diff options
Diffstat (limited to 'doc/src')
| -rw-r--r-- | doc/src/sgml/catalogs.sgml | 127 | ||||
| -rw-r--r-- | doc/src/sgml/func.sgml | 127 |
2 files changed, 41 insertions, 213 deletions
diff --git a/doc/src/sgml/catalogs.sgml b/doc/src/sgml/catalogs.sgml index 947091627fd..9ceb96b54c7 100644 --- a/doc/src/sgml/catalogs.sgml +++ b/doc/src/sgml/catalogs.sgml @@ -1391,134 +1391,89 @@ </row> <row> - <entry><structfield>rolattr</structfield></entry> - <entry><type>bigint</type></entry> - <entry> - Role attributes; see <xref linkend="catalog-rolattr-bitmap-table"> and - <xref linkend="sql-createrole"> for details - </entry> - </row> - - <row> - <entry><structfield>rolconnlimit</structfield></entry> - <entry><type>int4</type></entry> - <entry> - For roles that can log in, this sets maximum number of concurrent - connections this role can make. -1 means no limit. - </entry> - </row> - - <row> - <entry><structfield>rolpassword</structfield></entry> - <entry><type>text</type></entry> - <entry> - Password (possibly encrypted); null if none. If the password - is encrypted, this column will begin with the string <literal>md5</> - followed by a 32-character hexadecimal MD5 hash. The MD5 hash - will be of the user's password concatenated to their user name. - For example, if user <literal>joe</> has password <literal>xyzzy</>, - <productname>PostgreSQL</> will store the md5 hash of - <literal>xyzzyjoe</>. A password that does not follow that - format is assumed to be unencrypted. - </entry> - </row> - - <row> - <entry><structfield>rolvaliduntil</structfield></entry> - <entry><type>timestamptz</type></entry> - <entry>Password expiry time (only used for password authentication); - null if no expiration</entry> - </row> - </tbody> - </tgroup> - </table> - - <table id="catalog-rolattr-bitmap-table"> - <title>Attributes in <structfield>rolattr</></title> - - <tgroup cols="4"> - <thead> - <row> - <entry>Attribute</entry> - <entry>CREATE ROLE Option</entry> - <entry>Description</entry> - <entry>Position</entry> - </row> - </thead> - - <tbody> - <row> - <entry>Superuser</entry> - <entry>SUPERUSER</entry> + <entry><structfield>rolsuper</structfield></entry> + <entry><type>bool</type></entry> <entry>Role has superuser privileges</entry> - <entry><literal>0</literal></entry> </row> <row> - <entry>Inherit</entry> - <entry>INHERIT</entry> - <entry> - Role automatically inherits privileges of roles it is a member of - </entry> - <entry><literal>1</literal></entry> + <entry><structfield>rolinherit</structfield></entry> + <entry><type>bool</type></entry> + <entry>Role automatically inherits privileges of roles it is a + member of</entry> </row> <row> - <entry>Create Role</entry> - <entry>CREATEROLE</entry> + <entry><structfield>rolcreaterole</structfield></entry> + <entry><type>bool</type></entry> <entry>Role can create more roles</entry> - <entry><literal>2</literal></entry> </row> <row> - <entry>Create DB</entry> - <entry>CREATEDB</entry> + <entry><structfield>rolcreatedb</structfield></entry> + <entry><type>bool</type></entry> <entry>Role can create databases</entry> - <entry><literal>3</literal></entry> </row> <row> - <entry>Catalog Update</entry> - <entry>CATUPDATE</entry> + <entry><structfield>rolcatupdate</structfield></entry> + <entry><type>bool</type></entry> <entry> Role can update system catalogs directly. (Even a superuser cannot do this unless this column is true) </entry> - <entry><literal>4</literal></entry> </row> <row> - <entry>Can Login</entry> - <entry>LOGIN</entry> + <entry><structfield>rolcanlogin</structfield></entry> + <entry><type>bool</type></entry> <entry> Role can log in. That is, this role can be given as the initial session authorization identifier </entry> - <entry><literal>5</literal></entry> </row> <row> - <entry>Replication</entry> - <entry>REPLICATION</entry> + <entry><structfield>rolreplication</structfield></entry> + <entry><type>bool</type></entry> <entry> Role is a replication role. That is, this role can initiate streaming replication (see <xref linkend="streaming-replication">) and set/unset the system backup mode using <function>pg_start_backup</> and <function>pg_stop_backup</> </entry> - <entry><literal>6</literal></entry> </row> <row> - <entry>Bypass Row Level Security</entry> - <entry>BYPASSRLS</entry> + <entry><structfield>rolconnlimit</structfield></entry> + <entry><type>int4</type></entry> <entry> - Role can bypass row level security policies when <literal>row_security</> - is set <literal>off</> + For roles that can log in, this sets maximum number of concurrent + connections this role can make. -1 means no limit. + </entry> + </row> + + <row> + <entry><structfield>rolpassword</structfield></entry> + <entry><type>text</type></entry> + <entry> + Password (possibly encrypted); null if none. If the password + is encrypted, this column will begin with the string <literal>md5</> + followed by a 32-character hexadecimal MD5 hash. The MD5 hash + will be of the user's password concatenated to their user name. + For example, if user <literal>joe</> has password <literal>xyzzy</>, + <productname>PostgreSQL</> will