From: Shinya Kato <[email protected]>
To: Laurenz Albe <[email protected]>
Cc: [email protected]
Subject: Re: Question about role attributes docs
Date: Thu, 13 Jan 2022 16:07:38 +0900
Message-ID: <[email protected]> (raw)
In-Reply-To: <[email protected]>
References: <[email protected]>
<[email protected]>
On 2022-01-12 02:07, Laurenz Albe wrote:
> On Tue, 2022-01-11 at 16:40 +0900, Shinya Kato wrote:
>> I have a question about the documentation on ROLE.
>>
>> According to [1], INHERIT and BYPASSRLS can be specified when executing
>> the CREATE ROLE command. However, there is no such description in Role
>> Attributes in [2]. Are these concepts different from Role Attributes? Or
>> are they just not documented? If they need to be documented, I'll create
>> a patch.
>>
>> [1] https://www.postgresql.org/docs/devel/sql-createrole.html
>> [2] https://www.postgresql.org/docs/devel/role-attributes.html
>
> I think that is indeed an omission, and adding documentation would be a
> good idea.

Thanks! I created the patch, and attached it.

> On the other hand, a lot of that information is more or less
> a duplicate of the CREATE ROLE documentation. I wonder if the latter
> page could be removed altogether.

I think there is certainly a lot of overlap. However, I think that the
SQL commands page and the database roles page should exist separately,
and should be maintained as they are because there are parts that do not
overlap (for example, IN ROLE and ADMIN).

--
Regards,
--
Shinya Kato
Advanced Computing Technology Center
Research and Development Headquarters
NTT DATA CORPORATION
Attachments:
[text/x-diff] add-role-attributes-to-docs.patch (2.1K, 2-add-role-attributes-to-docs.patch)
diff --git a/doc/src/sgml/user-manag.sgml b/doc/src/sgml/user-manag.sgml
index 9067be1d9c..cf6adb3436 100644
--- a/doc/src/sgml/user-manag.sgml
+++ b/doc/src/sgml/user-manag.sgml
@@ -236,6 +236,42 @@ CREATE USER <replaceable>name</replaceable>;
</para>
</listitem>
</varlistentry>
+
+ <varlistentry>
+ <term>inheritance of privileges<indexterm><primary>role</primary><secondary>privilege to inherit</secondary></indexterm></term>
+ <listitem>
+ <para>
+ A role is needed to permission to inherit privileges of roles it is a member of.
+ (except for superusers, since those bypass all permission checks).
+ If not specified, <literal>INHERIT</literal> is the default, so to create such a role, use either:
+<programlisting>
+CREATE ROLE <replaceable>name</replaceable> INHERIT;
+CREATE ROLE <replaceable>name</replaceable>;
+</programlisting>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>bypass row-level security<indexterm><primary>role</primary><secondary>privilege to bypass</secondary></indexterm></term>
+ <listitem>
+ <para>
+ A role must be explicitly given permission to bypass row-level security (RLS) policy.
+ (except for superusers, since those bypass all permission checks).
+ To create such a role, use <literal>CREATE ROLE <replaceable>name</replaceable> BYPASSRLS</literal>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>connection limit<indexterm><primary>role</primary><secondary>privilege to limit connection</secondary></indexterm></term>
+ <listitem>
+ <para>
+ Connection limit can specify how many concurrent connections a role can make.
+ -1 (the default) means no limit. To create such a role, use <literal>CREATE ROLE <replaceable>name</replaceable> CONNECTION LIMIT<replaceable> connlimit</replaceable> LOGIN</literal>.
+ </para>
+ </listitem>
+ </varlistentry>
</variablelist>
A role's attributes can be modified after creation with
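Review bot: In the "inheritance of privileges" entry, the opening sentence "A role is needed to permission to inherit privileges of roles it is a member of." is ungrammatical, and its trailing period leaves the following "(except for superusers, ...)." as a detached fragment; the "bypass row-level security" entry has the same stray period after "policy". Suggest rewording the first sentence to say plainly that a role inherits the privileges of roles it is a member of unless told otherwise, and dropping the period before the parenthetical in both entries. The same parenthetical appears in both entries; for the INHERIT one, please confirm the superuser exception is meant to apply as worded. Since the text says INHERIT is the default, "to create such a role" is satisfied by any plain CREATE ROLE, so the entry would be more useful if it also said how to create a role that does not inherit. In the "connection limit" entry, the indexterm secondary "privilege to limit connection" labels a limit as a privilege, and the space in "CONNECTION LIMIT<replaceable> connlimit</replaceable>" sits inside the replaceable element instead of before it.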