Allow CREATE/ALTER ROLE PASSWORD NULL to allow restoring the default state

of having no password.

Allow CREATE/ALTER ROLE PASSWORD NULL to allow restoring the default state
of having no password.
98b3c3c4 · Peter Eisentraut · dcc7da8d · 98b3c3c4 · 98b3c3c4 · 98b3c3c4
Commit 98b3c3c4 authored Dec 23, 2005 by Peter Eisentraut
Showing with 24 additions and 10 deletions

doc/src/sgml/ref/create_role.sgml doc/src/sgml/ref/create_role.sgml +8 -5

src/backend/commands/user.c src/backend/commands/user.c +11 -4

src/backend/parser/gram.y src/backend/parser/gram.y +5 -1

No files found.
--- a/doc/src/sgml/ref/create_role.sgml
+++ b/doc/src/sgml/ref/create_role.sgml
 <!--
-$PostgreSQL: pgsql/doc/src/sgml/ref/create_role.sgml,v 1.5 2005/12/18 02:17:16 petere Exp $
+$PostgreSQL: pgsql/doc/src/sgml/ref/create_role.sgml,v 1.6 2005/12/23 16:46:39 petere Exp $
 PostgreSQL documentation
 -->
@@ -188,10 +188,13 @@ where <replaceable class="PARAMETER">option</replaceable> can be:
      <listitem>
       <para>
        Sets the role's password.  (A password is only of use for
-        roles having the <literal>LOGIN</literal> attribute, but you can
+        roles having the <literal>LOGIN</literal> attribute, but you
-        nonetheless define one for roles without it.)
+        can nonetheless define one for roles without it.)  If you do
-        If you do not plan to use password
+        not plan to use password authentication you can omit this
-        authentication you can omit this option.
+        option.  If no password is specified, the password will be set
+        to null and password authentication will always fail for that
+        user.  A null password can optionally be written explicitly as
+        <literal>PASSWORD NULL</literal>.
       </para>
      </listitem>
     </varlistentry>

--- a/src/backend/commands/user.c
+++ b/src/backend/commands/user.c
@@ -6,7 +6,7 @@
 * Portions Copyright (c) 1996-2005, PostgreSQL Global Development Group
 * Portions Copyright (c) 1994, Regents of the University of California
 *
- * $PostgreSQL: pgsql/src/backend/commands/user.c,v 1.166 2005/11/22 18:17:09 momjian Exp $
+ * $PostgreSQL: pgsql/src/backend/commands/user.c,v 1.167 2005/12/23 16:46:39 petere Exp $
 *
 *-------------------------------------------------------------------------
 */
@@ -225,7 +225,7 @@ CreateRole(CreateRoleStmt *stmt)
 				 defel->defname);
 	}
-	if (dpassword)
+	if (dpassword && dpassword->arg)
 		password = strVal(dpassword->arg);
 	if (dissuper)
 		issuper = intVal(dissuper->arg) != 0;
@@ -517,7 +517,7 @@ AlterRole(AlterRoleStmt *stmt)
 				 defel->defname);
 	}
-	if (dpassword)
+	if (dpassword && dpassword->arg)
 		password = strVal(dpassword->arg);
 	if (dissuper)
 		issuper = intVal(dissuper->arg);
@@ -573,7 +573,7 @@ AlterRole(AlterRoleStmt *stmt)
 			  !dconnlimit &&
 			  !rolemembers &&
 			  !validUntil &&
-			  password &&
+			  dpassword &&
 			  roleid == GetUserId()))
 			ereport(ERROR,
 					(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
@@ -651,6 +651,13 @@ AlterRole(AlterRoleStmt *stmt)
 		new_record_repl[Anum_pg_authid_rolpassword - 1] = 'r';
 	}
+	/* unset password */
+	if (dpassword && dpassword->arg == NULL)
+	{
+		new_record_repl[Anum_pg_authid_rolpassword - 1] = 'r';
+		new_record_nulls[Anum_pg_authid_rolpassword - 1] = 'n';
+	}
 	/* valid until */
 	if (validUntil)
 	{

--- a/src/backend/parser/gram.y
+++ b/src/backend/parser/gram.y
@@ -11,7 +11,7 @@
 *
 *
 * IDENTIFICATION
- *	  $PostgreSQL: pgsql/src/backend/parser/gram.y,v 2.517 2005/12/11 10:54:27 neilc Exp $
+ *	  $PostgreSQL: pgsql/src/backend/parser/gram.y,v 2.518 2005/12/23 16:46:39 petere Exp $
 *
 * HISTORY
 *	  AUTHOR			DATE			MAJOR EVENT
@@ -616,6 +616,10 @@ OptRoleElem:
 					$$ = makeDefElem("password",
 									 (Node *)makeString($2));
 				}
+			| PASSWORD NULL_P
+				{
+					$$ = makeDefElem("password", NULL);
+				}
 			| ENCRYPTED PASSWORD Sconst
 				{
 					$$ = makeDefElem("encryptedPassword",