Diffstat (limited to 'doc/src')
-rw-r--r--doc/src/sgml/catalogs.sgml127
-rw-r--r--doc/src/sgml/func.sgml127
2 files changed, 213 insertions, 41 deletions
diff --git a/doc/src/sgml/catalogs.sgml b/doc/src/sgml/catalogs.sgml
index 9ceb96b54c7..947091627fd 100644
--- a/doc/src/sgml/catalogs.sgml
+++ b/doc/src/sgml/catalogs.sgml
@@ -1391,89 +1391,134 @@
</row>
<row>
- <entry><structfield>rolsuper</structfield></entry>
- <entry><type>bool</type></entry>
+ <entry><structfield>rolattr</structfield></entry>
+ <entry><type>bigint</type></entry>
+ <entry>
+ Role attributes; see <xref linkend="catalog-rolattr-bitmap-table"> and
+ <xref linkend="sql-createrole"> for details
+ </entry>
+ </row>
+
+ <row>
+ <entry><structfield>rolconnlimit</structfield></entry>
+ <entry><type>int4</type></entry>
+ <entry>
+ For roles that can log in, this sets maximum number of concurrent
+ connections this role can make. -1 means no limit.
+ </entry>
+ </row>
+
+ <row>
+ <entry><structfield>rolpassword</structfield></entry>
+ <entry><type>text</type></entry>
+ <entry>
+ Password (possibly encrypted); null if none. If the password
+ is encrypted, this column will begin with the string <literal>md5</>
+ followed by a 32-character hexadecimal MD5 hash. The MD5 hash
+ will be of the user's password concatenated to their user name.
+ For example, if user <literal>joe</> has password <literal>xyzzy</>,
+ <productname>PostgreSQL</> will store the md5 hash of
+ <literal>xyzzyjoe</>. A password that does not follow that
+ format is assumed to be unencrypted.
+ </entry>
+ </row>
+
+ <row>
+ <entry><structfield>rolvaliduntil</structfield></entry>
+ <entry><type>timestamptz</type></entry>
+ <entry>Password expiry time (only used for password authentication);
+ null if no expiration</entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </table>
+
+ <table id="catalog-rolattr-bitmap-table">
+ <title>Attributes in <structfield>rolattr</></title>
+
+ <tgroup cols="4">
+ <thead>
+ <row>
+ <entry>Attribute</entry>
+ <entry>CREATE ROLE Option</entry>
+ <entry>Description</entry>
+ <entry>Position</entry>
+ </row>
+ </thead>
+
+ <tbody>
+ <row>
+ <entry>Superuser</entry>
+ <entry>SUPERUSER</entry>
<entry>Role has superuser privileges</entry>
+ <entry><literal>0</literal></entry>
</row>
<row>
- <entry><structfield>rolinherit</structfield></entry>
- <entry><type>bool</type></entry>
- <entry>Role automatically inherits privileges of roles it is a
- member of</entry>
+ <entry>Inherit</entry>
+ <entry>INHERIT</entry>
+ <entry>
+ Role automatically inherits privileges of roles it is a member of
+ </entry>
+ <entry><literal>1</literal></entry>
</row>
<row>
- <entry><structfield>rolcreaterole</structfield></entry>
- <entry><type>bool</type></entry>
+ <entry>Create Role</entry>
+ <entry>CREATEROLE</entry>
<entry>Role can create more roles</entry>
+ <entry><literal>2</literal></entry>
</row>
<row>
- <entry><structfield>rolcreatedb</structfield></entry>
- <entry><type>bool</type></entry>
+ <entry>Create DB</entry>
+ <entry>CREATEDB</entry>
<entry>Role can create databases</entry>
+ <entry><literal>3</literal></entry>
</row>
<row>
- <entry><structfield>rolcatupdate</structfield></entry>
- <entry><type>bool</type></entry>
+ <entry>Catalog Update</entry>
+ <entry>CATUPDATE</entry>
<entry>
Role can update system catalogs directly. (Even a superuser cannot do
this unless this column is true)
</entry>
+ <entry><literal>4</literal></entry>
</row>
<row>
- <entry><structfield>rolcanlogin</structfield></entry>
- <entry><type>bool</type></entry>
+ <entry>Can Login</entry>
+ <entry>LOGIN</entry>
<entry>
Role can log in. That is, this role can be given as the initial
session authorization identifier
</entry>
+ <entry><literal>5</literal></entry>
</row>
<row>
- <entry><structfield>rolreplication</structfield></entry>
- <entry><type>bool</type></entry>
+ <entry>Replication</entry>
+ <entry>REPLICATION</entry>
<entry>
Role is a replication role. That is, this role can initiate streaming
replication (see <xref linkend="streaming-replication">) and set/unset
the system backup mode using <function>pg_start_backup</> and
<function>pg_stop_backup</>
</entry>
+ <entry><literal>6</literal></entry>
</row>
<row>
- <entry><structfield>rolconnlimit</structfield></entry>
- <entry><type>int4</type></entry>
+ <entry>Bypass Row Level Security</entry>
+ <entry>BYPASSRLS</entry>
<entry>
- For roles that can log in, this sets maximum number of concurrent
- connections this role can make. -1 means no limit.
- </entry>
- </row>
-
- <row>
- <entry><structfield>rolpassword</structfield></entry>
- <entry><type>text</type></entry>
- <entry>
- Password (possibly encrypted); null if none. If the password
- is encrypted, this column will begin with the string <literal>md5</>
- followed by a 32-character hexadecimal MD5 hash. The MD5 hash
- will be of the user's password concatenated to their user name.
- For example, if user <literal>joe</> has password <literal>xyzzy</>,
- <productname>PostgreSQL</> will store the md5 hash of
- <literal>xyzzyjoe</>. A password that does not follow that
- format is assumed to be unencrypted.
