Commit 58d214e5 authored by Tom Lane's avatar Tom Lane

Basic documentation for ROLEs. The user-manag chapter still needs to

be rewritten, but at least the reference pages are reasonably sane.
parent 0c2d7e39
<!-- <!--
$PostgreSQL: pgsql/doc/src/sgml/ref/allfiles.sgml,v 1.64 2005/07/25 22:12:31 tgl Exp $ $PostgreSQL: pgsql/doc/src/sgml/ref/allfiles.sgml,v 1.65 2005/07/26 23:24:02 tgl Exp $
PostgreSQL documentation PostgreSQL documentation
Complete list of usable sgml source files in this directory. Complete list of usable sgml source files in this directory.
--> -->
...@@ -16,6 +16,7 @@ Complete list of usable sgml source files in this directory. ...@@ -16,6 +16,7 @@ Complete list of usable sgml source files in this directory.
<!entity alterLanguage system "alter_language.sgml"> <!entity alterLanguage system "alter_language.sgml">
<!entity alterOperator system "alter_operator.sgml"> <!entity alterOperator system "alter_operator.sgml">
<!entity alterOperatorClass system "alter_opclass.sgml"> <!entity alterOperatorClass system "alter_opclass.sgml">
<!entity alterRole system "alter_role.sgml">
<!entity alterSchema system "alter_schema.sgml"> <!entity alterSchema system "alter_schema.sgml">
<!entity alterSequence system "alter_sequence.sgml"> <!entity alterSequence system "alter_sequence.sgml">
<!entity alterTable system "alter_table.sgml"> <!entity alterTable system "alter_table.sgml">
...@@ -44,6 +45,7 @@ Complete list of usable sgml source files in this directory. ...@@ -44,6 +45,7 @@ Complete list of usable sgml source files in this directory.
<!entity createLanguage system "create_language.sgml"> <!entity createLanguage system "create_language.sgml">
<!entity createOperator system "create_operator.sgml"> <!entity createOperator system "create_operator.sgml">
<!entity createOperatorClass system "create_opclass.sgml"> <!entity createOperatorClass system "create_opclass.sgml">
<!entity createRole system "create_role.sgml">
<!entity createRule system "create_rule.sgml"> <!entity createRule system "create_rule.sgml">
<!entity createSchema system "create_schema.sgml"> <!entity createSchema system "create_schema.sgml">
<!entity createSequence system "create_sequence.sgml"> <!entity createSequence system "create_sequence.sgml">
...@@ -68,6 +70,7 @@ Complete list of usable sgml source files in this directory. ...@@ -68,6 +70,7 @@ Complete list of usable sgml source files in this directory.
<!entity dropLanguage system "drop_language.sgml"> <!entity dropLanguage system "drop_language.sgml">
<!entity dropOperator system "drop_operator.sgml"> <!entity dropOperator system "drop_operator.sgml">
<!entity dropOperatorClass system "drop_opclass.sgml"> <!entity dropOperatorClass system "drop_opclass.sgml">
<!entity dropRole system "drop_role.sgml">
<!entity dropRule system "drop_rule.sgml"> <!entity dropRule system "drop_rule.sgml">
<!entity dropSchema system "drop_schema.sgml"> <!entity dropSchema system "drop_schema.sgml">
<!entity dropSequence system "drop_sequence.sgml"> <!entity dropSequence system "drop_sequence.sgml">
......
<!-- <!--
$PostgreSQL: pgsql/doc/src/sgml/ref/alter_group.sgml,v 1.15 2005/01/04 00:39:53 tgl Exp $ $PostgreSQL: pgsql/doc/src/sgml/ref/alter_group.sgml,v 1.16 2005/07/26 23:24:02 tgl Exp $
PostgreSQL documentation PostgreSQL documentation
--> -->
...@@ -11,7 +11,7 @@ PostgreSQL documentation ...@@ -11,7 +11,7 @@ PostgreSQL documentation
<refnamediv> <refnamediv>
<refname>ALTER GROUP</refname> <refname>ALTER GROUP</refname>
<refpurpose>change a user group</refpurpose> <refpurpose>change role name or membership</refpurpose>
</refnamediv> </refnamediv>
<indexterm zone="sql-altergroup"> <indexterm zone="sql-altergroup">
...@@ -32,16 +32,25 @@ ALTER GROUP <replaceable class="PARAMETER">groupname</replaceable> RENAME TO <re ...@@ -32,16 +32,25 @@ ALTER GROUP <replaceable class="PARAMETER">groupname</replaceable> RENAME TO <re
<para> <para>
<command>ALTER GROUP</command> changes the attributes of a user group. <command>ALTER GROUP</command> changes the attributes of a user group.
This is an obsolete command, though still accepted for backwards
compatibility, because groups (and users too) have been superseded by the
more general concept of roles.
</para> </para>
<para> <para>
The first two variants add users to a group or remove them from a group. The first two variants add users to a group or remove them from a group.
Only database superusers can use this command. (Any role can play the part of either a <quote>user</> or a
<quote>group</> for this purpose.) These variants are effectively
equivalent to granting or revoking membership in the role named as the
<quote>group</>; so the preferred way to do this is to use
<xref linkend="SQL-GRANT" endterm="SQL-GRANT-title"> or
<xref linkend="SQL-REVOKE" endterm="SQL-REVOKE-title">.
</para> </para>
<para> <para>
The third variant changes the name of the group. Only a database The third variant changes the name of the group. This is exactly
superuser can rename groups. equivalent to renaming the role with
<xref linkend="sql-alterrole" endterm="sql-alterrole-title">.
</para> </para>
</refsect1> </refsect1>
...@@ -53,7 +62,7 @@ ALTER GROUP <replaceable class="PARAMETER">groupname</replaceable> RENAME TO <re ...@@ -53,7 +62,7 @@ ALTER GROUP <replaceable class="PARAMETER">groupname</replaceable> RENAME TO <re
<term><replaceable class="PARAMETER">groupname</replaceable></term> <term><replaceable class="PARAMETER">groupname</replaceable></term>
<listitem> <listitem>
<para> <para>
The name of the group to modify. The name of the group (role) to modify.
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>
...@@ -62,9 +71,9 @@ ALTER GROUP <replaceable class="PARAMETER">groupname</replaceable> RENAME TO <re ...@@ -62,9 +71,9 @@ ALTER GROUP <replaceable class="PARAMETER">groupname</replaceable> RENAME TO <re
<term><replaceable class="PARAMETER">username</replaceable></term> <term><replaceable class="PARAMETER">username</replaceable></term>
<listitem> <listitem>
<para> <para>
Users that are to be added to or removed from the group. The users Users (roles) that are to be added to or removed from the group.
must already exist; <command>ALTER GROUP</> does not create or The users must already exist; <command>ALTER GROUP</> does not
drop users. create or drop users.
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>
...@@ -103,7 +112,7 @@ ALTER GROUP workers DROP USER beth; ...@@ -103,7 +112,7 @@ ALTER GROUP workers DROP USER beth;
<para> <para>
There is no <command>ALTER GROUP</command> statement in the SQL There is no <command>ALTER GROUP</command> statement in the SQL
standard. The concept of roles is similar. standard.
</para> </para>
</refsect1> </refsect1>
...@@ -111,8 +120,9 @@ ALTER GROUP workers DROP USER beth; ...@@ -111,8 +120,9 @@ ALTER GROUP workers DROP USER beth;
<title>See Also</title> <title>See Also</title>
<simplelist type="inline"> <simplelist type="inline">
<member><xref linkend="sql-creategroup" endterm="sql-creategroup-title"></member> <member><xref linkend="sql-grant" endterm="sql-grant-title"></member>
<member><xref linkend="sql-dropgroup" endterm="sql-dropgroup-title"></member> <member><xref linkend="sql-revoke" endterm="sql-revoke-title"></member>
<member><xref linkend="sql-alterrole" endterm="sql-alterrole-title"></member>
</simplelist> </simplelist>
</refsect1> </refsect1>
......
