From 1826987a46d079458007b7b6bbcbbd852353adbb Mon Sep 17 00:00:00 2001
From: Alvaro Herrera <alvherre@alvh.no-ip.org>
Date: Tue, 23 Dec 2014 10:22:09 -0300
Subject: Use a bitmask to represent role attributes
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The previous representation using a boolean column for each attribute
would not scale as well as we want to add further attributes.

Extra auxilliary functions are added to go along with this change, to
make up for the lost convenience of access of the old representation.

Catalog version bumped due to change in catalogs and the new functions.

Author: Adam Brightwell, minor tweaks by Álvaro
Reviewed by: Stephen Frost, Andres Freund, Álvaro Herrera
---
 doc/src/sgml/catalogs.sgml | 127 ++++++++++++++++++++++++++++++---------------
 doc/src/sgml/func.sgml     | 127 +++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 213 insertions(+), 41 deletions(-)

(limited to 'doc/src')

diff --git a/doc/src/sgml/catalogs.sgml b/doc/src/sgml/catalogs.sgml
index 9ceb96b54c7..947091627fd 100644
--- a/doc/src/sgml/catalogs.sgml
+++ b/doc/src/sgml/catalogs.sgml
@@ -1391,89 +1391,134 @@
      </row>
 
      <row>
-      <entry><structfield>rolsuper</structfield></entry>
-      <entry><type>bool</type></entry>
+      <entry><structfield>rolattr</structfield></entry>
+      <entry><type>bigint</type></entry>
+      <entry>
+       Role attributes; see <xref linkend="catalog-rolattr-bitmap-table"> and
+       <xref linkend="sql-createrole"> for details
+      </entry>
+     </row>
+
+     <row>
+      <entry><structfield>rolconnlimit</structfield></entry>
+      <entry><type>int4</type></entry>
+      <entry>
+       For roles that can log in, this sets maximum number of concurrent
+       connections this role can make.  -1 means no limit.
+      </entry>
+     </row>
+
+     <row>
+      <entry><structfield>rolpassword</structfield></entry>
+      <entry><type>text</type></entry>
+      <entry>
+       Password (possibly encrypted); null if none.  If the password
+       is encrypted, this column will begin with the string <literal>md5</>
+       followed by a 32-character hexadecimal MD5 hash.  The MD5 hash
+       will be of the user's password concatenated to their user name.
+       For example, if user <literal>joe</> has password <literal>xyzzy</>,
+       <productname>PostgreSQL</> will store the md5 hash of
+       <literal>xyzzyjoe</>.  A password that does not follow that
+       format is assumed to be unencrypted.
+      </entry>
+     </row>
+
+     <row>
+      <entry><structfield>rolvaliduntil</structfield></entry>
+      <entry><type>timestamptz</type></entry>
+      <entry>Password expiry time (only used for password authentication);
+       null if no expiration</entry>
+     </row>
+    </tbody>
+   </tgroup>
+  </table>
+
+  <table id="catalog-rolattr-bitmap-table">
+   <title>Attributes in <structfield>rolattr</></title>
+
+   <tgroup cols="4">
+    <thead>
+     <row>
+      <entry>Attribute</entry>
+      <entry>CREATE ROLE Option</entry>
+      <entry>Description</entry>
+      <entry>Position</entry>
+     </row>
+    </thead>
+
+    <tbody>
+     <row>
+      <entry>Superuser</entry>
+      <entry>SUPERUSER</entry>
       <entry>Role has superuser privileges</entry>
+      <entry><literal>0</literal></entry>
      </row>
 
      <row>
-      <entry><structfield>rolinherit</structfield></entry>
-      <entry><type>bool</type></entry>
-      <entry>Role automatically inherits privileges of roles it is a
-       member of</entry>
+      <entry>Inherit</entry>
+      <entry>INHERIT</entry>
+      <entry>
+       Role automatically inherits privileges of roles it is a member of
+      </entry>
+      <entry><literal>1</literal></entry>
      </row>
 
      <row>
-      <entry><structfield>rolcreaterole</structfield></entry>
-      <entry><type>bool</type></entry>
+      <entry>Create Role</entry>
+      <entry>CREATEROLE</entry>
       <entry>Role can create more roles</entry>
+      <entry><literal>2</literal></entry>
      </row>
 