+ Role can bypass row level security policies when <literal>row_security</>
+ is set <literal>off</>
</entry>
+ <entry><literal>7</literal></entry>
</row>
- <row>
- <entry><structfield>rolvaliduntil</structfield></entry>
- <entry><type>timestamptz</type></entry>
- <entry>Password expiry time (only used for password authentication);
- null if no expiration</entry>
- </row>
</tbody>
</tgroup>
</table>
diff --git a/doc/src/sgml/func.sgml b/doc/src/sgml/func.sgml
index 24c64b7187f..2a37e65eb9a 100644
--- a/doc/src/sgml/func.sgml
+++ b/doc/src/sgml/func.sgml
@@ -15139,6 +15139,133 @@ SELECT has_function_privilege('joeuser', 'myfunc(int, text)', 'execute');
are immediately available without doing <command>SET ROLE</>.
</para>
+ <para>
+ <xref linkend="functions-info-role-attribute-table"> lists functions that
+ allow the user to query role attribute information programmatically.
+ </para>
+
+ <table id="functions-info-role-attribute-table">
+ <title>Role Attribute Inquiry Functions</title>
+ <tgroup cols="3">
+ <thead>
+ <row><entry>Name</entry> <entry>Return Type</entry> <entry>Description</entry></row>
+ </thead>
+ <tbody>
+ <row>
+ <entry><literal><function>pg_has_role_attribute(role, attribute)</function></literal></entry>
+ <entry><type>boolean</type></entry>
+ <entry>does role have the permissions allowed by named attribute</entry>
+ </row>
+ <row>
+ <entry><literal><function>pg_check_role_attribute(role, attribute)</function></literal></entry>
+ <entry><type>boolean</type></entry>
+ <entry>does role have the named attribute</entry>
+ </row>
+ <row>
+ <entry><literal><function>pg_check_role_attribute(role_attributes, attribute)</function></literal></entry>
+ <entry><type>boolean</type></entry>
+ <entry>is attribute set in bitmap of role attributes</entry>
+ </row>
+ <row>
+ <entry><literal><function>pg_all_role_attributes(role_attributes)</function></literal></entry>
+ <entry><type>text[]</type></entry>
+ <entry>convert bitmap of role attribute representation to text[]</entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </table>
+
+ <indexterm>
+ <primary>pg_has_role_attribute</primary>
+ </indexterm>
+ <indexterm>
+ <primary>pg_check_role_attribute</primary>
+ </indexterm>
+ <indexterm>
+ <primary>pg_all_role_attributes</primary>
+ </indexterm>
+
+ <para>
+ <function>pg_has_role_attribute</function> checks the attribute permissions
+ given to a role. It will always return <literal>true</literal> for roles
+ with superuser privileges unless the attribute being checked is
+ <literal>CATUPDATE</literal> (superuser cannot bypass
+ <literal>CATUPDATE</literal> permissions). The role can be specified by name
+ and by OID. The attribute is specified by a text string which must evaluate
+ to one of the following role attributes:
+ <literal>SUPERUSER</literal>,
+ <literal>INHERIT</literal>,
+ <literal>CREATEROLE</literal>,
+ <literal>CREATEDB</literal>,
+ <literal>CATUPDATE</literal>,
+ <literal>CANLOGIN</literal>,
+ <literal>REPLICATION</literal>, or
+ <literal>BYPASSRLS</literal>. See <xref linkend="sql-createrole"> for more
+ information. For example:
+<programlisting>
+SELECT pg_has_role_attribute('joe', 'SUPERUSER');
+ pg_has_role_attribute
+-----------------------
+ f
+(1 row)
+
+SELECT rolname, pg_has_role_attribute(oid, 'INHERIT') AS rolinherit FROM pg_roles;
+ rolname | rolinherit
+----------+------------
+ postgres | t
+ joe | t
+(2 rows)
+</programlisting>
+ </para>
+
+ <para>
+ <function>pg_check_role_attribute</function> checks the attribute value given
+ to a role. The role can be specified by name and by OID. The attribute is
+ specified by a text string which must evaluate to a valid role attribute (see
+ <function>pg_has_role_attribute</function>). A third variant of this function
+ allows for a bitmap representation (<literal>bigint</literal>) of attributes
+ to be given instead of a role.
+ Example:
+<programlisting>
+SELECT pg_check_role_attribute('joe', 'SUPERUSER');
+ pg_check_role_attribute
+-------------------------
+ f
+(1 row)
+
+SELECT rolname, pg_check_role_attribute(oid, 'INHERIT') as rolinherit FROM pg_roles;
+ rolname | rolinherit
+----------+------------
+ postgres | t
+ joe | t
+(2 rows)
+ t
+(1 row)
+
+
+SELECT rolname, pg_check_role_attribute(rolattr, 'SUPERUSER') AS rolsuper FROM pg_authid;
+ rolname | rolsuper
+----------+----------
+ postgres | t
+ joe | f
+(2 rows)
+</programlisting>
+ </para>
+
+ <para>
+ <function>pg_all_role_attributes</function> convert a set of role attributes
+ represented by an <literal>bigint</literal> bitmap to a text array.
+ Example:
+<programlisting>
+SELECT rolname, pg_all_role_attributes(rolattr) AS attributes FROM pg_authid;
+ rolname | attributes
+----------+-----------------------------------------------------------------------------------------------
+ postgres | {Superuser,Inherit,"Create Role","Create DB","Catalog Update",Login,Replication,"Bypass RLS"}
+ joe | {Inherit,Login}
+(2 rows)
+</programlisting>
+ </para>
+
<para>
<xref linkend="functions-info-schema-table"> shows functions that
determine whether a certain object is <firstterm>visible</> in the