<!--
$PostgreSQL: pgsql/doc/src/sgml/ref/alter_role.sgml,v 1.1 2005/07/26 23:24:02 tgl Exp $
PostgreSQL documentation
-->
<refentry id="SQL-ALTERROLE">
<refmeta>
<refentrytitle id="sql-alterrole-title">ALTER ROLE</refentrytitle>
<refmiscinfo>SQL - Language Statements</refmiscinfo>
</refmeta>
<refnamediv>
<refname>ALTER ROLE</refname>
<refpurpose>change a database role</refpurpose>
</refnamediv>
<indexterm zone="sql-alterrole">
<primary>ALTER ROLE</primary>
</indexterm>
<refsynopsisdiv>
<synopsis>
ALTER ROLE <replaceable class="PARAMETER">name</replaceable> [ [ WITH ] <replaceable class="PARAMETER">option</replaceable> [ ... ] ]
where <replaceable class="PARAMETER">option</replaceable> can be:
SUPERUSER | NOSUPERUSER
| CREATEDB | NOCREATEDB
| CREATEROLE | NOCREATEROLE
| CREATEUSER | NOCREATEUSER
| INHERIT | NOINHERIT
| LOGIN | NOLOGIN
| [ ENCRYPTED | UNENCRYPTED ] PASSWORD '<replaceable class="PARAMETER">password</replaceable>'
| VALID UNTIL '<replaceable class="PARAMETER">timestamp</replaceable>'
ALTER ROLE <replaceable class="PARAMETER">name</replaceable> RENAME TO <replaceable>newname</replaceable>
ALTER ROLE <replaceable class="PARAMETER">name</replaceable> SET <replaceable>parameter</replaceable> { TO | = } { <replaceable>value</replaceable> | DEFAULT }
ALTER ROLE <replaceable class="PARAMETER">name</replaceable> RESET <replaceable>parameter</replaceable>
</synopsis>
</refsynopsisdiv>
<refsect1>
<title>Description</title>
<para>
<command>ALTER ROLE</command> changes the attributes of a
<productname>PostgreSQL</productname> role.
</para>
<para>
The first variant of this command listed in the synopsis can change
many of the role attributes that can be specified in
<xref linkend="sql-createrole" endterm="sql-createrole-title">,
which see for details. (All the possible attributes are covered,
except that there are no options for adding or removing memberships; use
<xref linkend="SQL-GRANT" endterm="SQL-GRANT-title"> and
<xref linkend="SQL-REVOKE" endterm="SQL-REVOKE-title"> for that.)
Attributes not mentioned in the command retain their previous settings.
Database superusers can change any of these settings for any role.
Roles having <literal>CREATEROLE</> privilege can change any of these
settings, but only for non-superuser roles.
Ordinary roles can only change their own password.
</para>
<para>
The second variant changes the name of the role.
Database superusers can rename any role.
Roles having <literal>CREATEROLE</> privilege can rename non-superuser
roles.
The current session user cannot be renamed.
(Connect as a different user if you need to do that.)
Because <literal>MD5</>-encrypted passwords use the role name as
cryptographic salt, renaming a role clears its password if the
password is <literal>MD5</>-encrypted.
</para>
<para>
The third and the fourth variant change a role's session default for
a specified configuration variable. Whenever the role subsequently
starts a new session, the specified value becomes the session default,
overriding whatever setting is present in <filename>postgresql.conf</>
or has been received from the <command>postmaster</command> command line.
(For a role without <literal>LOGIN</> privilege, session defaults have
no effect.)
Ordinary roles can change their own session defaults.
Superusers can change anyone's session defaults.
Roles having <literal>CREATEROLE</> privilege can change defaults for
non-superuser roles.
Certain variables cannot be set this way, or can only be
set if a superuser issues the command.
</para>
</refsect1>
<refsect1>
<title>Parameters</title>
<variablelist>
<varlistentry>
<term><replaceable class="PARAMETER">name</replaceable></term>
<listitem>
<para>
The name of the role whose attributes are to be altered.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>SUPERUSER</literal></term>
<term><literal>NOSUPERUSER</literal></term>
<term><literal>CREATEDB</></term>
<term><literal>NOCREATEDB</></term>
<term><literal>CREATEROLE</literal></term>
<term><literal>NOCREATEROLE</literal></term>
<term><literal>CREATEUSER</literal></term>
<term><literal>NOCREATEUSER</literal></term>
<term><literal>INHERIT</literal></term>
<term><literal>NOINHERIT</literal></term>
<term><literal>LOGIN</literal></term>
<term><literal>NOLOGIN</literal></term>
<term><literal>PASSWORD</> <replaceable class="parameter">password</replaceable></term>
<term><literal>ENCRYPTED</></term>
<term><literal>UNENCRYPTED</></term>
<term><literal>VALID UNTIL</literal> '<replaceable class="parameter">timestamp</replaceable>'</term>
<listitem>
<para>
These clauses alter attributes originally set by
<xref linkend="SQL-CREATEROLE" endterm="SQL-CREATEROLE-title">,
which see for more information.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><replaceable>newname</replaceable></term>
<listitem>
<para>
The new name of the role.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><replaceable>parameter</replaceable></term>
<term><replaceable>value</replaceable></term>
<listitem>
<para>
Set this role's session default for the specified configuration
parameter to the given value. If
<replaceable>value</replaceable> is <literal>DEFAULT</literal>
or, equivalently, <literal>RESET</literal> is used, the
role-specific variable setting is removed, so the role will
inherit the system-wide default setting in new sessions. Use
<literal>RESET ALL</literal> to clear all role-specific settings.
</para>
<para>
See <xref linkend="sql-set" endterm="sql-set-title"> and <xref
linkend="runtime-config"> for more information about allowed
parameter names and values.
</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>Notes</title>
<para>
Use <xref linkend="SQL-CREATEROLE" endterm="SQL-CREATEROLE-title">
to add new roles, and <xref linkend="SQL-DROPROLE"
endterm="SQL-DROPROLE-title"> to remove a role.
</para>
<para>
<command>ALTER ROLE</command> cannot change a role's memberships.
Use <xref linkend="SQL-GRANT" endterm="SQL-GRANT-title"> and
<xref linkend="SQL-REVOKE" endterm="SQL-REVOKE-title">
to do that.
</para>
<para>
It is also possible to tie a
session default to a specific database rather than to a role; see
<xref linkend="sql-alterdatabase" endterm="sql-alterdatabase-title">.
Role-specific settings override database-specific
ones if there is a conflict.
</para>
</refsect1>
<refsect1>
<title>Examples</title>
<para>
Change a role's password:
<programlisting>
ALTER ROLE davide WITH PASSWORD 'hu8jmn3';
</programlisting>
</para>
<para>
Change a password expiration date, specifying that the password
should expire at midday on 4th May 2015 using
the time zone which is one hour ahead of <acronym>UTC</>:
<programlisting>
ALTER ROLE chris VALID UNTIL 'May 4 12:00:00 2015 +1';
</programlisting>
</para>
<para>
Make a password valid forever:
<programlisting>
ALTER ROLE fred VALID UNTIL 'infinity';
</programlisting>
</para>
<para>
Give a role the ability to create other roles and new databases:
<programlisting>
ALTER ROLE miriam CREATEROLE CREATEDB;
</programlisting>
</para>
<para>
Give a role a non-default setting of the
<xref linkend="guc-maintenance-work-mem"> parameter:
<programlisting>
ALTER ROLE worker_bee SET maintenance_work_mem = 100000;
</programlisting>
</para>
</refsect1>
<refsect1>
<title>Compatibility</title>
<para>
The <command>ALTER ROLE</command> statement is a
<productname>PostgreSQL</productname> extension.
