public inbox for [email protected]
help / color / mirror / Atom feedFrom: Shinya Kato <[email protected]>
To: Fujii Masao <[email protected]>
Cc: Swaha Miller <[email protected]>
Cc: Laurenz Albe <[email protected]>
Cc: [email protected]
Subject: Re: Question about role attributes docs
Date: Mon, 25 Jul 2022 12:29:54 +0900
Message-ID: <[email protected]> (raw)
In-Reply-To: <[email protected]>
References: <[email protected]>
<[email protected]>
<[email protected]>
<CAPXknY4aqZZA34OPojPstXSpK8SSCGUt8aSZ_V5UE-Gt+6At6g@mail.gmail.com>
<[email protected]>
<[email protected]>
On 2022-07-23 00:35, Fujii Masao wrote:
> On 2022/03/17 17:56, Shinya Kato wrote:
>> Thank you for the review, and sorry for late reply.
>> I fixed it.
>
> Thanks for updating the patch!
Thank you for the review!
> I found that the patch has two trailing whitespaces.
Sorry, I fixed them.
> + A role can explicitly be restricted at time of creation from
> inheriting privileges of
> + roles it is a member of (except for superusers, since those
> bypass all permission checks.)
> + Restricting privileges is done by the
> <literal>NOINHERIT</literal> option.
> + If no option is specified, <literal>INHERIT</literal> is the
> default. So to create a role that inherits
> + privileges, use either:
>
> It sounds strange to me that restriction of inheritance is explained
> at the beginning. Instead, something like the following is more
> intuitive and easy-to-understand to users?
>
> ------------------------
> A role is given permission to inherit the privileges of roles it is a
> member of, by default. However, to create a role without the
> permission, use CREATE ROLE name NOINHERIT.
> ------------------------
>
> + A role must be explicitly given permission to bypass
> row-level security (RLS) policy.
> + (except for superusers, since those bypass all permission
> checks).
>
> Like CREATE ROLE docs does, isn't it better to add "every" just before
> "row-level"?
>
> A dot just between "policy" and "(except" should be removed.
>
> + <term>bypass row-level
> security<indexterm><primary>role</primary><secondary>privilege to
> bypass</secondary></indexterm></term>
>
> "bypass" should be "bypassing" or something because a noun is used for
> each entry title in other places?
>
> + To create such a role, use <literal>CREATE ROLE
> <replaceable>name</replaceable> BYPASSRLS</literal>.
>
> Isn't it better to add "as a superuser" just after
> "BYPASSRLS</literal>" because only a superuser can create a new role
> having the BYPASSRLS attribute?
>
> + -1 (the default) means no limit. To create such a role, use
> <literal>CREATE ROLE <replaceable>name</replaceable> CONNECTION
> LIMIT<replaceable> connlimit</replaceable> LOGIN</literal>.
>
> "To create such a role" sounds odd to me in this context. Instead, how
> about something like "Specify connection limit upon role creation with
> CREATE ROLE name CONNECTION LIMIT 'integer'."?
I agree with what you say. I fixed everything.
--
Regards,
--
Shinya Kato
Advanced Computing Technology Center
Research and Development Headquarters
NTT DATA CORPORATION
Attachments:
[text/x-diff] v3-add-role-attributes-to-docs.patch (1.9K, 2-v3-add-role-attributes-to-docs.patch)
download | inline diff:
diff --git a/doc/src/sgml/user-manag.sgml b/doc/src/sgml/user-manag.sgml
index 6eaaaa36b8..54cb253d95 100644
--- a/doc/src/sgml/user-manag.sgml
+++ b/doc/src/sgml/user-manag.sgml
@@ -236,6 +236,39 @@ CREATE USER <replaceable>name</replaceable>;
</para>
</listitem>
</varlistentry>
+
+ <varlistentry>
+ <term>inheritance of privileges<indexterm><primary>role</primary><secondary>privilege to inherit</secondary></indexterm></term>
+ <listitem>
+ <para>
+ A role is given permission to inherit the privileges of roles it is a
+ member of, by default. However, to create a role without the permission,
+ use <literal>CREATE ROLE <replaceable>name</replaceable> NOINHERIT</literal>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>bypassing row-level security<indexterm><primary>role</primary><secondary>privilege to bypass</secondary></indexterm></term>
+ <listitem>
+ <para>
+ A role must be explicitly given permission to bypass every row-level security (RLS) policy
+ (except for superusers, since those bypass all permission checks).
+ To create such a role, use <literal>CREATE ROLE <replaceable>name</replaceable> BYPASSRLS</literal> as a superuser.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>connection limit<indexterm><primary>role</primary><secondary>privilege to limit connection</secondary></indexterm></term>
+ <listitem>
+ <para>
+ Connection limit can specify how many concurrent connections a role can make.
+ -1 (the default) means no limit. Specify connection limit upon role creation with
+ <literal>CREATE ROLE <replaceable>name</replaceable> CONNECTION LIMIT '<replaceable>integer</replaceable>'</literal>.
+ </para>
+ </listitem>
+ </varlistentry>
</variablelist>
A role's attributes can be modified after creation with
reply
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Reply to all the recipients using the --to and --cc options:
reply via email
To: [email protected]
Cc: [email protected], [email protected], [email protected], [email protected], [email protected]
Subject: Re: Question about role attributes docs
In-Reply-To: <[email protected]>
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox