diff options
author | Robert Haas <rhaas@postgresql.org> | 2023-01-24 10:57:09 -0500 |
---|---|---|
committer | Robert Haas <rhaas@postgresql.org> | 2023-01-24 10:57:09 -0500 |
commit | f1358ca52dd7b8cedd29c6f2f8c163914f03ea2e (patch) | |
tree | 88920dc72fb3bfb5bd215cd10555149515e4ce23 /doc/src/sgml/ref/alter_role.sgml | |
parent | 6c6d6ba3ee2c160b53f727cf8e612014b316d6e4 (diff) | |
download | postgresql-f1358ca52dd7b8cedd29c6f2f8c163914f03ea2e.tar.gz |
Adjust interaction of CREATEROLE with role properties.
Previously, a CREATEROLE user without SUPERUSER could not alter
REPLICATION users in any way, and could not set the BYPASSRLS
attribute. However, they could manipulate the CREATEDB property
even if they themselves did not possess it.
With this change, a CREATEROLE user without SUPERUSER can set or
clear the REPLICATION, BYPASSRLS, or CREATEDB property on a new
role or a role that they have rights to manage if and only if
that property is set for their own role.
This implements the standard idea that you can't give permissions
you don't have (but you can give the ones you do have). We might
in the future want to provide more powerful ways to constrain
what a CREATEROLE user can do - for example, to limit whether
CONNECTION LIMIT can be set or the values to which it can be set -
but that is left as future work.
Patch by me, reviewed by Nathan Bossart, Tushar Ahuja, and Neha
Sharma.
Discussion: http://postgr.es/m/CA+TgmobX=LHg_J5aT=0pi9gJy=JdtrUVGAu0zhr-i5v5nNbJDg@mail.gmail.com
Diffstat (limited to 'doc/src/sgml/ref/alter_role.sgml')
-rw-r--r-- | doc/src/sgml/ref/alter_role.sgml | 13 |
1 files changed, 8 insertions, 5 deletions
diff --git a/doc/src/sgml/ref/alter_role.sgml b/doc/src/sgml/ref/alter_role.sgml index fbb4612e70..ff2b88e9b6 100644 --- a/doc/src/sgml/ref/alter_role.sgml +++ b/doc/src/sgml/ref/alter_role.sgml @@ -70,11 +70,14 @@ ALTER ROLE { <replaceable class="parameter">role_specification</replaceable> | A <link linkend="sql-revoke"><command>REVOKE</command></link> for that.) Attributes not mentioned in the command retain their previous settings. Database superusers can change any of these settings for any role. - Roles having <literal>CREATEROLE</literal> privilege can change any of these - settings except <literal>SUPERUSER</literal>, <literal>REPLICATION</literal>, - and <literal>BYPASSRLS</literal>; but only for non-superuser and - non-replication roles for which they have been - granted <literal>ADMIN OPTION</literal>. + Non-superuser roles having <literal>CREATEROLE</literal> privilege can + change most of these properties, but only for non-superuser and + non-replication roles for which they have been granted + <literal>ADMIN OPTION</literal>. Non-superusers cannot change the + <literal>SUPERUSER</literal> property and can change the + <literal>CREATEDB</literal>, <literal>REPLICATION</literal>, and + <literal>BYPASSRLS</literal> properties only if they possess the + corresponding property themselves. Ordinary roles can only change their own password. </para> |