</para>
</refsect1>
<refsect1>
<title>See Also</title>
<simplelist type="inline">
<member><xref linkend="sql-createrole" endterm="sql-createrole-title"></member>
<member><xref linkend="sql-droprole" endterm="sql-droprole-title"></member>
<member><xref linkend="sql-set" endterm="sql-set-title"></member>
</simplelist>
</refsect1>
</refentry>
<!-- Keep this comment at the end of the file
Local variables:
mode: sgml
sgml-omittag:nil
sgml-shorttag:t
sgml-minimize-attributes:nil
sgml-always-quote-attributes:t
sgml-indent-step:1
sgml-indent-data:t
sgml-parent-document:nil
sgml-default-dtd-file:"../reference.ced"
sgml-exposed-tags:nil
sgml-local-catalogs:"/usr/lib/sgml/catalog"
sgml-local-ecat-files:nil
End:
-->
<!-- <!--
$PostgreSQL: pgsql/doc/src/sgml/ref/alter_user.sgml,v 1.37 2005/01/06 00:11:14 tgl Exp $ $PostgreSQL: pgsql/doc/src/sgml/ref/alter_user.sgml,v 1.38 2005/07/26 23:24:02 tgl Exp $
PostgreSQL documentation PostgreSQL documentation
--> -->
...@@ -11,7 +11,7 @@ PostgreSQL documentation ...@@ -11,7 +11,7 @@ PostgreSQL documentation
<refnamediv> <refnamediv>
<refname>ALTER USER</refname> <refname>ALTER USER</refname>
<refpurpose>change a database user account</refpurpose> <refpurpose>change a database role</refpurpose>
</refnamediv> </refnamediv>
<indexterm zone="sql-alteruser"> <indexterm zone="sql-alteruser">
...@@ -23,11 +23,15 @@ PostgreSQL documentation ...@@ -23,11 +23,15 @@ PostgreSQL documentation
ALTER USER <replaceable class="PARAMETER">name</replaceable> [ [ WITH ] <replaceable class="PARAMETER">option</replaceable> [ ... ] ] ALTER USER <replaceable class="PARAMETER">name</replaceable> [ [ WITH ] <replaceable class="PARAMETER">option</replaceable> [ ... ] ]
where <replaceable class="PARAMETER">option</replaceable> can be: where <replaceable class="PARAMETER">option</replaceable> can be:
CREATEDB | NOCREATEDB SUPERUSER | NOSUPERUSER
| CREATEUSER | NOCREATEUSER | CREATEDB | NOCREATEDB
| [ ENCRYPTED | UNENCRYPTED ] PASSWORD '<replaceable class="PARAMETER">password</replaceable>' | CREATEROLE | NOCREATEROLE
| VALID UNTIL '<replaceable class="PARAMETER">abstime</replaceable>' | CREATEUSER | NOCREATEUSER
| INHERIT | NOINHERIT
| LOGIN | NOLOGIN
| [ ENCRYPTED | UNENCRYPTED ] PASSWORD '<replaceable class="PARAMETER">password</replaceable>'
| VALID UNTIL '<replaceable class="PARAMETER">timestamp</replaceable>'
ALTER USER <replaceable class="PARAMETER">name</replaceable> RENAME TO <replaceable>newname</replaceable> ALTER USER <replaceable class="PARAMETER">name</replaceable> RENAME TO <replaceable>newname</replaceable>
...@@ -40,218 +44,9 @@ ALTER USER <replaceable class="PARAMETER">name</replaceable> RESET <replaceable> ...@@ -40,218 +44,9 @@ ALTER USER <replaceable class="PARAMETER">name</replaceable> RESET <replaceable>
<title>Description</title> <title>Description</title>
<para> <para>
<command>ALTER USER</command> changes the attributes of a <command>ALTER USER</command> is now an alias for
<productname>PostgreSQL</productname> user account. Attributes not <xref linkend="sql-alterrole" endterm="sql-alterrole-title">,
mentioned in the command retain their previous settings. which see for more information.
</para>
<para>
The first variant of this command listed in the synopsis changes certain
per-user privileges and authentication settings. (See below for
details.) Database superusers can change any of these settings for any
user. Ordinary users can only change their own password.
</para>
<para>
The second variant changes the name of the user. Only a database
superuser can rename user accounts. The current session user cannot be
renamed. (Connect as a different user if you need to do that.)
Because <literal>MD5</>-encrypted passwords use the user name as
cryptographic salt, renaming a user clears their <literal>MD5</>
password.
</para>
<para>
The third and the fourth variant change a user's session default for
a specified configuration variable. Whenever the user subsequently
starts a new session, the specified value becomes the session default,
overriding whatever setting is present in <filename>postgresql.conf</>
or has been received from the <command>postmaster</command> command line.
Ordinary users can change their own session defaults.
Superusers can change anyone's session defaults.
Certain variables cannot be set this way, or can only be
set by a superuser.
</para>
</refsect1>
<refsect1>
<title>Parameters</title>
<variablelist>
<varlistentry>
<term><replaceable class="PARAMETER">name</replaceable></term>
<listitem>
<para>
The name of the user whose attributes are to be altered.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>CREATEDB</literal></term>
<term><literal>NOCREATEDB</literal></term>
<listitem>
<para>
These clauses define a user's ability to create databases. If
<literal>CREATEDB</literal> is specified, the user
will be allowed to create his own databases. Using
<literal>NOCREATEDB</literal> will deny a user the ability to
create databases. (If the user is also a superuser, then this
setting has no real effect.)
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>CREATEUSER</literal></term>
<term><literal>NOCREATEUSER</literal></term>
<listitem>
<para>
These clauses determine whether a user will be permitted to
create new users himself. <literal>CREATEUSER</literal> will also make
the user a superuser, who can override all access restrictions.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><replaceable class="PARAMETER">password</replaceable></term>
<listitem>
<para>
The new password to be used for this account.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>ENCRYPTED</literal></term>
<term><literal>UNENCRYPTED</literal></term>
<listitem>
<para>
These key words control whether the password is stored
encrypted in <literal>pg_shadow</>. (See
<xref linkend="SQL-CREATEUSER" endterm="SQL-CREATEUSER-title">
for more information about this choice.)
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><replaceable class="PARAMETER">abstime</replaceable></term>
<listitem>
<para>
The date (and, optionally, the time)
at which this user's password is to expire. To set the password
never to expire, use <literal>'infinity'</>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><replaceable>newname</replaceable></term>
<listitem>
<para>
The new name of the user.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><replaceable>parameter</replaceable></term>
<term><replaceable>value</replaceable></term>
<listitem>
<para>
Set this user's session default for the specified configuration
parameter to the given value. If
<replaceable>value</replaceable> is <literal>DEFAULT</literal>
or, equivalently, <literal>RESET</literal> is used, the
user-specific variable setting is removed, so the user will
inherit the system-wide default setting in new sessions. Use
<literal>RESET ALL</literal> to clear all user-specific settings.
</para>
<para>
See <xref linkend="sql-set" endterm="sql-set-title"> and <xref
linkend="runtime-config"> for more information about allowed
parameter names and values.
</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>Notes</title>
<para>
Use <xref linkend="SQL-CREATEUSER" endterm="SQL-CREATEUSER-title">
to add new users, and <xref linkend="SQL-DROPUSER"
endterm="SQL-DROPUSER-title"> to remove a user.
</para>
<para>
<command>ALTER USER</command> cannot change a user's group memberships.
Use <xref linkend="SQL-ALTERGROUP" endterm="SQL-ALTERGROUP-title">
to do that.
</para>
<para>
The <literal>VALID UNTIL</> clause defines an expiration time for a
password only, not for the user account <foreignphrase>per se</>. In
particular, the expiration time is not enforced when logging in using
a non-password-based authentication method.
</para>
<para>
It is also possible to tie a
session default to a specific database rather than to a user; see
<xref linkend="sql-alterdatabase" endterm="sql-alterdatabase-title">.
User-specific settings override database-specific
ones if there is a conflict.
</para>
</refsect1>
<refsect1>
<title>Examples</title>
<para>
Change a user's password:
<programlisting>
ALTER USER davide WITH PASSWORD 'hu8jmn3';
</programlisting>
</para>
<para>
Change the expiration date of the user's password:
<programlisting>
ALTER USER manuel VALID UNTIL 'Jan 31 2030';
</programlisting>
</para>
<para>
Change a password expiration date, specifying that the password
should expire at midday on 4th May 2005 using
the time zone which is one hour ahead of <acronym>UTC</>:
<programlisting>
ALTER USER chris VALID UNTIL 'May 4 12:00:00 2005 +1';
</programlisting>
</para>
<para>
Make a password valid forever:
<programlisting>
ALTER USER fred VALID UNTIL 'infinity';
</programlisting>
</para>
<para>
Give a user the ability to create other users and new databases:
<programlisting>
ALTER USER miriam CREATEUSER CREATEDB;
</programlisting>
</para> </para>
</refsect1> </refsect1>
...@@ -269,9 +64,7 @@ ALTER USER miriam CREATEUSER CREATEDB; ...@@ -269,9 +64,7 @@ ALTER USER miriam CREATEUSER CREATEDB;
<title>See Also</title> <title>See Also</title>
<simplelist type="inline"> <simplelist type="inline">
<member><xref linkend="sql-createuser" endterm="sql-createuser-title"></member> <member><xref linkend="sql-alterrole" endterm="sql-alterrole-title"></member>
<member><xref linkend="sql-dropuser" endterm="sql-dropuser-title"></member>
<member><xref linkend="sql-set" endterm="sql-set-title"></member>
</simplelist> </simplelist>
</refsect1> </refsect1>
</refentry> </refentry>
......