      <row>
-      <entry><structfield>rolcreatedb</structfield></entry>
-      <entry><type>bool</type></entry>
+      <entry>Create DB</entry>
+      <entry>CREATEDB</entry>
       <entry>Role can create databases</entry>
+      <entry><literal>3</literal></entry>
      </row>
 
      <row>
-      <entry><structfield>rolcatupdate</structfield></entry>
-      <entry><type>bool</type></entry>
+      <entry>Catalog Update</entry>
+      <entry>CATUPDATE</entry>
       <entry>
        Role can update system catalogs directly.  (Even a superuser cannot do
        this unless this column is true)
       </entry>
+      <entry><literal>4</literal></entry>
      </row>
 
      <row>
-      <entry><structfield>rolcanlogin</structfield></entry>
-      <entry><type>bool</type></entry>
+      <entry>Can Login</entry>
+      <entry>LOGIN</entry>
       <entry>
        Role can log in. That is, this role can be given as the initial
        session authorization identifier
       </entry>
+      <entry><literal>5</literal></entry>
      </row>
 
      <row>
-      <entry><structfield>rolreplication</structfield></entry>
-      <entry><type>bool</type></entry>
+      <entry>Replication</entry>
+      <entry>REPLICATION</entry>
       <entry>
        Role is a replication role. That is, this role can initiate streaming
        replication (see <xref linkend="streaming-replication">) and set/unset
        the system backup mode using <function>pg_start_backup</> and
        <function>pg_stop_backup</>
       </entry>
+      <entry><literal>6</literal></entry>
      </row>
 
      <row>
-      <entry><structfield>rolconnlimit</structfield></entry>
-      <entry><type>int4</type></entry>
+      <entry>Bypass Row Level Security</entry>
+      <entry>BYPASSRLS</entry>
       <entry>
-       For roles that can log in, this sets maximum number of concurrent
-       connections this role can make.  -1 means no limit.
-      </entry>
-     </row>
-
-     <row>
-      <entry><structfield>rolpassword</structfield></entry>
-      <entry><type>text</type></entry>
-      <entry>
-       Password (possibly encrypted); null if none.  If the password
-       is encrypted, this column will begin with the string <literal>md5</>
-       followed by a 32-character hexadecimal MD5 hash.  The MD5 hash
-       will be of the user's password concatenated to their user name.
-       For example, if user <literal>joe</> has password <literal>xyzzy</>,
-       <productname>PostgreSQL</> will store the md5 hash of
-       <literal>xyzzyjoe</>.  A password that does not follow that
-       format is assumed to be unencrypted.
+       Role can bypass row level security policies when <literal>row_security</>
+       is set <literal>off</>
       </entry>
+      <entry><literal>7</literal></entry>
      </row>
 
-     <row>
-      <entry><structfield>rolvaliduntil</structfield></entry>
-      <entry><type>timestamptz</type></entry>
-      <entry>Password expiry time (only used for password authentication);
-       null if no expiration</entry>
-     </row>
     </tbody>
    </tgroup>
   </table>
diff --git a/doc/src/sgml/func.sgml b/doc/src/sgml/func.sgml
index 24c64b7187f..2a37e65eb9a 100644
--- a/doc/src/sgml/func.sgml
+++ b/doc/src/sgml/func.sgml
@@ -15139,6 +15139,133 @@ SELECT has_function_privilege('joeuser', 'myfunc(int, text)', 'execute');
     are immediately available without doing <command>SET ROLE</>.
    </para>
 
