Only superusers and users with the appropriate <literal>SET</literal> + privilege can change this setting. </para> </listitem> </varlistentry> @@ -10760,7 +10802,8 @@ dynamic_library_path = 'C:\tools\postgresql;H:\my_project\lib;$libdir' </para> <para> - This parameter can only be set by superusers. + Only superusers and users with the appropriate <literal>SET</literal> + privilege can change this setting. </para> </listitem> </varlistentry> @@ -11145,8 +11188,9 @@ LOG: CleanUpLock: deleting: lock(0xb7acd844) id(24688,24696,0,0,0,1) the supported resource managers are <literal>heap</literal>, <literal>heap2</literal>, <literal>btree</literal>, <literal>hash</literal>, <literal>gin</literal>, <literal>gist</literal>, <literal>sequence</literal>, - <literal>spgist</literal>, <literal>brin</literal>, and <literal>generic</literal>. Only - superusers can change this setting. + <literal>spgist</literal>, <literal>brin</literal>, and <literal>generic</literal>. + Only superusers and users with the appropriate <literal>SET</literal> + privilege can change this setting. </para> </listitem> </varlistentry> @@ -11187,7 +11231,9 @@ LOG: CleanUpLock: deleting: lock(0xb7acd844) id(24688,24696,0,0,0,1) you to get past the error and retrieve undamaged tuples that might still be present in the table if the block header is still sane. If the header is corrupt an error will be reported even if this option is enabled. The - default setting is <literal>off</literal>, and it can only be changed by a superuser. + default setting is <literal>off</literal>. + Only superusers and users with the appropriate <literal>SET</literal> + privilege can change this setting. </para> </listitem> </varlistentry> @@ -11213,8 +11259,9 @@ LOG: CleanUpLock: deleting: lock(0xb7acd844) id(24688,24696,0,0,0,1) data from the damaged pages of a table. Zeroed-out pages are not forced to disk so it is recommended to recreate the table or the index before turning this parameter off again. The - default setting is <literal>off</literal>, and it can only be changed - by a superuser. + default setting is <literal>off</literal>. + Only superusers and users with the appropriate <literal>SET</literal> + privilege can change this setting. </para> </listitem> </varlistentry> @@ -11272,7 +11319,8 @@ LOG: CleanUpLock: deleting: lock(0xb7acd844) id(24688,24696,0,0,0,1) file system, inside <xref linkend="guc-data-directory"/>. This is only useful for working on the internals of the JIT implementation. The default setting is <literal>off</literal>. - This parameter can only be changed by a superuser. + Only superusers and users with the appropriate <literal>SET</literal> + privilege can change this setting. </para> </listitem> </varlistentry> diff --git a/doc/src/sgml/ddl.sgml b/doc/src/sgml/ddl.sgml index 166b7a352df..492a9602476 100644 --- a/doc/src/sgml/ddl.sgml +++ b/doc/src/sgml/ddl.sgml @@ -1691,7 +1691,8 @@ ALTER TABLE products RENAME TO items; <literal>INSERT</literal>, <literal>UPDATE</literal>, <literal>DELETE</literal>, <literal>TRUNCATE</literal>, <literal>REFERENCES</literal>, <literal>TRIGGER</literal>, <literal>CREATE</literal>, <literal>CONNECT</literal>, <literal>TEMPORARY</literal>, - <literal>EXECUTE</literal>, and <literal>USAGE</literal>. + <literal>EXECUTE</literal>, <literal>USAGE</literal>, <literal>SET</literal> + and <literal>ALTER SYSTEM</literal>. The privileges applicable to a particular object vary depending on the object's type (table, function, etc). More detail about the meanings of these privileges appears below. @@ -1959,6 +1960,28 @@ REVOKE ALL ON accounts FROM PUBLIC; </para> </listitem> </varlistentry> + + <varlistentry> + <term><literal>SET</literal></term> + <listitem> + <para> + Allows a server configuration parameter to be set to a new value + within the current session. (While this privilege can be granted + on any parameter, it is meaningless except for parameters that would + normally require superuser privilege to set.) + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term><literal>ALTER SYSTEM</literal></term> + <listitem> + <para> + Allows a server configuration parameter to be configured to a new + value using the <xref linkend="sql-altersystem"/> command. + </para> + </listitem> + </varlistentry> </variablelist> The privileges required by other commands are listed on the @@ -1976,7 +1999,8 @@ REVOKE ALL ON accounts FROM PUBLIC; foreign servers, large objects, schemas, - or tablespaces. + tablespaces, + or configuration parameters. For other types of objects, the default privileges granted to <literal>PUBLIC</literal> are as follows: <literal>CONNECT</literal> and <literal>TEMPORARY</literal> (create @@ -2097,6 +2121,16 @@ REVOKE ALL ON accounts FROM PUBLIC; <literal>TYPE</literal> </entry> </row> + <row> + <entry><literal>SET</literal></entry> + <entry><literal>s</literal></entry> + <entry><literal>PARAMETER</literal></entry> + </row> + <row> + <entry><literal>ALTER SYSTEM</literal></entry> + <entry><literal>A</literal></entry> + <entry><literal>PARAMETER</literal></entry> + </row> </tbody> </tgroup> </table> @@ -2168,6 +2202,12 @@ REVOKE ALL ON accounts FROM PUBLIC; <entry><literal>\dl+</literal></entry> </row> <row> + <entry><literal>PARAMETER</literal></entry> + <entry><literal>sA</literal></entry> + <entry>none</entry> + <entry>none</entry> + </row> + <row> <entry><literal>SCHEMA</literal></entry> <entry><literal>UC</literal></entry> <entry>none</entry> diff --git a/doc/src/sgml/func.sgml b/doc/src/sgml/func.sgml index 4001cb2bda5..bd772eeba1c 100644 --- a/doc/src/sgml/func.sgml +++ b/doc/src/sgml/func.sgml @@ -22856,6 +22856,25 @@ SELECT has_function_privilege('joeuser', 'myfunc(int, text)', 'execute'); <row> <entry role="func_table_entry"><para role="func_signature"> <indexterm> + <primary>has_parameter_privilege</primary> + </indexterm> + <function>has_parameter_privilege</function> ( + <optional> <parameter>user</parameter> <type>name</type> or <type>oid</type>, </optional> + <parameter>parameter</parameter> <type>text</type>, + <parameter>privilege</parameter> <type>text</type> ) + <returnvalue>boolean</returnvalue> + </para> + <para> + Does user have privilege for configuration parameter? + The parameter name is case-insensitive. + Allowable privilege types are <literal>SET</literal> + and <literal>ALTER SYSTEM</literal>. + </para></entry> + </row> + + <row> + <entry role="func_table_entry"><para role="func_signature"> + <indexterm> <primary>has_schema_privilege</primary> </indexterm> <function>has_schema_privilege</function> ( @@ -23137,6 +23156,7 @@ SELECT has_function_privilege('joeuser', 'myfunc(int, text)', 'execute'); 'l' for <literal>LANGUAGE</literal>, 'L' for <literal>LARGE OBJECT</literal>, 'n' for <literal>SCHEMA</literal>, + 'p' for <literal>PARAMETER</literal>, 't' for <literal>TABLESPACE</literal>, 'F' for <literal>FOREIGN DATA WRAPPER</literal>, 'S' for <literal>FOREIGN SERVER</literal>, @@ -23905,7 +23925,7 @@ SELECT currval(pg_get_serial_sequence('sometable', 'id')); </simplelist> </para></entry> </row> - + <row> <entry role="func_table_entry"><para role="func_signature"> <indexterm> @@ -27427,7 +27447,7 @@ SELECT pg_size_pretty(sum(pg_relation_size(relid))) AS total_size are excluded. </para> <para> - This function is restricted to superusers and roles with privileges of + This function is restricted to superusers and roles with privileges of the <literal>pg_monitor</literal> role by default, but other users can be granted EXECUTE to run the function. </para></entry> diff --git a/doc/src/sgml/ref/alter_system.sgml b/doc/src/sgml/ref/alter_system.sgml index 5e41f7f6444..6f8bd39eaf8 100644 --- a/doc/src/sgml/ref/alter_system.sgml +++ b/doc/src/sgml/ref/alter_system.sgml @@ -55,7 +55,8 @@ ALTER SYSTEM RESET ALL </para> <para> - Only superusers can use <command>ALTER SYSTEM</command>. Also, since + Only superusers and users granted <literal>ALTER SYSTEM</literal> privilege + on a parameter can change it using <command>ALTER SYSTEM</command>. Also, since this command acts directly on the file system and cannot be rolled back, it is not allowed inside a transaction block or function. </para> diff --git a/doc/src/sgml/ref/drop_owned.sgml b/doc/src/sgml/ref/drop_owned.sgml index 8fa8c414a10..efda01a39e8 100644 --- a/doc/src/sgml/ref/drop_owned.sgml +++ b/doc/src/sgml/ref/drop_owned.sgml @@ -32,8 +32,8 @@ DROP OWNED BY { <replaceable class="parameter">name</replaceable> | CURRENT_ROLE <command>DROP OWNED</command> drops all the objects within the current database that are owned by one of the specified roles. Any privileges granted to the given roles on objects in the current - database or on shared objects (databases, tablespaces) will also be - revoked. + database or on shared objects (databases, tablespaces, configuration + parameters) will also be revoked. </para> </refsect1> diff --git a/doc/src/sgml/ref/grant.sgml b/doc/src/sgml/ref/grant.sgml index 8c4edd9b0a7..f744b05b55d 100644 --- a/doc/src/sgml/ref/grant.sgml +++ b/doc/src/sgml/ref/grant.sgml @@ -77,6 +77,11 @@ GRANT { { SELECT | UPDATE } [, ...] | ALL [ PRIVILEGES ] } TO <replaceable