<!-- <!--
$PostgreSQL: pgsql/doc/src/sgml/ref/create_group.sgml,v 1.15 2005/01/04 00:39:53 tgl Exp $ $PostgreSQL: pgsql/doc/src/sgml/ref/create_group.sgml,v 1.16 2005/07/26 23:24:02 tgl Exp $
PostgreSQL documentation PostgreSQL documentation
--> -->
...@@ -11,7 +11,7 @@ PostgreSQL documentation ...@@ -11,7 +11,7 @@ PostgreSQL documentation
<refnamediv> <refnamediv>
<refname>CREATE GROUP</refname> <refname>CREATE GROUP</refname>
<refpurpose>define a new user group</refpurpose> <refpurpose>define a new database role</refpurpose>
</refnamediv> </refnamediv>
<indexterm zone="sql-creategroup"> <indexterm zone="sql-creategroup">
...@@ -23,9 +23,21 @@ PostgreSQL documentation ...@@ -23,9 +23,21 @@ PostgreSQL documentation
CREATE GROUP <replaceable class="PARAMETER">name</replaceable> [ [ WITH ] <replaceable class="PARAMETER">option</replaceable> [ ... ] ] CREATE GROUP <replaceable class="PARAMETER">name</replaceable> [ [ WITH ] <replaceable class="PARAMETER">option</replaceable> [ ... ] ]
where <replaceable class="PARAMETER">option</replaceable> can be: where <replaceable class="PARAMETER">option</replaceable> can be:
SYSID <replaceable class="PARAMETER">gid</replaceable> SUPERUSER | NOSUPERUSER
| USER <replaceable class="PARAMETER">username</replaceable> [, ...] | CREATEDB | NOCREATEDB
| CREATEROLE | NOCREATEROLE
| CREATEUSER | NOCREATEUSER
| INHERIT | NOINHERIT
| LOGIN | NOLOGIN
| [ ENCRYPTED | UNENCRYPTED ] PASSWORD '<replaceable class="PARAMETER">password</replaceable>'
| VALID UNTIL '<replaceable class="PARAMETER">timestamp</replaceable>'
| IN ROLE <replaceable class="PARAMETER">rolename</replaceable> [, ...]
| IN GROUP <replaceable class="PARAMETER">rolename</replaceable> [, ...]
| ROLE <replaceable class="PARAMETER">rolename</replaceable> [, ...]
| ADMIN <replaceable class="PARAMETER">rolename</replaceable> [, ...]
| USER <replaceable class="PARAMETER">rolename</replaceable> [, ...]
| SYSID <replaceable class="PARAMETER">uid</replaceable>
</synopsis> </synopsis>
</refsynopsisdiv> </refsynopsisdiv>
...@@ -33,89 +45,18 @@ where <replaceable class="PARAMETER">option</replaceable> can be: ...@@ -33,89 +45,18 @@ where <replaceable class="PARAMETER">option</replaceable> can be:
<title>Description</title> <title>Description</title>
<para> <para>
<command>CREATE GROUP</command> will create a new group of users. <command>CREATE GROUP</command> is now an alias for
You must be a database superuser to use this command. <xref linkend="sql-createrole" endterm="sql-createrole-title">,
</para> which see for more information.
<para>
Note that both users and groups are defined at the database cluster
level, and so are valid in all databases in the cluster.
</para> </para>
<para>
Use <xref linkend="SQL-ALTERGROUP" endterm="SQL-ALTERGROUP-title">
to change a group's membership, and <xref linkend="SQL-DROPGROUP"
endterm="SQL-DROPGROUP-title"> to remove a group.
</para>
</refsect1> </refsect1>
<refsect1>
<title>Parameters</title>
<variablelist>
<varlistentry>
<term><replaceable class="parameter">name</replaceable></term>
<listitem>
<para>
The name of the group.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><replaceable class="parameter">gid</replaceable></term>
<listitem>
<para>
The <literal>SYSID</literal> clause can be used to choose
the <productname>PostgreSQL</productname> group ID of the new
group.
This is normally not necessary, but may
be useful if you need to recreate a group referenced in the
permissions of some object.
</para>
<para>
If this is not specified, the highest assigned group ID plus one
(with a minimum of 100) will be used as default.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><replaceable class="parameter">username</replaceable></term>
<listitem>
<para>
A list of users to include in the group. The users must already exist.
</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>Examples</title>
<para>
Create an empty group:
<programlisting>
CREATE GROUP staff;
</programlisting>
</para>
<para>
Create a group with members:
<programlisting>
CREATE GROUP marketing WITH USER jonathan, david;
</programlisting>
</para>
</refsect1>
<refsect1> <refsect1>
<title>Compatibility</title> <title>Compatibility</title>
<para> <para>
There is no <command>CREATE GROUP</command> statement in the SQL There is no <command>CREATE GROUP</command> statement in the SQL
standard. Roles are similar in concept to groups. standard.
</para> </para>
</refsect1> </refsect1>
...@@ -123,8 +64,7 @@ CREATE GROUP marketing WITH USER jonathan, david; ...@@ -123,8 +64,7 @@ CREATE GROUP marketing WITH USER jonathan, david;
<title>See Also</title> <title>See Also</title>
<simplelist type="inline"> <simplelist type="inline">
<member><xref linkend="sql-altergroup" endterm="sql-altergroup-title"></member> <member><xref linkend="sql-createrole" endterm="sql-createrole-title"></member>
<member><xref linkend="sql-dropgroup" endterm="sql-dropgroup-title"></member>
</simplelist> </simplelist>
</refsect1> </refsect1>
</refentry> </refentry>
......
This diff is collapsed.
<!-- <!--
$PostgreSQL: pgsql/doc/src/sgml/ref/create_user.sgml,v 1.36 2005/01/06 00:11:14 tgl Exp $ $PostgreSQL: pgsql/doc/src/sgml/ref/create_user.sgml,v 1.37 2005/07/26 23:24:02 tgl Exp $
PostgreSQL documentation PostgreSQL documentation
--> -->
...@@ -11,7 +11,7 @@ PostgreSQL documentation ...@@ -11,7 +11,7 @@ PostgreSQL documentation
<refnamediv> <refnamediv>
<refname>CREATE USER</refname> <refname>CREATE USER</refname>
<refpurpose>define a new database user account</refpurpose> <refpurpose>define a new database role</refpurpose>
</refnamediv> </refnamediv>
<indexterm zone="sql-createuser"> <indexterm zone="sql-createuser">
...@@ -24,12 +24,20 @@ CREATE USER <replaceable class="PARAMETER">name</replaceable> [ [ WITH ] <replac ...@@ -24,12 +24,20 @@ CREATE USER <replaceable class="PARAMETER">name</replaceable> [ [ WITH ] <replac
where <replaceable class="PARAMETER">option</replaceable> can be: where <replaceable class="PARAMETER">option</replaceable> can be:
SYSID <replaceable class="PARAMETER">uid</replaceable> SUPERUSER | NOSUPERUSER
| CREATEDB | NOCREATEDB | CREATEDB | NOCREATEDB
| CREATEROLE | NOCREATEROLE
| CREATEUSER | NOCREATEUSER | CREATEUSER | NOCREATEUSER
| IN GROUP <replaceable class="PARAMETER">groupname</replaceable> [, ...] | INHERIT | NOINHERIT
| LOGIN | NOLOGIN
| [ ENCRYPTED | UNENCRYPTED ] PASSWORD '<replaceable class="PARAMETER">password</replaceable>' | [ ENCRYPTED | UNENCRYPTED ] PASSWORD '<replaceable class="PARAMETER">password</replaceable>'
| VALID UNTIL '<replaceable class="PARAMETER">abstime</replaceable>' | VALID UNTIL '<replaceable class="PARAMETER">timestamp</replaceable>'
| IN ROLE <replaceable class="PARAMETER">rolename</replaceable> [, ...]
| IN GROUP <replaceable class="PARAMETER">rolename</replaceable> [, ...]
| ROLE <replaceable class="PARAMETER">rolename</replaceable> [, ...]
| ADMIN <replaceable class="PARAMETER">rolename</replaceable> [, ...]
| USER <replaceable class="PARAMETER">rolename</replaceable> [, ...]
| SYSID <replaceable class="PARAMETER">uid</replaceable>
</synopsis> </synopsis>
</refsynopsisdiv> </refsynopsisdiv>
...@@ -37,194 +45,14 @@ where <replaceable class="PARAMETER">option</replaceable> can be: ...@@ -37,194 +45,14 @@ where <replaceable class="PARAMETER">option</replaceable> can be:
<title>Description</title> <title>Description</title>
<para> <para>
<command>CREATE USER</command> adds a new user to a <command>CREATE USER</command> is now an alias for
<productname>PostgreSQL</productname> database cluster. Refer to <xref linkend="sql-createrole" endterm="sql-createrole-title">,
<xref linkend="user-manag"> and <xref which see for more information.
linkend="client-authentication"> for information about managing The only difference is that when the command is spelled
users and authentication. You must be a database superuser to use <command>CREATE USER</command>, <literal>LOGIN</> is assumed
this command. by default, whereas <literal>NOLOGIN</> is assumed when
</para> the command is spelled
</refsect1> <command>CREATE ROLE</command>.