+   <para>
+    <xref linkend="functions-info-role-attribute-table"> lists functions that
+    allow the user to query role attribute information programmatically.
+   </para>
+
+   <table id="functions-info-role-attribute-table">
+    <title>Role Attribute Inquiry Functions</title>
+    <tgroup cols="3">
+     <thead>
+      <row><entry>Name</entry> <entry>Return Type</entry> <entry>Description</entry></row>
+     </thead>
+     <tbody>
+      <row>
+       <entry><literal><function>pg_has_role_attribute(role, attribute)</function></literal></entry>
+       <entry><type>boolean</type></entry>
+       <entry>does role have the permissions allowed by named attribute</entry>
+      </row>
+      <row>
+       <entry><literal><function>pg_check_role_attribute(role, attribute)</function></literal></entry>
+       <entry><type>boolean</type></entry>
+       <entry>does role have the named attribute</entry>
+      </row>
+      <row>
+       <entry><literal><function>pg_check_role_attribute(role_attributes, attribute)</function></literal></entry>
+       <entry><type>boolean</type></entry>
+       <entry>is attribute set in bitmap of role attributes</entry>
+      </row>
+      <row>
+       <entry><literal><function>pg_all_role_attributes(role_attributes)</function></literal></entry>
+       <entry><type>text[]</type></entry>
+       <entry>convert bitmap of role attribute representation to text[]</entry>
+      </row>
+     </tbody>
+    </tgroup>
+   </table>
+
+   <indexterm>
+    <primary>pg_has_role_attribute</primary>
+   </indexterm>
+   <indexterm>
+    <primary>pg_check_role_attribute</primary>
+   </indexterm>
+   <indexterm>
+    <primary>pg_all_role_attributes</primary>
+   </indexterm>
+
+   <para>
+    <function>pg_has_role_attribute</function> checks the attribute permissions
+    given to a role.  It will always return <literal>true</literal> for roles
+    with superuser privileges unless the attribute being checked is
+    <literal>CATUPDATE</literal> (superuser cannot bypass
+    <literal>CATUPDATE</literal> permissions). The role can be specified by name
+    and by OID. The attribute is specified by a text string which must evaluate
+    to one of the following role attributes:
+    <literal>SUPERUSER</literal>,
+    <literal>INHERIT</literal>,
+    <literal>CREATEROLE</literal>,
+    <literal>CREATEDB</literal>,
+    <literal>CATUPDATE</literal>,
+    <literal>CANLOGIN</literal>,
+    <literal>REPLICATION</literal>, or
+    <literal>BYPASSRLS</literal>. See <xref linkend="sql-createrole"> for more
+    information. For example:
+<programlisting>
+SELECT pg_has_role_attribute('joe', 'SUPERUSER');
+ pg_has_role_attribute 
+-----------------------
+ f
+(1 row)
+
+SELECT rolname, pg_has_role_attribute(oid, 'INHERIT') AS rolinherit FROM pg_roles;
+ rolname  | rolinherit 
+----------+------------
+ postgres | t
+ joe      | t
+(2 rows)
+</programlisting>
+   </para>
+
+   <para>
+    <function>pg_check_role_attribute</function> checks the attribute value given
+    to a role.  The role can be specified by name and by OID.  The attribute is
+    specified by a text string which must evaluate to a valid role attribute (see
+    <function>pg_has_role_attribute</function>).  A third variant of this function
+    allows for a bitmap representation (<literal>bigint</literal>) of attributes
+    to be given instead of a role.
+    Example:
+<programlisting>
+SELECT pg_check_role_attribute('joe', 'SUPERUSER');
+ pg_check_role_attribute 
+-------------------------
+ f
+(1 row)
+
+SELECT rolname, pg_check_role_attribute(oid, 'INHERIT') as rolinherit FROM pg_roles;
+ rolname  | rolinherit 
+----------+------------
+ postgres | t
+ joe      | t
+(2 rows)
+ t
+(1 row)
+
+
+SELECT rolname, pg_check_role_attribute(rolattr, 'SUPERUSER') AS rolsuper FROM pg_authid;
+ rolname  | rolsuper 
+----------+----------
+ postgres | t
+ joe      | f
+(2 rows)
+</programlisting>
+   </para>
+
+   <para>
+    <function>pg_all_role_attributes</function> convert a set of role attributes
+    represented by an <literal>bigint</literal> bitmap to a text array.
+    Example:
+<programlisting>
+SELECT rolname, pg_all_role_attributes(rolattr) AS attributes FROM pg_authid;
+ rolname  |                                          attributes                                           
+----------+-----------------------------------------------------------------------------------------------
+ postgres | {Superuser,Inherit,"Create Role","Create DB","Catalog Update",Login,Replication,"Bypass RLS"}
+ joe      | {Inherit,Login}
+(2 rows)
+</programlisting>
+   </para>
+
   <para>
    <xref linkend="functions-info-schema-table"> shows functions that
    determine whether a certain object is <firstterm>visible</> in the
-- 
cgit v1.2.3