class="parameter">role_specification</replaceable> [, ...] [ WITH GRANT OPTION ] [ GRANTED BY <replaceable class="parameter">role_specification</replaceable> ] +GRANT { { SET | ALTER SYSTEM } [, ... ] | ALL [ PRIVILEGES ] } + ON PARAMETER <replaceable class="parameter">configuration_parameter</replaceable> [, ...] + TO <replaceable class="parameter">role_specification</replaceable> [, ...] [ WITH GRANT OPTION ] + [ GRANTED BY <replaceable class="parameter">role_specification</replaceable> ] + GRANT { { CREATE | USAGE } [, ...] | ALL [ PRIVILEGES ] } ON SCHEMA <replaceable>schema_name</replaceable> [, ...] TO <replaceable class="parameter">role_specification</replaceable> [, ...] [ WITH GRANT OPTION ] @@ -111,9 +116,10 @@ GRANT <replaceable class="parameter">role_name</replaceable> [, ...] TO <replace <para> The <command>GRANT</command> command has two basic variants: one - that grants privileges on a database object (table, column, view, foreign - table, sequence, database, foreign-data wrapper, foreign server, function, procedure, - procedural language, schema, or tablespace), and one that grants + that grants privileges on a database object (table, column, view, + foreign table, sequence, database, foreign-data wrapper, foreign server, + function, procedure, procedural language, large object, configuration + parameter, schema, tablespace, or type), and one that grants membership in a role. These variants are similar in many ways, but they are different enough to be described separately. </para> @@ -185,6 +191,8 @@ GRANT <replaceable class="parameter">role_name</replaceable> [, ...] TO <replace <term><literal>TEMPORARY</literal></term> <term><literal>EXECUTE</literal></term> <term><literal>USAGE</literal></term> + <term><literal>SET</literal></term> + <term><literal>ALTER SYSTEM</literal></term> <listitem> <para> Specific types of privileges, as defined in <xref linkend="ddl-priv"/>. @@ -452,7 +460,8 @@ GRANT admins TO joe; </para> <para> - Privileges on databases, tablespaces, schemas, and languages are + Privileges on databases, tablespaces, schemas, languages, and + configuration parameters are <productname>PostgreSQL</productname> extensions. </para> </refsect1> diff --git a/doc/src/sgml/ref/pg_dumpall.sgml b/doc/src/sgml/ref/pg_dumpall.sgml index c9aef776ebb..8a081f0080f 100644 --- a/doc/src/sgml/ref/pg_dumpall.sgml +++ b/doc/src/sgml/ref/pg_dumpall.sgml @@ -38,7 +38,8 @@ PostgreSQL documentation linkend="app-psql"/> to restore the databases. It does this by calling <xref linkend="app-pgdump"/> for each database in the cluster. <application>pg_dumpall</application> also dumps global objects - that are common to all databases, that is, database roles and tablespaces. + that are common to all databases, namely database roles, tablespaces, + and privilege grants for configuration parameters. (<application>pg_dump</application> does not save these objects.) </para> diff --git a/doc/src/sgml/ref/revoke.sgml b/doc/src/sgml/ref/revoke.sgml index 3014c864ea3..62f19710369 100644 --- a/doc/src/sgml/ref/revoke.sgml +++ b/doc/src/sgml/ref/revoke.sgml @@ -98,6 +98,13 @@ REVOKE [ GRANT OPTION FOR ] [ CASCADE | RESTRICT ] REVOKE [ GRANT OPTION FOR ] + { { SET | ALTER SYSTEM } [, ...] | ALL [ PRIVILEGES ] } + ON PARAMETER <replaceable class="parameter">configuration_parameter</replaceable> [, ...] + FROM <replaceable class="parameter">role_specification</replaceable> [, ...] + [ GRANTED BY <replaceable class="parameter">role_specification</replaceable> ] + [ CASCADE | RESTRICT ] + +REVOKE [ GRANT OPTION FOR ] { { CREATE | USAGE } [, ...] | ALL [ PRIVILEGES ] } ON SCHEMA <replaceable>schema_name</replaceable> [, ...] FROM <replaceable class="parameter">role_specification</replaceable> [, ...] diff --git a/doc/src/sgml/ref/set.sgml b/doc/src/sgml/ref/set.sgml index 339ee9eec94..ae508d026e2 100644 --- a/doc/src/sgml/ref/set.sgml +++ b/doc/src/sgml/ref/set.sgml @@ -34,8 +34,10 @@ SET [ SESSION | LOCAL ] TIME ZONE { <replaceable class="parameter">timezone</rep parameters. Many of the run-time parameters listed in <xref linkend="runtime-config"/> can be changed on-the-fly with <command>SET</command>. - (But some require superuser privileges to change, and others cannot - be changed after server or session start.) + (Some parameters can only be changed by superusers and users who + have been granted <literal>SET</literal> privilege on that parameter. + There are also parameters that cannot be changed after server or + session start.) <command>SET</command> only affects the value used by the current session. </para> |