<refsect1>
<title>Parameters</title>
<variablelist>
<varlistentry>
<term><replaceable class="parameter">name</replaceable></term>
<listitem>
<para>
The name of the new user.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><replaceable class="parameter">uid</replaceable></term>
<listitem>
<para>
The <literal>SYSID</literal> clause can be used to choose the
<productname>PostgreSQL</productname> user ID of the new user.
This is normally not necessary, but may
be useful if you need to recreate the owner of an orphaned
object.
</para>
<para>
If this is not specified, the highest assigned user ID plus one
(with a minimum of 100) will be used as default.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>CREATEDB</></term>
<term><literal>NOCREATEDB</></term>
<listitem>
<para>
These clauses define a user's ability to create databases. If
<literal>CREATEDB</literal> is specified, the user being
defined will be allowed to create his own databases. Using
<literal>NOCREATEDB</literal> will deny a user the ability to
create databases. If not specified,
<literal>NOCREATEDB</literal> is the default.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>CREATEUSER</literal></term>
<term><literal>NOCREATEUSER</literal></term>
<listitem>
<para>
These clauses determine whether a user will be permitted to
create new users himself. <literal>CREATEUSER</literal> will also make
the user a superuser, who can override all access restrictions.
If not specified,
<literal>NOCREATEUSER</literal> is the default.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><replaceable class="parameter">groupname</replaceable></term>
<listitem>
<para>
A name of an existing group into which to insert the user as a new
member. Multiple group names may be listed.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><replaceable class="parameter">password</replaceable></term>
<listitem>
<para>
Sets the user's password. If you do not plan to use password
authentication you can omit this option, but then the user
won't be able to connect if you decide to switch to password
authentication. The password can be set or changed later,
using <xref linkend="SQL-ALTERUSER"
endterm="SQL-ALTERUSER-title">.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>ENCRYPTED</></term>
<term><literal>UNENCRYPTED</></term>
<listitem>
<para>
These key words control whether the password is stored
encrypted in the system catalogs. (If neither is specified,
the default behavior is determined by the configuration
parameter <xref linkend="guc-password-encryption">.) If the
presented password string is already in MD5-encrypted format,
then it is stored encrypted as-is, regardless of whether
<literal>ENCRYPTED</> or <literal>UNENCRYPTED</> is specified
(since the system cannot decrypt the specified encrypted
password string). This allows reloading of encrypted
passwords during dump/restore.
</para>
<para>
Note that older clients may lack support for the MD5
authentication mechanism that is needed to work with passwords
that are stored encrypted.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><replaceable class="parameter">abstime</replaceable></term>
<listitem>
<para>
The <literal>VALID UNTIL</literal> clause sets an absolute
time after which the user's password is no longer valid. If
this clause is omitted the password will be valid for all time.
</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>Notes</title>
<para>
Use <xref linkend="SQL-ALTERUSER" endterm="SQL-ALTERUSER-title"> to
change the attributes of a user, and <xref linkend="SQL-DROPUSER"
endterm="SQL-DROPUSER-title"> to remove a user. Use <xref
linkend="SQL-ALTERGROUP" endterm="SQL-ALTERGROUP-title"> to add the
user to groups or remove the user from groups.
</para>
<para>
<productname>PostgreSQL</productname> includes a program <xref
linkend="APP-CREATEUSER" endterm="APP-CREATEUSER-title"> that has
the same functionality as <command>CREATE USER</command> (in fact, it calls this
command) but can be run from the command shell.
</para>
<para>
The <literal>VALID UNTIL</> clause defines an expiration time for a
password only, not for the user account <foreignphrase>per se</>. In
particular, the expiration time is not enforced when logging in using
a non-password-based authentication method.
</para>
</refsect1>
<refsect1>
<title>Examples</title>
<para>
Create a user with no password:
<programlisting>
CREATE USER jonathan;
</programlisting>
</para>
<para>
Create a user with a password:
<programlisting>
CREATE USER davide WITH PASSWORD 'jw8s0F4';
</programlisting>
</para>
<para>
Create a user with a password that is valid until the end of 2004.
After one second has ticked in 2005, the password is no longer
valid.
<programlisting>
CREATE USER miriam WITH PASSWORD 'jw8s0F4' VALID UNTIL '2005-01-01';
</programlisting>
</para>
<para>
Create an account where the user can create databases:
<programlisting>
CREATE USER manuel WITH PASSWORD 'jw8s0F4' CREATEDB;
</programlisting>
</para> </para>
</refsect1> </refsect1>
...@@ -242,9 +70,7 @@ CREATE USER manuel WITH PASSWORD 'jw8s0F4' CREATEDB; ...@@ -242,9 +70,7 @@ CREATE USER manuel WITH PASSWORD 'jw8s0F4' CREATEDB;
<title>See Also</title> <title>See Also</title>
<simplelist type="inline"> <simplelist type="inline">
<member><xref linkend="sql-alteruser" endterm="sql-alteruser-title"></member> <member><xref linkend="sql-createrole" endterm="sql-createrole-title"></member>
<member><xref linkend="sql-dropuser" endterm="sql-dropuser-title"></member>
<member><xref linkend="app-createuser"></member>
</simplelist> </simplelist>
</refsect1> </refsect1>
</refentry> </refentry>
......
<!-- <!--
$PostgreSQL: pgsql/doc/src/sgml/ref/drop_group.sgml,v 1.10 2005/01/09 05:57:45 tgl Exp $ $PostgreSQL: pgsql/doc/src/sgml/ref/drop_group.sgml,v 1.11 2005/07/26 23:24:02 tgl Exp $
PostgreSQL documentation PostgreSQL documentation
--> -->
...@@ -11,7 +11,7 @@ PostgreSQL documentation ...@@ -11,7 +11,7 @@ PostgreSQL documentation
<refnamediv> <refnamediv>
<refname>DROP GROUP</refname> <refname>DROP GROUP</refname>
<refpurpose>remove a user group</refpurpose> <refpurpose>remove a database role</refpurpose>
</refnamediv> </refnamediv>
<indexterm zone="sql-dropgroup"> <indexterm zone="sql-dropgroup">
...@@ -20,7 +20,7 @@ PostgreSQL documentation ...@@ -20,7 +20,7 @@ PostgreSQL documentation
<refsynopsisdiv> <refsynopsisdiv>
<synopsis> <synopsis>
DROP GROUP <replaceable class="PARAMETER">name</replaceable> DROP GROUP <replaceable class="PARAMETER">name</replaceable> [, ...]
</synopsis> </synopsis>
</refsynopsisdiv> </refsynopsisdiv>
...@@ -28,48 +28,12 @@ DROP GROUP <replaceable class="PARAMETER">name</replaceable> ...@@ -28,48 +28,12 @@ DROP GROUP <replaceable class="PARAMETER">name</replaceable>
<title>Description</title> <title>Description</title>
<para> <para>
<command>DROP GROUP</command> removes the specified group. The <command>DROP GROUP</command> is now an alias for
users in the group are not removed. <xref linkend="sql-droprole" endterm="sql-droprole-title">,
which see for more information.
</para> </para>
</refsect1> </refsect1>
<refsect1>
<title>Parameters</title>
<variablelist>
<varlistentry>
<term><replaceable class="PARAMETER">name</replaceable></term>
<listitem>
<para>
The name of an existing group.