store the md5 hash of + <literal>xyzzyjoe</>. A password that does not follow that + format is assumed to be unencrypted. </entry> - <entry><literal>7</literal></entry> </row> + <row> + <entry><structfield>rolvaliduntil</structfield></entry> + <entry><type>timestamptz</type></entry> + <entry>Password expiry time (only used for password authentication); + null if no expiration</entry> + </row> </tbody> </tgroup> </table> diff --git a/doc/src/sgml/func.sgml b/doc/src/sgml/func.sgml index 2a37e65eb9a..24c64b7187f 100644 --- a/doc/src/sgml/func.sgml +++ b/doc/src/sgml/func.sgml @@ -15139,133 +15139,6 @@ SELECT has_function_privilege('joeuser', 'myfunc(int, text)', 'execute'); are immediately available without doing <command>SET ROLE</>. </para> - <para> - <xref linkend="functions-info-role-attribute-table"> lists functions that - allow the user to query role attribute information programmatically. - </para> - - <table id="functions-info-role-attribute-table"> - <title>Role Attribute Inquiry Functions</title> - <tgroup cols="3"> - <thead> - <row><entry>Name</entry> <entry>Return Type</entry> <entry>Description</entry></row> - </thead> - <tbody> - <row> - <entry><literal><function>pg_has_role_attribute(role, attribute)</function></literal></entry> - <entry><type>boolean</type></entry> - <entry>does role have the permissions allowed by named attribute</entry> - </row> - <row> - <entry><literal><function>pg_check_role_attribute(role, attribute)</function></literal></entry> - <entry><type>boolean</type></entry> - <entry>does role have the named attribute</entry> - </row> - <row> - <entry><literal><function>pg_check_role_attribute(role_attributes, attribute)</function></literal></entry> - <entry><type>boolean</type></entry> - <entry>is attribute set in bitmap of role attributes</entry> - </row> - <row> - <entry><literal><function>pg_all_role_attributes(role_attributes)</function></literal></entry> - <entry><type>text[]</type></entry> - <entry>convert bitmap of role attribute representation to text[]</entry> - </row> - </tbody> - </tgroup> - </table> - - <indexterm> - <primary>pg_has_role_attribute</primary> - </indexterm> - <indexterm> - <primary>pg_check_role_attribute</primary> - </indexterm> - <indexterm> - <primary>pg_all_role_attributes</primary> - </indexterm> - - <para> - <function>pg_has_role_attribute</function> checks the attribute permissions - given to a role. It will always return <literal>true</literal> for roles - with superuser privileges unless the attribute being checked is - <literal>CATUPDATE</literal> (superuser cannot bypass - <literal>CATUPDATE</literal> permissions). The role can be specified by name - and by OID. The attribute is specified by a text string which must evaluate - to one of the following role attributes: - <literal>SUPERUSER</literal>, - <literal>INHERIT</literal>, - <literal>CREATEROLE</literal>, - <literal>CREATEDB</literal>, - <literal>CATUPDATE</literal>, - <literal>CANLOGIN</literal>, - <literal>REPLICATION</literal>, or - <literal>BYPASSRLS</literal>. See <xref linkend="sql-createrole"> for more - information. For example: -<programlisting> -SELECT pg_has_role_attribute('joe', 'SUPERUSER'); - pg_has_role_attribute ------------------------ - f -(1 row) - -SELECT rolname, pg_has_role_attribute(oid, 'INHERIT') AS rolinherit FROM pg_roles; - rolname | rolinherit -----------+------------ - postgres | t - joe | t -(2 rows) -</programlisting> - </para> - - <para> - <function>pg_check_role_attribute</function> checks the attribute value given - to a role. The role can be specified by name and by OID. The attribute is - specified by a text string which must evaluate to a valid role attribute (see - <function>pg_has_role_attribute</function>). A third variant of this function - allows for a bitmap representation (<literal>bigint</literal>) of attributes - to be given instead of a role. - Example: -<programlisting> -SELECT pg_check_role_attribute('joe', 'SUPERUSER'); - pg_check_role_attribute -------------------------- - f -(1 row) - -SELECT rolname, pg_check_role_attribute(oid, 'INHERIT') as rolinherit FROM pg_roles; - rolname | rolinherit -----------+------------ - postgres | t - joe | t -(2 rows) - t -(1 row) - - -SELECT rolname, pg_check_role_attribute(rolattr, 'SUPERUSER') AS rolsuper FROM pg_authid; - rolname | rolsuper -----------+---------- - postgres | t - joe | f -(2 rows) -</programlisting> - </para> - - <para> - <function>pg_all_role_attributes</function> convert a set of role attributes - represented by an <literal>bigint</literal> bitmap to a text array. - Example: -<programlisting> -SELECT rolname, pg_all_role_attributes(rolattr) AS attributes FROM pg_authid; - rolname | attributes -----------+----------------------------------------------------------------------------------------------- - postgres | {Superuser,Inherit,"Create Role","Create DB","Catalog Update",Login,Replication,"Bypass RLS"} - joe | {Inherit,Login} -(2 rows) -</programlisting> - </para> - <para> <xref linkend="functions-info-schema-table"> shows functions that determine whether a certain object is <firstterm>visible</> in the |