Commit c9c41c7a authored by Stephen Frost's avatar Stephen Frost

Rename Default Roles to Predefined Roles

The term 'default roles' wasn't quite apt as these roles aren't able to
be modified or removed after installation, so rename them to be
'Predefined Roles' instead, adding an entry into the newly added
Obsolete Appendix to help users of current releases find the new
documentation.

Bruce Momjian and Stephen Frost

Discussion: https://postgr.es/m/157742545062.1149.11052653770497832538%40wrigleys.postgresql.org
and https://www.postgresql.org/message-id/20201120211304.GG16415@tamriel.snowman.net
parent a68a894f
...@@ -79,10 +79,13 @@ convert_and_check_filename(text *arg) ...@@ -79,10 +79,13 @@ convert_and_check_filename(text *arg)
* files on the server as the PG user, so no need to do any further checks * files on the server as the PG user, so no need to do any further checks
* here. * here.
*/ */
if (is_member_of_role(GetUserId(), DEFAULT_ROLE_WRITE_SERVER_FILES)) if (is_member_of_role(GetUserId(), ROLE_PG_WRITE_SERVER_FILES))
return filename; return filename;
/* User isn't a member of the default role, so check if it's allowable */ /*
* User isn't a member of the pg_write_server_files role, so check if it's
* allowable
*/
if (is_absolute_path(filename)) if (is_absolute_path(filename))
{ {
/* Disallow '/a/b/data/..' */ /* Disallow '/a/b/data/..' */
......
...@@ -269,13 +269,13 @@ file_fdw_validator(PG_FUNCTION_ARGS) ...@@ -269,13 +269,13 @@ file_fdw_validator(PG_FUNCTION_ARGS)
* otherwise there'd still be a security hole. * otherwise there'd still be a security hole.
*/ */
if (strcmp(def->defname, "filename") == 0 && if (strcmp(def->defname, "filename") == 0 &&
!is_member_of_role(GetUserId(), DEFAULT_ROLE_READ_SERVER_FILES)) !is_member_of_role(GetUserId(), ROLE_PG_READ_SERVER_FILES))
ereport(ERROR, ereport(ERROR,
(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
errmsg("only superuser or a member of the pg_read_server_files role may specify the filename option of a file_fdw foreign table"))); errmsg("only superuser or a member of the pg_read_server_files role may specify the filename option of a file_fdw foreign table")));
if (strcmp(def->defname, "program") == 0 && if (strcmp(def->defname, "program") == 0 &&
!is_member_of_role(GetUserId(), DEFAULT_ROLE_EXECUTE_SERVER_PROGRAM)) !is_member_of_role(GetUserId(), ROLE_PG_EXECUTE_SERVER_PROGRAM))
ereport(ERROR, ereport(ERROR,
(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
errmsg("only superuser or a member of the pg_execute_server_program role may specify the program option of a file_fdw foreign table"))); errmsg("only superuser or a member of the pg_execute_server_program role may specify the program option of a file_fdw foreign table")));
......
...@@ -1587,7 +1587,7 @@ pg_stat_statements_internal(FunctionCallInfo fcinfo, ...@@ -1587,7 +1587,7 @@ pg_stat_statements_internal(FunctionCallInfo fcinfo,
pgssEntry *entry; pgssEntry *entry;
/* Superusers or members of pg_read_all_stats members are allowed */ /* Superusers or members of pg_read_all_stats members are allowed */
is_allowed_role = is_member_of_role(GetUserId(), DEFAULT_ROLE_READ_ALL_STATS); is_allowed_role = is_member_of_role(GetUserId(), ROLE_PG_READ_ALL_STATS);
/* hash table must exist already */ /* hash table must exist already */
if (!pgss || !pgss_hash) if (!pgss || !pgss_hash)
......
...@@ -130,7 +130,7 @@ pgrowlocks(PG_FUNCTION_ARGS) ...@@ -130,7 +130,7 @@ pgrowlocks(PG_FUNCTION_ARGS)
aclresult = pg_class_aclcheck(RelationGetRelid(rel), GetUserId(), aclresult = pg_class_aclcheck(RelationGetRelid(rel), GetUserId(),
ACL_SELECT); ACL_SELECT);
if (aclresult != ACLCHECK_OK) if (aclresult != ACLCHECK_OK)
aclresult = is_member_of_role(GetUserId(), DEFAULT_ROLE_STAT_SCAN_TABLES) ? ACLCHECK_OK : ACLCHECK_NO_PRIV; aclresult = is_member_of_role(GetUserId(), ROLE_PG_STAT_SCAN_TABLES) ? ACLCHECK_OK : ACLCHECK_NO_PRIV;
if (aclresult != ACLCHECK_OK) if (aclresult != ACLCHECK_OK)
aclcheck_error(aclresult, get_relkind_objtype(rel->rd_rel->relkind), aclcheck_error(aclresult, get_relkind_objtype(rel->rd_rel->relkind),
......
<!-- doc/src/sgml/obsolete-default-roles.sgml -->
<!--
See doc/src/sgml/obsolete.sgml for why this file exists. Do not change the id attribute.
-->
<sect1 id="default-roles" xreflabel="default-roles">
<title>Default Roles renamed to Predefined Roles</title>
<indexterm>
<primary>default-roles</primary>
</indexterm>
<para>
PostgreSQL 13 and below used the term 'Default Roles', however, as these
roles are not able to actually be changed and are installed as part of the
system at initialization time, the more appropriate term to use is "Predefined Roles".
See <xref linkend="predefined-roles"/> for current documentation regarding
Predefined Roles, and <link linkend="release-prior">the release notes for
PostgreSQL 14</link> for details on this change.
</para>
</sect1>
...@@ -34,6 +34,7 @@ ...@@ -34,6 +34,7 @@
--> -->
&obsolete-recovery-config; &obsolete-recovery-config;
&obsolete-default-roles;
&obsolete-pgxlogdump; &obsolete-pgxlogdump;
&obsolete-pgresetxlog; &obsolete-pgresetxlog;
&obsolete-pgreceivexlog; &obsolete-pgreceivexlog;
......
...@@ -187,8 +187,8 @@ ...@@ -187,8 +187,8 @@
<para> <para>
Changing table-level options requires being a superuser or having the privileges Changing table-level options requires being a superuser or having the privileges
of the default role <literal>pg_read_server_files</literal> (to use a filename) or of the role <literal>pg_read_server_files</literal> (to use a filename) or
the default role <literal>pg_execute_server_program</literal> (to use a program), the role <literal>pg_execute_server_program</literal> (to use a program),
for security reasons: only certain users should be able to control which file is for security reasons: only certain users should be able to control which file is
read or which program is run. In principle regular users could be allowed to read or which program is run. In principle regular users could be allowed to
change the other options, but that's not supported at present. change the other options, but that's not supported at present.
......
...@@ -188,6 +188,7 @@ ...@@ -188,6 +188,7 @@
<!-- Stubs for removed entries to preserve public links --> <!-- Stubs for removed entries to preserve public links -->
<!ENTITY obsolete SYSTEM "appendix-obsolete.sgml"> <!ENTITY obsolete SYSTEM "appendix-obsolete.sgml">
<!ENTITY obsolete-recovery-config SYSTEM "appendix-obsolete-recovery-config.sgml"> <!ENTITY obsolete-recovery-config SYSTEM "appendix-obsolete-recovery-config.sgml">
<!ENTITY obsolete-default-roles SYSTEM "appendix-obsolete-default-roles.sgml">
<!ENTITY obsolete-pgxlogdump SYSTEM "appendix-obsolete-pgxlogdump.sgml"> <!ENTITY obsolete-pgxlogdump SYSTEM "appendix-obsolete-pgxlogdump.sgml">
<!ENTITY obsolete-pgresetxlog SYSTEM "appendix-obsolete-pgresetxlog.sgml"> <!ENTITY obsolete-pgresetxlog SYSTEM "appendix-obsolete-pgresetxlog.sgml">
<!ENTITY obsolete-pgreceivexlog SYSTEM "appendix-obsolete-pgreceivexlog.sgml"> <!ENTITY obsolete-pgreceivexlog SYSTEM "appendix-obsolete-pgreceivexlog.sgml">
...@@ -282,7 +282,7 @@ postgres 27093 0.0 0.0 30096 2752 ? Ss 11:34 0:00 postgres: ser ...@@ -282,7 +282,7 @@ postgres 27093 0.0 0.0 30096 2752 ? Ss 11:34 0:00 postgres: ser
existence of a session and its general properties such as its sessions user existence of a session and its general properties such as its sessions user
and database are visible to all users. Superusers and members of the and database are visible to all users. Superusers and members of the
built-in role <literal>pg_read_all_stats</literal> (see also <xref built-in role <literal>pg_read_all_stats</literal> (see also <xref
linkend="default-roles"/>) can see all the information about all sessions. linkend="predefined-roles"/>) can see all the information about all sessions.
</para> </para>
<table id="monitoring-stats-dynamic-views-table"> <table id="monitoring-stats-dynamic-views-table">
......
...@@ -465,7 +465,7 @@ COPY <replaceable class="parameter">count</replaceable> ...@@ -465,7 +465,7 @@ COPY <replaceable class="parameter">count</replaceable>
by the server, not by the client application, must be executable by the by the server, not by the client application, must be executable by the
<productname>PostgreSQL</productname> user. <productname>PostgreSQL</productname> user.
<command>COPY</command> naming a file or command is only allowed to <command>COPY</command> naming a file or command is only allowed to
database superusers or users who are granted one of the default roles database superusers or users who are granted one of the roles
<literal>pg_read_server_files</literal>, <literal>pg_read_server_files</literal>,
<literal>pg_write_server_files</literal>, <literal>pg_write_server_files</literal>,
or <literal>pg_execute_server_program</literal>, since it allows reading or <literal>pg_execute_server_program</literal>, since it allows reading
......
...@@ -483,15 +483,15 @@ DROP ROLE doomed_role; ...@@ -483,15 +483,15 @@ DROP ROLE doomed_role;
</para> </para>
</sect1> </sect1>
<sect1 id="default-roles"> <sect1 id="predefined-roles">
<title>Default Roles</title> <title>Predefined Roles</title>
<indexterm zone="default-roles"> <indexterm zone="predefined-roles">
<primary>role</primary> <primary>role</primary>
</indexterm> </indexterm>
<para> <para>
<productname>PostgreSQL</productname> provides a set of default roles <productname>PostgreSQL</productname> provides a set of predefined roles
that provide access to certain, commonly needed, privileged capabilities that provide access to certain, commonly needed, privileged capabilities
and information. Administrators (including roles that have the and information. Administrators (including roles that have the
<literal>CREATEROLE</literal> privilege) can <command>GRANT</command> these <literal>CREATEROLE</literal> privilege) can <command>GRANT</command> these
...@@ -500,14 +500,14 @@ DROP ROLE doomed_role; ...@@ -500,14 +500,14 @@ DROP ROLE doomed_role;
</para> </para>
<para> <para>
The default roles are described in <xref linkend="default-roles-table"/>. The predefined roles are described in <xref linkend="predefined-roles-table"/>.
Note that the specific permissions for each of the default roles may Note that the specific permissions for each of the roles may change in
change in the future as additional capabilities are added. Administrators the future as additional capabilities are added. Administrators
should monitor the release notes for changes. should monitor the release notes for changes.
</para> </para>
<table tocentry="1" id="default-roles-table"> <table tocentry="1" id="predefined-roles-table">
<title>Default Roles</title> <title>Predefined Roles</title>
<tgroup cols="2"> <tgroup cols="2">
<colspec colname="col1" colwidth="1*"/> <colspec colname="col1" colwidth="1*"/>
<colspec colname="col2" colwidth="2*"/> <colspec colname="col2" colwidth="2*"/>
......
...@@ -80,7 +80,7 @@ DoCopy(ParseState *pstate, const CopyStmt *stmt, ...@@ -80,7 +80,7 @@ DoCopy(ParseState *pstate, const CopyStmt *stmt,
{ {
if (stmt->is_program) if (stmt->is_program)
{ {
if (!is_member_of_role(GetUserId(), DEFAULT_ROLE_EXECUTE_SERVER_PROGRAM)) if (!is_member_of_role(GetUserId(), ROLE_PG_EXECUTE_SERVER_PROGRAM))
ereport(ERROR, ereport(ERROR,
(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
errmsg("must be superuser or a member of the pg_execute_server_program role to COPY to or from an external program"), errmsg("must be superuser or a member of the pg_execute_server_program role to COPY to or from an external program"),
...@@ -89,14 +89,14 @@ DoCopy(ParseState *pstate, const CopyStmt *stmt, ...@@ -89,14 +89,14 @@ DoCopy(ParseState *pstate, const CopyStmt *stmt,
} }
else else
{ {
if (is_from && !is_member_of_role(GetUserId(), DEFAULT_ROLE_READ_SERVER_FILES)) if (is_from && !is_member_of_role(GetUserId(), ROLE_PG_READ_SERVER_FILES))
ereport(ERROR, ereport(ERROR,
(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
errmsg("must be superuser or a member of the pg_read_server_files role to COPY from a file"), errmsg("must be superuser or a member of the pg_read_server_files role to COPY from a file"),
errhint("Anyone can COPY to stdout or from stdin. " errhint("Anyone can COPY to stdout or from stdin. "
"psql's \\copy command also works for anyone."))); "psql's \\copy command also works for anyone.")));
if (!is_from && !is_member_of_role(GetUserId(), DEFAULT_ROLE_WRITE_SERVER_FILES)) if (!is_from && !is_member_of_role(GetUserId(), ROLE_PG_WRITE_SERVER_FILES))
ereport(ERROR, ereport(ERROR,
(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
errmsg("must be superuser or a member of the pg_write_server_files role to COPY to a file"), errmsg("must be superuser or a member of the pg_write_server_files role to COPY to a file"),
......
...@@ -1501,10 +1501,10 @@ AddRoleMems(const char *rolename, Oid roleid, ...@@ -1501,10 +1501,10 @@ AddRoleMems(const char *rolename, Oid roleid,
* situation-dependent member. There's no technical need for this * situation-dependent member. There's no technical need for this
* restriction. (One could lift it and take the further step of making * restriction. (One could lift it and take the further step of making
* pg_database_ownercheck() equivalent to has_privs_of_role(roleid, * pg_database_ownercheck() equivalent to has_privs_of_role(roleid,
* DEFAULT_ROLE_DATABASE_OWNER), in which case explicit, * ROLE_DATABASE_OWNER), in which case explicit,
* situation-independent members could act as the owner of any database.) * situation-independent members could act as the owner of any database.)
*/ */
if (roleid == DEFAULT_ROLE_DATABASE_OWNER) if (roleid == ROLE_DATABASE_OWNER)
ereport(ERROR, ereport(ERROR,
errmsg("role \"%s\" cannot have explicit members", rolename)); errmsg("role \"%s\" cannot have explicit members", rolename));
...@@ -1555,7 +1555,7 @@ AddRoleMems(const char *rolename, Oid roleid, ...@@ -1555,7 +1555,7 @@ AddRoleMems(const char *rolename, Oid roleid,
* shared object. (The effect of such ownership is that any owner of * shared object. (The effect of such ownership is that any owner of
* another database can act as the owner of affected shared objects.) * another database can act as the owner of affected shared objects.)
*/ */
if (memberid == DEFAULT_ROLE_DATABASE_OWNER) if (memberid == ROLE_DATABASE_OWNER)
ereport(ERROR, ereport(ERROR,
errmsg("role \"%s\" cannot be a member of any role", errmsg("role \"%s\" cannot be a member of any role",
get_rolespec_name(memberRole))); get_rolespec_name(memberRole)));
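Review bot: `ROLE_DATABASE_OWNER` is the only renamed symbol on this page that drops the `PG_` part of the role name: pg_monitor becomes `ROLE_PG_MONITOR` and pg_signal_backend becomes `ROLE_PG_SIGNAL_BACKEND`, but pg_database_owner becomes `ROLE_DATABASE_OWNER` in both AddRoleMems checks and in the comment above the first one. Following the pattern of the other roles, the checks would read `if (roleid == ROLE_PG_DATABASE_OWNER)` and `if (memberid == ROLE_PG_DATABASE_OWNER)`, with the same change to the `oid_symbol` in the pg_authid data and to the use in roles_is_member_of. These two checks are what keep pg_database_owner free of explicit memberships, so the symbol should be easy to find by searching for the role name. AddRoleMems starts and ends outside both hunks.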
......
...@@ -1361,7 +1361,7 @@ pg_stat_get_wal_receiver(PG_FUNCTION_ARGS) ...@@ -1361,7 +1361,7 @@ pg_stat_get_wal_receiver(PG_FUNCTION_ARGS)
/* Fetch values */ /* Fetch values */
values[0] = Int32GetDatum(pid); values[0] = Int32GetDatum(pid);
if (!is_member_of_role(GetUserId(), DEFAULT_ROLE_READ_ALL_STATS)) if (!is_member_of_role(GetUserId(), ROLE_PG_READ_ALL_STATS))
{ {
/* /*
* Only superusers and members of pg_read_all_stats can see details. * Only superusers and members of pg_read_all_stats can see details.
......
...@@ -3355,7 +3355,7 @@ pg_stat_get_wal_senders(PG_FUNCTION_ARGS) ...@@ -3355,7 +3355,7 @@ pg_stat_get_wal_senders(PG_FUNCTION_ARGS)
memset(nulls, 0, sizeof(nulls)); memset(nulls, 0, sizeof(nulls));
values[0] = Int32GetDatum(pid); values[0] = Int32GetDatum(pid);
if (!is_member_of_role(GetUserId(), DEFAULT_ROLE_READ_ALL_STATS)) if (!is_member_of_role(GetUserId(), ROLE_PG_READ_ALL_STATS))
{ {
/* /*
* Only superusers and members of pg_read_all_stats can see * Only superusers and members of pg_read_all_stats can see
......
...@@ -3752,7 +3752,7 @@ TerminateOtherDBBackends(Oid databaseId) ...@@ -3752,7 +3752,7 @@ TerminateOtherDBBackends(Oid databaseId)
/* Users can signal backends they have role membership in. */ /* Users can signal backends they have role membership in. */
if (!has_privs_of_role(GetUserId(), proc->roleId) && if (!has_privs_of_role(GetUserId(), proc->roleId) &&
!has_privs_of_role(GetUserId(), DEFAULT_ROLE_SIGNAL_BACKENDID)) !has_privs_of_role(GetUserId(), ROLE_PG_SIGNAL_BACKEND))
ereport(ERROR, ereport(ERROR,
(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
errmsg("must be a member of the role whose process is being terminated or member of pg_signal_backend"))); errmsg("must be a member of the role whose process is being terminated or member of pg_signal_backend")));
......
...@@ -74,7 +74,7 @@ pg_signal_backend(int pid, int sig) ...@@ -74,7 +74,7 @@ pg_signal_backend(int pid, int sig)
/* Users can signal backends they have role membership in. */ /* Users can signal backends they have role membership in. */
if (!has_privs_of_role(GetUserId(), proc->roleId) && if (!has_privs_of_role(GetUserId(), proc->roleId) &&
!has_privs_of_role(GetUserId(), DEFAULT_ROLE_SIGNAL_BACKENDID)) !has_privs_of_role(GetUserId(), ROLE_PG_SIGNAL_BACKEND))
return SIGNAL_BACKEND_NOPERMISSION; return SIGNAL_BACKEND_NOPERMISSION;
/* /*
......
...@@ -4741,7 +4741,7 @@ roles_is_member_of(Oid roleid, enum RoleRecurseType type, ...@@ -4741,7 +4741,7 @@ roles_is_member_of(Oid roleid, enum RoleRecurseType type,
/* /*
* Role expansion happens in a non-database backend when guc.c checks * Role expansion happens in a non-database backend when guc.c checks
* DEFAULT_ROLE_READ_ALL_SETTINGS for a physical walsender SHOW command. * ROLE_READ_ALL_SETTINGS for a physical walsender SHOW command.
* In that case, no role gets pg_database_owner. * In that case, no role gets pg_database_owner.
*/ */
if (!OidIsValid(MyDatabaseId)) if (!OidIsValid(MyDatabaseId))
...@@ -4808,7 +4808,7 @@ roles_is_member_of(Oid roleid, enum RoleRecurseType type, ...@@ -4808,7 +4808,7 @@ roles_is_member_of(Oid roleid, enum RoleRecurseType type,
/* implement pg_database_owner implicit membership */ /* implement pg_database_owner implicit membership */
if (memberid == dba && OidIsValid(dba)) if (memberid == dba && OidIsValid(dba))
roles_list = list_append_unique_oid(roles_list, roles_list = list_append_unique_oid(roles_list,
DEFAULT_ROLE_DATABASE_OWNER); ROLE_DATABASE_OWNER);
} }
/* /*
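Review bot: The rewritten comment in the first roles_is_member_of hunk names `ROLE_READ_ALL_SETTINGS`, but the symbol the guc.c hunks check is `ROLE_PG_READ_ALL_SETTINGS`, so the comment refers to an identifier that appears nowhere else on this page. The line should read `* ROLE_PG_READ_ALL_SETTINGS for a physical walsender SHOW command.`, so that a search for the symbol also finds this explanation of why no role gets pg_database_owner in a non-database backend. roles_is_member_of continues outside both hunks.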
......
...@@ -95,7 +95,7 @@ calculate_database_size(Oid dbOid) ...@@ -95,7 +95,7 @@ calculate_database_size(Oid dbOid)
*/ */
aclresult = pg_database_aclcheck(dbOid, GetUserId(), ACL_CONNECT); aclresult = pg_database_aclcheck(dbOid, GetUserId(), ACL_CONNECT);
if (aclresult != ACLCHECK_OK && if (aclresult != ACLCHECK_OK &&
!is_member_of_role(GetUserId(), DEFAULT_ROLE_READ_ALL_STATS)) !is_member_of_role(GetUserId(), ROLE_PG_READ_ALL_STATS))
{ {
aclcheck_error(aclresult, OBJECT_DATABASE, aclcheck_error(aclresult, OBJECT_DATABASE,
get_database_name(dbOid)); get_database_name(dbOid));
...@@ -179,7 +179,7 @@ calculate_tablespace_size(Oid tblspcOid) ...@@ -179,7 +179,7 @@ calculate_tablespace_size(Oid tblspcOid)
* is default for current database. * is default for current database.
*/ */
if (tblspcOid != MyDatabaseTableSpace && if (tblspcOid != MyDatabaseTableSpace &&
!is_member_of_role(GetUserId(), DEFAULT_ROLE_READ_ALL_STATS)) !is_member_of_role(GetUserId(), ROLE_PG_READ_ALL_STATS))
{ {
aclresult = pg_tablespace_aclcheck(tblspcOid, GetUserId(), ACL_CREATE); aclresult = pg_tablespace_aclcheck(tblspcOid, GetUserId(), ACL_CREATE);
if (aclresult != ACLCHECK_OK) if (aclresult != ACLCHECK_OK)
......
...@@ -62,10 +62,13 @@ convert_and_check_filename(text *arg) ...@@ -62,10 +62,13 @@ convert_and_check_filename(text *arg)
* files on the server as the PG user, so no need to do any further checks * files on the server as the PG user, so no need to do any further checks
* here. * here.
*/ */
if (is_member_of_role(GetUserId(), DEFAULT_ROLE_READ_SERVER_FILES)) if (is_member_of_role(GetUserId(), ROLE_PG_READ_SERVER_FILES))
return filename; return filename;
/* User isn't a member of the default role, so check if it's allowable */ /*
* User isn't a member of the pg_read_server_files role, so check if it's
* allowable
*/
if (is_absolute_path(filename)) if (is_absolute_path(filename))
{ {
/* Disallow '/a/b/data/..' */ /* Disallow '/a/b/data/..' */
......
...@@ -33,7 +33,7 @@ ...@@ -33,7 +33,7 @@
#define UINT32_ACCESS_ONCE(var) ((uint32)(*((volatile uint32 *)&(var)))) #define UINT32_ACCESS_ONCE(var) ((uint32)(*((volatile uint32 *)&(var))))
#define HAS_PGSTAT_PERMISSIONS(role) (is_member_of_role(GetUserId(), DEFAULT_ROLE_READ_ALL_STATS) || has_privs_of_role(GetUserId(), role)) #define HAS_PGSTAT_PERMISSIONS(role) (is_member_of_role(GetUserId(), ROLE_PG_READ_ALL_STATS) || has_privs_of_role(GetUserId(), role))
/* Global bgwriter statistics, from bgwriter.c */ /* Global bgwriter statistics, from bgwriter.c */
extern PgStat_MsgBgWriter bgwriterStats; extern PgStat_MsgBgWriter bgwriterStats;
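Review bot: `HAS_PGSTAT_PERMISSIONS` tests the predefined role with `is_member_of_role()` and the target role with `has_privs_of_role()` in the same expression. Most other gates touched by this commit (COPY, file_fdw, the GUC readers, the size functions) also use `is_member_of_role()`, while the pg_signal_backend checks use `has_privs_of_role()`. If, as I understand the definitions in acl.c, `is_member_of_role()` follows memberships regardless of rolinherit, then a NOINHERIT member passes these checks without a SET ROLE; please confirm this is intended for roles such as pg_read_server_files and pg_execute_server_program. If it is, a comment on the macro would record the intent, for example `/* membership alone, not inherited privileges, is sufficient for pg_read_all_stats */`.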
......
...@@ -7985,7 +7985,7 @@ GetConfigOption(const char *name, bool missing_ok, bool restrict_privileged) ...@@ -7985,7 +7985,7 @@ GetConfigOption(const char *name, bool missing_ok, bool restrict_privileged)
} }
if (restrict_privileged && if (restrict_privileged &&
(record->flags & GUC_SUPERUSER_ONLY) && (record->flags & GUC_SUPERUSER_ONLY) &&
!is_member_of_role(GetUserId(), DEFAULT_ROLE_READ_ALL_SETTINGS)) !is_member_of_role(GetUserId(), ROLE_PG_READ_ALL_SETTINGS))
ereport(ERROR, ereport(ERROR,
(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
errmsg("must be superuser or a member of pg_read_all_settings to examine \"%s\"", errmsg("must be superuser or a member of pg_read_all_settings to examine \"%s\"",
...@@ -8035,7 +8035,7 @@ GetConfigOptionResetString(const char *name) ...@@ -8035,7 +8035,7 @@ GetConfigOptionResetString(const char *name)
(errcode(ERRCODE_UNDEFINED_OBJECT), (errcode(ERRCODE_UNDEFINED_OBJECT),
errmsg("unrecognized configuration parameter \"%s\"", name))); errmsg("unrecognized configuration parameter \"%s\"", name)));
if ((record->flags & GUC_SUPERUSER_ONLY) && if ((record->flags & GUC_SUPERUSER_ONLY) &&
!is_member_of_role(GetUserId(), DEFAULT_ROLE_READ_ALL_SETTINGS)) !is_member_of_role(GetUserId(), ROLE_PG_READ_ALL_SETTINGS))
ereport(ERROR, ereport(ERROR,
(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
errmsg("must be superuser or a member of pg_read_all_settings to examine \"%s\"", errmsg("must be superuser or a member of pg_read_all_settings to examine \"%s\"",
...@@ -9294,7 +9294,7 @@ ShowAllGUCConfig(DestReceiver *dest) ...@@ -9294,7 +9294,7 @@ ShowAllGUCConfig(DestReceiver *dest)
if ((conf->flags & GUC_NO_SHOW_ALL) || if ((conf->flags & GUC_NO_SHOW_ALL) ||
((conf->flags & GUC_SUPERUSER_ONLY) && ((conf->flags & GUC_SUPERUSER_ONLY) &&
!is_member_of_role(GetUserId(), DEFAULT_ROLE_READ_ALL_SETTINGS))) !is_member_of_role(GetUserId(), ROLE_PG_READ_ALL_SETTINGS)))
continue; continue;
/* assign to the values array */ /* assign to the values array */
...@@ -9361,7 +9361,7 @@ get_explain_guc_options(int *num) ...@@ -9361,7 +9361,7 @@ get_explain_guc_options(int *num)
/* return only options visible to the current user */ /* return only options visible to the current user */
if ((conf->flags & GUC_NO_SHOW_ALL) || if ((conf->flags & GUC_NO_SHOW_ALL) ||
((conf->flags & GUC_SUPERUSER_ONLY) && ((conf->flags & GUC_SUPERUSER_ONLY) &&
!is_member_of_role(GetUserId(), DEFAULT_ROLE_READ_ALL_SETTINGS))) !is_member_of_role(GetUserId(), ROLE_PG_READ_ALL_SETTINGS)))
continue; continue;
/* return only options that are different from their boot values */ /* return only options that are different from their boot values */
...@@ -9450,7 +9450,7 @@ GetConfigOptionByName(const char *name, const char **varname, bool missing_ok) ...@@ -9450,7 +9450,7 @@ GetConfigOptionByName(const char *name, const char **varname, bool missing_ok)
} }
if ((record->flags & GUC_SUPERUSER_ONLY) && if ((record->flags & GUC_SUPERUSER_ONLY) &&
!is_member_of_role(GetUserId(), DEFAULT_ROLE_READ_ALL_SETTINGS)) !is_member_of_role(GetUserId(), ROLE_PG_READ_ALL_SETTINGS))
ereport(ERROR, ereport(ERROR,
(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
errmsg("must be superuser or a member of pg_read_all_settings to examine \"%s\"", errmsg("must be superuser or a member of pg_read_all_settings to examine \"%s\"",
...@@ -9481,7 +9481,7 @@ GetConfigOptionByNum(int varnum, const char **values, bool *noshow) ...@@ -9481,7 +9481,7 @@ GetConfigOptionByNum(int varnum, const char **values, bool *noshow)
{ {
if ((conf->flags & GUC_NO_SHOW_ALL) || if ((conf->flags & GUC_NO_SHOW_ALL) ||
((conf->flags & GUC_SUPERUSER_ONLY) && ((conf->flags & GUC_SUPERUSER_ONLY) &&
!is_member_of_role(GetUserId(), DEFAULT_ROLE_READ_ALL_SETTINGS))) !is_member_of_role(GetUserId(), ROLE_PG_READ_ALL_SETTINGS)))
*noshow = true; *noshow = true;
else else
*noshow = false; *noshow = false;
...@@ -9676,7 +9676,7 @@ GetConfigOptionByNum(int varnum, const char **values, bool *noshow) ...@@ -9676,7 +9676,7 @@ GetConfigOptionByNum(int varnum, const char **values, bool *noshow)
* insufficiently-privileged users. * insufficiently-privileged users.
*/ */
if (conf->source == PGC_S_FILE && if (conf->source == PGC_S_FILE &&
is_member_of_role(GetUserId(), DEFAULT_ROLE_READ_ALL_SETTINGS)) is_member_of_role(GetUserId(), ROLE_PG_READ_ALL_SETTINGS))
{ {
values[14] = conf->sourcefile; values[14] = conf->sourcefile;
snprintf(buffer, sizeof(buffer), "%d", conf->sourceline); snprintf(buffer, sizeof(buffer), "%d", conf->sourceline);
......
...@@ -24,47 +24,47 @@ ...@@ -24,47 +24,47 @@
rolcreaterole => 't', rolcreatedb => 't', rolcanlogin => 't', rolcreaterole => 't', rolcreatedb => 't', rolcanlogin => 't',
rolreplication => 't', rolbypassrls => 't', rolconnlimit => '-1', rolreplication => 't', rolbypassrls => 't', rolconnlimit => '-1',
rolpassword => '_null_', rolvaliduntil => '_null_' }, rolpassword => '_null_', rolvaliduntil => '_null_' },
{ oid => '8778', oid_symbol => 'DEFAULT_ROLE_DATABASE_OWNER', { oid => '8778', oid_symbol => 'ROLE_DATABASE_OWNER',
rolname => 'pg_database_owner', rolsuper => 'f', rolinherit => 't', rolname => 'pg_database_owner', rolsuper => 'f', rolinherit => 't',
rolcreaterole => 'f', rolcreatedb => 'f', rolcanlogin => 'f', rolcreaterole => 'f', rolcreatedb => 'f', rolcanlogin => 'f',
rolreplication => 'f', rolbypassrls => 'f', rolconnlimit => '-1', rolreplication => 'f', rolbypassrls => 'f', rolconnlimit => '-1',
rolpassword => '_null_', rolvaliduntil => '_null_' }, rolpassword => '_null_', rolvaliduntil => '_null_' },
{ oid => '3373', oid_symbol => 'DEFAULT_ROLE_MONITOR', { oid => '3373', oid_symbol => 'ROLE_PG_MONITOR',
rolname => 'pg_monitor', rolsuper => 'f', rolinherit => 't', rolname => 'pg_monitor', rolsuper => 'f', rolinherit => 't',
rolcreaterole => 'f', rolcreatedb => 'f', rolcanlogin => 'f', rolcreaterole => 'f', rolcreatedb => 'f', rolcanlogin => 'f',
rolreplication => 'f', rolbypassrls => 'f', rolconnlimit => '-1', rolreplication => 'f', rolbypassrls => 'f', rolconnlimit => '-1',
rolpassword => '_null_', rolvaliduntil => '_null_' }, rolpassword => '_null_', rolvaliduntil => '_null_' },
{ oid => '3374', oid_symbol => 'DEFAULT_ROLE_READ_ALL_SETTINGS', { oid => '3374', oid_symbol => 'ROLE_PG_READ_ALL_SETTINGS',
rolname => 'pg_read_all_settings', rolsuper => 'f', rolinherit => 't', rolname => 'pg_read_all_settings', rolsuper => 'f', rolinherit => 't',
rolcreaterole => 'f', rolcreatedb => 'f', rolcanlogin => 'f', rolcreaterole => 'f', rolcreatedb => 'f', rolcanlogin => 'f',
rolreplication => 'f', rolbypassrls => 'f', rolconnlimit => '-1', rolreplication => 'f', rolbypassrls => 'f', rolconnlimit => '-1',
rolpassword => '_null_', rolvaliduntil => '_null_' }, rolpassword => '_null_', rolvaliduntil => '_null_' },
{ oid => '3375', oid_symbol => 'DEFAULT_ROLE_READ_ALL_STATS', { oid => '3375', oid_symbol => 'ROLE_PG_READ_ALL_STATS',
rolname => 'pg_read_all_stats', rolsuper => 'f', rolinherit => 't', rolname => 'pg_read_all_stats', rolsuper => 'f', rolinherit => 't',
rolcreaterole => 'f', rolcreatedb => 'f', rolcanlogin => 'f', rolcreaterole => 'f', rolcreatedb => 'f', rolcanlogin => 'f',
rolreplication => 'f', rolbypassrls => 'f', rolconnlimit => '-1', rolreplication => 'f', rolbypassrls => 'f', rolconnlimit => '-1',
rolpassword => '_null_', rolvaliduntil => '_null_' }, rolpassword => '_null_', rolvaliduntil => '_null_' },
{ oid => '3377', oid_symbol => 'DEFAULT_ROLE_STAT_SCAN_TABLES', { oid => '3377', oid_symbol => 'ROLE_PG_STAT_SCAN_TABLES',
rolname => 'pg_stat_scan_tables', rolsuper => 'f', rolinherit => 't', rolname => 'pg_stat_scan_tables', rolsuper => 'f', rolinherit => 't',
rolcreaterole => 'f', rolcreatedb => 'f', rolcanlogin => 'f', rolcreaterole => 'f', rolcreatedb => 'f', rolcanlogin => 'f',
rolreplication => 'f', rolbypassrls => 'f', rolconnlimit => '-1', rolreplication => 'f', rolbypassrls => 'f', rolconnlimit => '-1',
rolpassword => '_null_', rolvaliduntil => '_null_' }, rolpassword => '_null_', rolvaliduntil => '_null_' },
{ oid => '4569', oid_symbol => 'DEFAULT_ROLE_READ_SERVER_FILES', { oid => '4569', oid_symbol => 'ROLE_PG_READ_SERVER_FILES',
rolname => 'pg_read_server_files', rolsuper => 'f', rolinherit => 't', rolname => 'pg_read_server_files', rolsuper => 'f', rolinherit => 't',
rolcreaterole => 'f', rolcreatedb => 'f', rolcanlogin => 'f', rolcreaterole => 'f', rolcreatedb => 'f', rolcanlogin => 'f',
rolreplication => 'f', rolbypassrls => 'f', rolconnlimit => '-1', rolreplication => 'f', rolbypassrls => 'f', rolconnlimit => '-1',
rolpassword => '_null_', rolvaliduntil => '_null_' }, rolpassword => '_null_', rolvaliduntil => '_null_' },
{ oid => '4570', oid_symbol => 'DEFAULT_ROLE_WRITE_SERVER_FILES', { oid => '4570', oid_symbol => 'ROLE_PG_WRITE_SERVER_FILES',
rolname => 'pg_write_server_files', rolsuper => 'f', rolinherit => 't', rolname => 'pg_write_server_files', rolsuper => 'f', rolinherit => 't',
rolcreaterole => 'f', rolcreatedb => 'f', rolcanlogin => 'f', rolcreaterole => 'f', rolcreatedb => 'f', rolcanlogin => 'f',
rolreplication => 'f', rolbypassrls => 'f', rolconnlimit => '-1', rolreplication => 'f', rolbypassrls => 'f', rolconnlimit => '-1',
rolpassword => '_null_', rolvaliduntil => '_null_' }, rolpassword => '_null_', rolvaliduntil => '_null_' },
{ oid => '4571', oid_symbol => 'DEFAULT_ROLE_EXECUTE_SERVER_PROGRAM', { oid => '4571', oid_symbol => 'ROLE_PG_EXECUTE_SERVER_PROGRAM',
rolname => 'pg_execute_server_program', rolsuper => 'f', rolinherit => 't', rolname => 'pg_execute_server_program', rolsuper => 'f', rolinherit => 't',
rolcreaterole => 'f', rolcreatedb => 'f', rolcanlogin => 'f', rolcreaterole => 'f', rolcreatedb => 'f', rolcanlogin => 'f',
rolreplication => 'f', rolbypassrls => 'f', rolconnlimit => '-1', rolreplication => 'f', rolbypassrls => 'f', rolconnlimit => '-1',
rolpassword => '_null_', rolvaliduntil => '_null_' }, rolpassword => '_null_', rolvaliduntil => '_null_' },
{ oid => '4200', oid_symbol => 'DEFAULT_ROLE_SIGNAL_BACKENDID', { oid => '4200', oid_symbol => 'ROLE_PG_SIGNAL_BACKEND',
rolname => 'pg_signal_backend', rolsuper => 'f', rolinherit => 't', rolname => 'pg_signal_backend', rolsuper => 'f', rolinherit => 't',
rolcreaterole => 'f', rolcreatedb => 'f', rolcanlogin => 'f', rolcreaterole => 'f', rolcreatedb => 'f', rolcanlogin => 'f',
rolreplication => 'f', rolbypassrls => 'f', rolconnlimit => '-1', rolreplication => 'f', rolbypassrls => 'f', rolconnlimit => '-1',
......