</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>Notes</title>
<para>
It is unwise to drop a group that has any
granted permissions on objects. Currently, this is not enforced,
but it is likely that future versions of
<productname>PostgreSQL</productname> will check for the error.
</para>
</refsect1>
<refsect1>
<title>Examples</title>
<para>
To drop a group:
<programlisting>
DROP GROUP staff;
</programlisting>
</para>
</refsect1>
<refsect1> <refsect1>
<title>Compatibility</title> <title>Compatibility</title>
...@@ -82,8 +46,7 @@ DROP GROUP staff; ...@@ -82,8 +46,7 @@ DROP GROUP staff;
<title>See Also</title> <title>See Also</title>
<simplelist type="inline"> <simplelist type="inline">
<member><xref linkend="sql-altergroup" endterm="sql-altergroup-title"></member> <member><xref linkend="sql-droprole" endterm="sql-droprole-title"></member>
<member><xref linkend="sql-creategroup" endterm="sql-creategroup-title"></member>
</simplelist> </simplelist>
</refsect1> </refsect1>
......
<!--
$PostgreSQL: pgsql/doc/src/sgml/ref/drop_role.sgml,v 1.1 2005/07/26 23:24:02 tgl Exp $
PostgreSQL documentation
-->
<refentry id="SQL-DROPROLE">
<refmeta>
<refentrytitle id="SQL-DROPROLE-TITLE">DROP ROLE</refentrytitle>
<refmiscinfo>SQL - Language Statements</refmiscinfo>
</refmeta>
<refnamediv>
<refname>DROP ROLE</refname>
<refpurpose>remove a database role</refpurpose>
</refnamediv>
<indexterm zone="sql-droprole">
<primary>DROP ROLE</primary>
</indexterm>
<refsynopsisdiv>
<synopsis>
DROP ROLE <replaceable class="PARAMETER">name</replaceable> [, ...]
</synopsis>
</refsynopsisdiv>
<refsect1>
<title>Description</title>
<para>
<command>DROP ROLE</command> removes the specified role(s).
To drop a superuser role, you must be a superuser yourself;
to drop non-superuser roles, you must have <literal>CREATEROLE</>
privilege.
</para>
<para>
A role cannot be removed if it is still referenced in any database
of the cluster; an error will be raised if so. Before dropping the role,
you must drop all the objects it owns (or reassign their ownership)
and revoke any privileges the role has been granted.
</para>
<para>
However, it is not necessary to remove role memberships involving
the role; <command>DROP ROLE</> automatically revokes any memberships
of the target role in other roles, and of other roles in the target role.
The other roles are not dropped nor otherwise affected.
</para>
</refsect1>
<refsect1>
<title>Parameters</title>
<variablelist>
<varlistentry>
<term><replaceable class="PARAMETER">name</replaceable></term>
<listitem>
<para>
The name of the role to remove.
</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>Notes</title>
<para>
<productname>PostgreSQL</productname> includes a program <xref
linkend="APP-DROPUSER" endterm="APP-DROPUSER-title"> that has the
same functionality as this command (in fact, it calls this command)
but can be run from the command shell.
</para>
</refsect1>
<refsect1>
<title>Examples</title>
<para>
To drop a role:
<programlisting>
DROP ROLE jonathan;
</programlisting>
</para>
</refsect1>
<refsect1>
<title>Compatibility</title>
<para>
The SQL standard defines <command>DROP ROLE</command>, but it allows
only one role to be dropped at a time, and it specifies different
privilege requirements than <productname>PostgreSQL</productname> uses.
</para>
</refsect1>
<refsect1>
<title>See Also</title>
<simplelist type="inline">
<member><xref linkend="sql-createrole" endterm="sql-createrole-title"></member>
<member><xref linkend="sql-alterrole" endterm="sql-alterrole-title"></member>
<member><xref linkend="sql-set-role" endterm="sql-set-role-title"></member>
</simplelist>
</refsect1>
</refentry>
<!-- Keep this comment at the end of the file
Local variables:
mode: sgml
sgml-omittag:nil
sgml-shorttag:t
sgml-minimize-attributes:nil
sgml-always-quote-attributes:t
sgml-indent-step:1
sgml-indent-data:t
sgml-parent-document:nil
sgml-default-dtd-file:"../reference.ced"
sgml-exposed-tags:nil
sgml-local-catalogs:"/usr/lib/sgml/catalog"
sgml-local-ecat-files:nil
End:
-->
<!-- <!--
$PostgreSQL: pgsql/doc/src/sgml/ref/drop_user.sgml,v 1.20 2005/01/04 00:39:53 tgl Exp $ $PostgreSQL: pgsql/doc/src/sgml/ref/drop_user.sgml,v 1.21 2005/07/26 23:24:02 tgl Exp $
PostgreSQL documentation PostgreSQL documentation
--> -->
...@@ -11,7 +11,7 @@ PostgreSQL documentation ...@@ -11,7 +11,7 @@ PostgreSQL documentation
<refnamediv> <refnamediv>
<refname>DROP USER</refname> <refname>DROP USER</refname>
<refpurpose>remove a database user account</refpurpose> <refpurpose>remove a database role</refpurpose>
</refnamediv> </refnamediv>
<indexterm zone="sql-dropuser"> <indexterm zone="sql-dropuser">
...@@ -20,7 +20,7 @@ PostgreSQL documentation ...@@ -20,7 +20,7 @@ PostgreSQL documentation
<refsynopsisdiv> <refsynopsisdiv>
<synopsis> <synopsis>
DROP USER <replaceable class="PARAMETER">name</replaceable> DROP USER <replaceable class="PARAMETER">name</replaceable> [, ...]
</synopsis> </synopsis>
</refsynopsisdiv> </refsynopsisdiv>
...@@ -28,64 +28,15 @@ DROP USER <replaceable class="PARAMETER">name</replaceable> ...@@ -28,64 +28,15 @@ DROP USER <replaceable class="PARAMETER">name</replaceable>
<title>Description</title> <title>Description</title>
<para> <para>
<command>DROP USER</command> removes the specified user. <command>DROP USER</command> is now an alias for
It does not remove tables, views, or other objects owned by the user. If the <xref linkend="sql-droprole" endterm="sql-droprole-title">,
user owns any database, an error is raised. which see for more information.
</para> </para>
</refsect1> </refsect1>
<refsect1>
<title>Parameters</title>
<variablelist>
<varlistentry>
<term><replaceable class="PARAMETER">name</replaceable></term>
<listitem>
<para>
The name of the user to remove.
</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>Notes</title>
<para>
<productname>PostgreSQL</productname> includes a program <xref
linkend="APP-DROPUSER" endterm="APP-DROPUSER-title"> that has the
same functionality as this command (in fact, it calls this command)
but can be run from the command shell.
</para>
<para>
To drop a user who owns a database, first drop the database or change
its ownership.
</para>
<para>
It is unwise to drop a user who either owns any database objects or has any
granted permissions on objects. Currently, this is only enforced for
the case of owners of databases, but it is likely that future versions of
<productname>PostgreSQL</productname> will check other cases.
</para>
</refsect1>
<refsect1>
<title>Examples</title>
<para>
To drop a user account:
<programlisting>
DROP USER jonathan;
</programlisting>
</para>
</refsect1>
<refsect1> <refsect1>
<title>Compatibility</title> <title>Compatibility</title>
<para> <para>
The <command>DROP USER</command> statement is a The <command>DROP USER</command> statement is a
<productname>PostgreSQL</productname> extension. The SQL standard <productname>PostgreSQL</productname> extension. The SQL standard
...@@ -97,8 +48,7 @@ DROP USER jonathan; ...@@ -97,8 +48,7 @@ DROP USER jonathan;
<title>See Also</title> <title>See Also</title>
<simplelist type="inline"> <simplelist type="inline">
<member><xref linkend="sql-alteruser" endterm="sql-alteruser-title"></member> <member><xref linkend="sql-droprole" endterm="sql-droprole-title"></member>
<member><xref linkend="sql-createuser" endterm="sql-createuser-title"></member>
</simplelist> </simplelist>
</refsect1> </refsect1>
......
<!-- <!--
$PostgreSQL: pgsql/doc/src/sgml/ref/grant.sgml,v 1.47 2005/05/26 20:05:03 tgl Exp $ $PostgreSQL: pgsql/doc/src/sgml/ref/grant.sgml,v 1.48 2005/07/26 23:24:02 tgl Exp $
PostgreSQL documentation PostgreSQL documentation
--> -->
...@@ -44,6 +44,9 @@ GRANT { { CREATE | USAGE } [,...] | ALL [ PRIVILEGES ] } ...@@ -44,6 +44,9 @@ GRANT { { CREATE | USAGE } [,...] | ALL [ PRIVILEGES ] }
GRANT { CREATE | ALL [ PRIVILEGES ] } GRANT { CREATE | ALL [ PRIVILEGES ] }
ON TABLESPACE <replaceable>tablespacename</> [, ...] ON TABLESPACE <replaceable>tablespacename</> [, ...]
TO { <replaceable class="PARAMETER">username</replaceable> | GROUP <replaceable class="PARAMETER">groupname</replaceable> | PUBLIC } [, ...] [ WITH GRANT OPTION ] TO { <replaceable class="PARAMETER">username</replaceable> | GROUP <replaceable class="PARAMETER">groupname</replaceable> | PUBLIC } [, ...] [ WITH GRANT OPTION ]
GRANT <replaceable class="PARAMETER">role</replaceable> [, ...]
TO { <replaceable class="PARAMETER">username</replaceable> | GROUP <replaceable class="PARAMETER">groupname</replaceable> | PUBLIC } [, ...] [ WITH ADMIN OPTION ]
</synopsis> </synopsis>
</refsynopsisdiv> </refsynopsisdiv>
...@@ -51,20 +54,39 @@ GRANT { CREATE | ALL [ PRIVILEGES ] } ...@@ -51,20 +54,39 @@ GRANT { CREATE | ALL [ PRIVILEGES ] }
<title>Description</title> <title>Description</title>
<para> <para>
The <command>GRANT</command> command gives specific privileges on The <command>GRANT</command> command has two basic variants: one
an object (table, view, sequence, database, function, that grants privileges on a database object (table, view, sequence,
procedural language, schema, or tablespace) to database, function, procedural language, schema, or tablespace),
one or more users or groups of users. These privileges are added and one that grants membership in a role. These variants are
similar in many ways, but they are different enough to be described
separately.
</para>
<para>
As of <productname>PostgreSQL</productname> 8.1, the concepts of users and
groups have been unified into a single kind of entity called a role.
It is therefore no longer necessary to use the keyword <literal>GROUP</>
to identify whether a grantee is a user or a group. <literal>GROUP</>
is still allowed in the command, but it is a noise word.
</para>
<refsect2 id="sql-grant-description-objects">
<title>GRANT on Database Objects</title>
<para>
This variant of the <command>GRANT</command> command gives specific
privileges on a database object to
one or more roles. These privileges are added
to those already granted, if any. to those already granted, if any.
</para> </para>
<para> <para>
The key word <literal>PUBLIC</literal> indicates that the The key word <literal>PUBLIC</literal> indicates that the
privileges are to be granted to all users, including those that may privileges are to be granted to all roles, including those that may
be created later. <literal>PUBLIC</literal> may be thought of as an be created later. <literal>PUBLIC</literal> may be thought of as an
implicitly defined group that always includes all users. implicitly defined group that always includes all roles.
Any particular user will have the sum Any particular role will have the sum
of privileges granted directly to him, privileges granted to any group he of privileges granted directly to it, privileges granted to any role it
is presently a member of, and privileges granted to is presently a member of, and privileges granted to
<literal>PUBLIC</literal>. <literal>PUBLIC</literal>.
</para> </para>
...@@ -72,9 +94,8 @@ GRANT { CREATE | ALL [ PRIVILEGES ] } ...@@ -72,9 +94,8 @@ GRANT { CREATE | ALL [ PRIVILEGES ] }
<para> <para>
If <literal>WITH GRANT OPTION</literal> is specified, the recipient If <literal>WITH GRANT OPTION</literal> is specified, the recipient
of the privilege may in turn grant it to others. Without a grant of the privilege may in turn grant it to others. Without a grant
option, the recipient cannot do that. At present, grant options can option, the recipient cannot do that. Grant options cannot be granted
only be granted to individual users, not to groups or to <literal>PUBLIC</literal>.
<literal>PUBLIC</literal>.
</para> </para>
<para> <para>
...@@ -258,6 +279,24 @@ GRANT { CREATE | ALL [ PRIVILEGES ] } ...@@ -258,6 +279,24 @@ GRANT { CREATE | ALL [ PRIVILEGES ] }
The privileges required by other commands are listed on the The privileges required by other commands are listed on the
reference page of the respective command. reference page of the respective command.
</para> </para>
</refsect2>
<refsect2 id="sql-grant-description-roles">
<title>GRANT on Roles</title>
<para>
This variant of the <command>GRANT</command> command grants membership
in a role to one or more other roles. Membership in a role is significant
because it conveys the privileges granted to a role to each of its
members.
</para>
<para>
If <literal>WITH ADMIN OPTION</literal> is specified, the member may
in turn grant membership in the role to others. Without the admin
option, the recipient cannot do that.
</para>
</refsect2>
</refsect1> </refsect1>
...@@ -296,6 +335,8 @@ GRANT { CREATE | ALL [ PRIVILEGES ] } ...@@ -296,6 +335,8 @@ GRANT { CREATE | ALL [ PRIVILEGES ] }
command, the command is performed as though it were issued by the command, the command is performed as though it were issued by the
owner of the affected object. In particular, privileges granted via owner of the affected object. In particular, privileges granted via
such a command will appear to have been granted by the object owner. such a command will appear to have been granted by the object owner.
(For role membership, the membership appears to have been granted
by the containing role itself.)
</para> </para>
<para> <para>
...@@ -392,6 +433,14 @@ GRANT ALL PRIVILEGES ON kinds TO manuel; ...@@ -392,6 +433,14 @@ GRANT ALL PRIVILEGES ON kinds TO manuel;
else it will only grant those permissions for which the someone else has else it will only grant those permissions for which the someone else has
grant options. grant options.
</para> </para>
<para>
Grant membership in role <literal>admins</> to user <literal>joe</>:
<programlisting>
GRANT admins TO joe;
</programlisting>
</para>
</refsect1> </refsect1>
<refsect1 id="sql-grant-compatibility"> <refsect1 id="sql-grant-compatibility">
......
<!-- <!--
$PostgreSQL: pgsql/doc/src/sgml/ref/revoke.sgml,v 1.33 2005/05/26 20:05:03 tgl Exp $ $PostgreSQL: pgsql/doc/src/sgml/ref/revoke.sgml,v 1.34 2005/07/26 23:24:02 tgl Exp $
PostgreSQL documentation PostgreSQL documentation
--> -->
...@@ -56,6 +56,11 @@ REVOKE [ GRANT OPTION FOR ] ...@@ -56,6 +56,11 @@ REVOKE [ GRANT OPTION FOR ]
ON TABLESPACE <replaceable>tablespacename</replaceable> [, ...] ON TABLESPACE <replaceable>tablespacename</replaceable> [, ...]
FROM { <replaceable class="PARAMETER">username</replaceable> | GROUP <replaceable class="PARAMETER">groupname</replaceable> | PUBLIC } [, ...] FROM { <replaceable class="PARAMETER">username</replaceable> | GROUP <replaceable class="PARAMETER">groupname</replaceable> | PUBLIC } [, ...]
[ CASCADE | RESTRICT ] [ CASCADE | RESTRICT ]
REVOKE [ ADMIN OPTION FOR ]
<replaceable class="PARAMETER">role</replaceable> [, ...]
FROM { <replaceable class="PARAMETER">username</replaceable> | GROUP <replaceable class="PARAMETER">groupname</replaceable> | PUBLIC } [, ...]
[ CASCADE | RESTRICT ]
</synopsis> </synopsis>
</refsynopsisdiv> </refsynopsisdiv>
...@@ -64,9 +69,9 @@ REVOKE [ GRANT OPTION FOR ] ...@@ -64,9 +69,9 @@ REVOKE [ GRANT OPTION FOR ]
<para> <para>
The <command>REVOKE</command> command revokes previously granted The <command>REVOKE</command> command revokes previously granted
privileges from one or more users or groups of users. The key word privileges from one or more roles. The key word
<literal>PUBLIC</literal> refers to the implicitly defined group of <literal>PUBLIC</literal> refers to the implicitly defined group of
all users. all roles.
</para> </para>
<para> <para>
...@@ -75,13 +80,13 @@ REVOKE [ GRANT OPTION FOR ] ...@@ -75,13 +80,13 @@ REVOKE [ GRANT OPTION FOR ]
</para> </para>
<para> <para>
Note that any particular user will have the sum Note that any particular role will have the sum
of privileges granted directly to him, privileges granted to any group he of privileges granted directly to it, privileges granted to any role it
is presently a member of, and privileges granted to is presently a member of, and privileges granted to
<literal>PUBLIC</literal>. Thus, for example, revoking <literal>SELECT</> privilege <literal>PUBLIC</literal>. Thus, for example, revoking <literal>SELECT</> privilege
from <literal>PUBLIC</literal> does not necessarily mean that all users from <literal>PUBLIC</literal> does not necessarily mean that all roles
have lost <literal>SELECT</> privilege on the object: those who have it granted have lost <literal>SELECT</> privilege on the object: those who have it granted
directly or via a group will still have it. directly or via another role will still have it.
</para> </para>
<para> <para>
...@@ -103,6 +108,11 @@ REVOKE [ GRANT OPTION FOR ] ...@@ -103,6 +108,11 @@ REVOKE [ GRANT OPTION FOR ]
Thus, the affected users may effectively keep the privilege if it Thus, the affected users may effectively keep the privilege if it
was also granted through other users. was also granted through other users.
</para> </para>
<para>
When revoking membership in a role, <literal>GRANT OPTION</> is instead
called <literal>ADMIN OPTION</>, but the behavior is similar.
</para>
</refsect1> </refsect1>
<refsect1 id="SQL-REVOKE-notes"> <refsect1 id="SQL-REVOKE-notes">
...@@ -173,6 +183,14 @@ REVOKE ALL PRIVILEGES ON kinds FROM manuel; ...@@ -173,6 +183,14 @@ REVOKE ALL PRIVILEGES ON kinds FROM manuel;
Note that this actually means <quote>revoke all privileges that I Note that this actually means <quote>revoke all privileges that I
granted</>. granted</>.
</para> </para>
<para>
Revoke membership in role <literal>admins</> from user <literal>joe</>:
<programlisting>
REVOKE admins FROM joe;
</programlisting>
</para>
</refsect1> </refsect1>
<refsect1 id="SQL-REVOKE-compatibility"> <refsect1 id="SQL-REVOKE-compatibility">
......
<!-- $PostgreSQL: pgsql/doc/src/sgml/ref/set_role.sgml,v 1.1 2005/07/25 22:12:31 tgl Exp $ --> <!--
$PostgreSQL: pgsql/doc/src/sgml/ref/set_role.sgml,v 1.2 2005/07/26 23:24:02 tgl Exp $
PostgreSQL documentation
-->
<refentry id="SQL-SET-ROLE"> <refentry id="SQL-SET-ROLE">
<refmeta> <refmeta>
<refentrytitle id="sql-set-role-title">SET ROLE</refentrytitle> <refentrytitle id="sql-set-role-title">SET ROLE</refentrytitle>
...@@ -29,9 +33,10 @@ RESET ROLE ...@@ -29,9 +33,10 @@ RESET ROLE
This command sets the current user This command sets the current user
identifier of the current SQL-session context to be <replaceable identifier of the current SQL-session context to be <replaceable
class="parameter">rolename</replaceable>. The role name may be class="parameter">rolename</replaceable>. The role name may be
written as either an identifier or a string literal. Using this written as either an identifier or a string literal.
command, it is possible to either add privileges or restrict one's After <command>SET ROLE</>, permissions checking for SQL commands
privileges. is carried out as though the named role were the one that had logged
in originally.
</para> </para>
<para> <para>
...@@ -53,6 +58,39 @@ RESET ROLE ...@@ -53,6 +58,39 @@ RESET ROLE
</para> </para>
</refsect1> </refsect1>
<refsect1>
<title>Notes</title>
<para>
Using this command, it is possible to either add privileges or restrict
one's privileges. If the session user role has the <literal>INHERITS</>
attribute, then it automatically has all the privileges of every role that
it could <command>SET ROLE</> to; in this case <command>SET ROLE</>
effectively drops all the privileges assigned directly to the session user
and to the other roles it is a member of, leaving only the privileges
available to the named role. On the other hand, if the session user role
has the <literal>NOINHERITS</> attribute, <command>SET ROLE</> drops the
privileges assigned directly to the session user and instead acquires the
privileges available to the named role.
</para>
<para>
In particular, when a superuser chooses to <command>SET ROLE</> to a
non-superuser role, she loses her superuser privileges.
</para>
<para>
<command>SET ROLE</> has effects comparable to
<xref linkend="sql-set-session-authorization"
endterm="sql-set-session-authorization-title">, but the privilege
checks involved are quite different. Also,
<command>SET SESSION AUTHORIZATION</> determines which roles are
allowable for later <command>SET ROLE</> commands, whereas changing
roles with <command>SET ROLE</> does not change the set of roles
allowed to a later <command>SET ROLE</>.
</para>
</refsect1>
<refsect1> <refsect1>
<title>Examples</title> <title>Examples</title>
......
<!-- $PostgreSQL: pgsql/doc/src/sgml/ref/set_session_auth.sgml,v 1.13 2005/07/25 22:12:31 tgl Exp $ --> <!-- $PostgreSQL: pgsql/doc/src/sgml/ref/set_session_auth.sgml,v 1.14 2005/07/26 23:24:02 tgl Exp $ -->
<refentry id="SQL-SET-SESSION-AUTHORIZATION"> <refentry id="SQL-SET-SESSION-AUTHORIZATION">
<refmeta> <refmeta>
<refentrytitle id="sql-set-session-authorization-title">SET SESSION AUTHORIZATION</refentrytitle> <refentrytitle id="sql-set-session-authorization-title">SET SESSION AUTHORIZATION</refentrytitle>
...@@ -89,8 +89,8 @@ SELECT SESSION_USER, CURRENT_USER; ...@@ -89,8 +89,8 @@ SELECT SESSION_USER, CURRENT_USER;
<para> <para>
The SQL standard allows some other expressions to appear in place The SQL standard allows some other expressions to appear in place
of the literal <replaceable>username</replaceable> which are not of the literal <replaceable>username</replaceable>, but these options
important in practice. <productname>PostgreSQL</productname> are not important in practice. <productname>PostgreSQL</productname>
allows identifier syntax (<literal>"username"</literal>), which SQL allows identifier syntax (<literal>"username"</literal>), which SQL
does not. SQL does not allow this command during a transaction; does not. SQL does not allow this command during a transaction;
<productname>PostgreSQL</productname> does not make this <productname>PostgreSQL</productname> does not make this
......
<!-- reference.sgml <!-- reference.sgml
$PostgreSQL: pgsql/doc/src/sgml/reference.sgml,v 1.54 2005/07/25 22:12:30 tgl Exp $ $PostgreSQL: pgsql/doc/src/sgml/reference.sgml,v 1.55 2005/07/26 23:24:01 tgl Exp $
PostgreSQL Reference Manual PostgreSQL Reference Manual
--> -->
...@@ -48,6 +48,7 @@ PostgreSQL Reference Manual ...@@ -48,6 +48,7 @@ PostgreSQL Reference Manual
&alterLanguage; &alterLanguage;
&alterOperator; &alterOperator;
&alterOperatorClass; &alterOperatorClass;
&alterRole;
&alterSchema; &alterSchema;
&alterSequence; &alterSequence;
&alterTable; &alterTable;
...@@ -76,6 +77,7 @@ PostgreSQL Reference Manual ...@@ -76,6 +77,7 @@ PostgreSQL Reference Manual
&createLanguage; &createLanguage;
&createOperator; &createOperator;
&createOperatorClass; &createOperatorClass;
&createRole;
&createRule; &createRule;
&createSchema; &createSchema;
&createSequence; &createSequence;
...@@ -100,6 +102,7 @@ PostgreSQL Reference Manual ...@@ -100,6 +102,7 @@ PostgreSQL Reference Manual
&dropLanguage; &dropLanguage;
&dropOperator; &dropOperator;
&dropOperatorClass; &dropOperatorClass;
&dropRole;
&dropRule; &dropRule;
&dropSchema; &dropSchema;
&dropSequence; &dropSequence;
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment