11<!--
2- $PostgreSQL: pgsql/doc/src/sgml/ref/createuser.sgml,v 1.41 2005/05/29 03:32:18 momjian Exp $
2+ $PostgreSQL: pgsql/doc/src/sgml/ref/createuser.sgml,v 1.42 2005/08/14 20:16:02 tgl Exp $
33PostgreSQL documentation
44-->
55
@@ -32,24 +32,24 @@ PostgreSQL documentation
3232 <title>Description</title>
3333 <para>
3434 <application>createuser</application> creates a
35- new <productname>PostgreSQL</productname> user.
36- Only superusers (users with <literal>usesuper</literal> set in
37- the <literal>pg_shadow</literal> table) can create
38- new <productname>PostgreSQL</productname> users,
39- so <application>createuser</application> must be
40- invoked by someone who can connect as a <productname>PostgreSQL</productname>
41- superuser.
35+ new <productname>PostgreSQL</productname> user (or more precisely, a role).
36+ Only superusers and users with <literal>CREATEROLE</> privilege can create
37+ new users, so <application>createuser</application> must be
38+ invoked by someone who can connect as a superuser or a user with
39+ <literal>CREATEROLE</> privilege.
4240 </para>
4341
4442 <para>
45- Being a superuser also implies the ability to bypass access permission
43+ If you wish to create a new superuser, you must connect as a
44+ superuser, not merely with <literal>CREATEROLE</> privilege.
45+ Being a superuser implies the ability to bypass all access permission
4646 checks within the database, so superuserdom should not be granted lightly.
4747 </para>
4848
4949 <para>
5050 <application>createuser</application> is a wrapper around the
51- <acronym>SQL</acronym> command <xref linkend="SQL-CREATEUSER "
52- endterm="SQL-CREATEUSER -title">.
51+ <acronym>SQL</acronym> command <xref linkend="SQL-CREATEROLE "
52+ endterm="SQL-CREATEROLE -title">.
5353 There is no effective difference between creating users via
5454 this utility and via other methods for accessing the server.
5555 </para>
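Review bot: In the first Description paragraph the added text introduces "user (or more precisely, a role)" and then returns to "new users" without saying how the two terms relate, and the option entries later in the patch alternate between "new user" and "new role". Suggest settling on one term after the parenthetical. The retained caution also covers only superuser status; since the added lines make CREATEROLE sufficient to run this tool, a sentence on what a CREATEROLE holder can and cannot create (the second paragraph only rules out superusers) would help whoever decides to grant it.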
@@ -70,32 +70,28 @@ PostgreSQL documentation
7070 <para>
7171 Specifies the name of the <productname>PostgreSQL</productname> user
7272 to be created.
73- This name must beunique among allusers of this
73+ This name must bedifferent from allexisting roles in this
7474 <productname>PostgreSQL</productname> installation.
7575 </para>
7676 </listitem>
7777 </varlistentry>
7878
7979 <varlistentry>
80- <term><option>-a </></term>
81- <term><option>--adduser </></term>
80+ <term><option>-s </></term>
81+ <term><option>--superuser </></term>
8282 <listitem>
8383 <para>
84- The new user is allowed to create other users.
85- (Note: Actually, this makes the new user a <emphasis>superuser</>.
86- The option is poorly named.)
84+ The new user will be a superuser.
8785 </para>
8886 </listitem>
8987 </varlistentry>
9088
9189 <varlistentry>
92- <term><option>-A </></term>
93- <term><option>--no-adduser </></term>
90+ <term><option>-S </></term>
91+ <term><option>--no-superuser </></term>
9492 <listitem>
9593 <para>
96- The new user is not allowed to create other users (i.e.,
97- the new user is a regular user, not a superuser).
98- This is the default.
94+ The new user will not be a superuser.
9995 </para>
10096 </listitem>
10197 </varlistentry>
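Review bot: The -S/--no-superuser entry drops "This is the default." and neither -s nor -S now says what happens when both are omitted; the example further down shows createuser asking "Shall the new role be a superuser?", so that behaviour should be stated here. The hunk also deletes -a/--adduser and -A/--no-adduser with no word on whether invocations that still pass them are accepted; a short compatibility remark in the new entries would keep existing provisioning scripts from changing behaviour unnoticed.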
@@ -105,7 +101,7 @@ PostgreSQL documentation
105101 <term><option>--createdb</></term>
106102 <listitem>
107103 <para>
108- The new useris allowed to create databases.
104+ The new userwill be allowed to create databases.
109105 </para>
110106 </listitem>
111107 </varlistentry>
@@ -115,52 +111,86 @@ PostgreSQL documentation
115111 <term><option>--no-createdb</></term>
116112 <listitem>
117113 <para>
118- The new user is not allowed to create databases.
119- This is the default.
114+ The new user will not be allowed to create databases.
120115 </para>
121116 </listitem>
122117 </varlistentry>
123118
124119 <varlistentry>
125- <term><option>-e </></term>
126- <term><option>--echo </></term>
120+ <term><option>-r </></term>
121+ <term><option>--createrole </></term>
127122 <listitem>
128123 <para>
129- Echo the commands that <application>createuser</application> generates
130- and sends to the server .
124+ The new user will be allowed to create new roles (that is,
125+ this user will have <literal>CREATEROLE</> privilege) .
131126 </para>
132127 </listitem>
133128 </varlistentry>
134129
135130 <varlistentry>
136- <term><option>-E </></term>
137- <term><option>--encrypted </></term>
131+ <term><option>-R </></term>
132+ <term><option>--no-createrole </></term>
138133 <listitem>
139134 <para>
140- Encrypts the user's password stored in the database. If not
141- specified, the default password behavior is used.
135+ The new user will not be allowed to create new roles.
142136 </para>
143137 </listitem>
144138 </varlistentry>
145139
146140 <varlistentry>
147- <term><option>-i <replaceable class="parameter">number</replaceable> </></term>
148- <term><option>--sysid <replaceable class="parameter">number</replaceable> </></term>
141+ <term><option>-l </></term>
142+ <term><option>--login </></term>
149143 <listitem>
150144 <para>
151- Allows you to pick a non-default user ID for the new user. This is not
152- necessary, but some people like it.
145+ The new user will be allowed to log in (that is, the user name
146+ can be used as the initial session user identifier).
147+ This is the default.
153148 </para>
154149 </listitem>
155150 </varlistentry>
156151
157152 <varlistentry>
158- <term><option>-N </></term>
159- <term><option>--unencrypted </></term>
153+ <term><option>-L </></term>
154+ <term><option>--no-login </></term>
160155 <listitem>
161156 <para>
162- Does not encrypt the user's password stored in the database. If
163- not specified, the default password behavior is used.
157+ The new user will not be allowed to log in.
158+ (A role without login privilege is still useful as a means of
159+ managing database permissions.)
160+ </para>
161+ </listitem>
162+ </varlistentry>
163+
164+ <varlistentry>
165+ <term><option>-i</></term>
166+ <term><option>--inherit</></term>
167+ <listitem>
168+ <para>
169+ The new role will automatically inherit privileges of roles
170+ it is a member of.
171+ This is the default.
172+ </para>
173+ </listitem>
174+ </varlistentry>
175+
176+ <varlistentry>
177+ <term><option>-I</></term>
178+ <term><option>--no-inherit</></term>
179+ <listitem>
180+ <para>
181+ The new role will not automatically inherit privileges of roles
182+ it is a member of.
183+ </para>
184+ </listitem>
185+ </varlistentry>
186+
187+ <varlistentry>
188+ <term><option>-c <replaceable class="parameter">number</replaceable></></term>
189+ <term><option>--conn-limit <replaceable class="parameter">number</replaceable></></term>
190+ <listitem>
191+ <para>
192+ Set a maximum number of connections for the new user.
193+ The default is to set no limit.
164194 </para>
165195 </listitem>
166196 </varlistentry>
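Review bot: -i changes meaning in this hunk: it was "-i number" / "--sysid number" and becomes the argument-less "--inherit", with nothing in the text telling readers the old form is gone, so an invocation written for the old option no longer means what it did. Suggest a sentence under -i/--inherit noting that --sysid was removed. Smaller points: -D/--no-createdb loses "This is the default." with no replacement statement, -r/-R give no default either, and the new entries switch between "The new user" (-l, -L, -c) and "The new role" (-i, -I).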
@@ -177,6 +207,39 @@ PostgreSQL documentation
177207 </listitem>
178208 </varlistentry>
179209
210+ <varlistentry>
211+ <term><option>-E</></term>
212+ <term><option>--encrypted</></term>
213+ <listitem>
214+ <para>
215+ Encrypts the user's password stored in the database. If not
216+ specified, the default password behavior is used.
217+ </para>
218+ </listitem>
219+ </varlistentry>
220+
221+ <varlistentry>
222+ <term><option>-N</></term>
223+ <term><option>--unencrypted</></term>
224+ <listitem>
225+ <para>
226+ Does not encrypt the user's password stored in the database. If
227+ not specified, the default password behavior is used.
228+ </para>
229+ </listitem>
230+ </varlistentry>
231+
232+ <varlistentry>
233+ <term><option>-e</></term>
234+ <term><option>--echo</></term>
235+ <listitem>
236+ <para>
237+ Echo the commands that <application>createuser</application> generates
238+ and sends to the server.
239+ </para>
240+ </listitem>
241+ </varlistentry>
242+
180243 <varlistentry>
181244 <term><option>-q</></term>
182245 <term><option>--quiet</></term>
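Review bot: The relocated -E and -N entries both refer to "the default password behavior" without saying what defines it, so a reader cannot tell from this page how the password is stored when neither option is given. Since the entries are being moved anyway, suggest naming or cross-referencing the server setting that determines the default, and saying under -N what storing the password unencrypted means for anyone who can read it in the database.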
@@ -204,10 +267,10 @@ PostgreSQL documentation
204267 <term><option>--host <replaceable class="parameter">host</replaceable></></term>
205268 <listitem>
206269 <para>
207- Specifies the host name of the machine on which the
208- server
209- is running. If the value begins with a slash, it is used
210- as the directory for the Unix domain socket.
270+ Specifies the host name of the machine on which the
271+ server
272+ is running. If the value begins with a slash, it is used
273+ as the directory for the Unix domain socket.
211274 </para>
212275 </listitem>
213276 </varlistentry>
@@ -217,9 +280,9 @@ PostgreSQL documentation
217280 <term><option>--port <replaceable class="parameter">port</replaceable></></term>
218281 <listitem>
219282 <para>
220- Specifies the TCP port or local Unix domain socket file
221- extension on which the server
222- is listening for connections.
283+ Specifies the TCP port or local Unix domain socket file
284+ extension on which the server
285+ is listening for connections.
223286 </para>
224287 </listitem>
225288 </varlistentry>
@@ -272,8 +335,8 @@ PostgreSQL documentation
272335 <title>Diagnostics</title>
273336
274337 <para>
275- In case of difficulty, see <xref linkend="SQL-CREATEUSER "
276- endterm="sql-createuser -title"> and <xref linkend="APP-PSQL"> for
338+ In case of difficulty, see <xref linkend="SQL-CREATEROLE "
339+ endterm="sql-createrole -title"> and <xref linkend="APP-PSQL"> for
277340 discussions of potential problems and error messages.
278341 The database server must be running at the
279342 targeted host. Also, any default connection settings and environment
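Review bot: The added xref pairs an upper-case linkend (SQL-CREATEROLE) with a lower-case endterm (sql-createrole-title), while the Description hunk writes the endterm in upper case and the See Also hunk uses lower case for both. The mixed case is carried over from the removed lines, but every one of these references is rewritten in this patch, so this is the moment to use one case throughout.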
@@ -292,8 +355,9 @@ PostgreSQL documentation
292355 server:
293356<screen>
294357<prompt>$ </prompt><userinput>createuser joe</userinput>
295- <computeroutput>Shall the new user be allowed to create databases? (y/n) </computeroutput><userinput>n</userinput>
296- <computeroutput>Shall the new user be allowed to create more new users? (y/n) </computeroutput><userinput>n</userinput>
358+ <computeroutput>Shall the new role be a superuser? (y/n) </computeroutput><userinput>n</userinput>
359+ <computeroutput>Shall the new role be allowed to create databases? (y/n) </computeroutput><userinput>n</userinput>
360+ <computeroutput>Shall the new role be allowed to create more new roles? (y/n) </computeroutput><userinput>n</userinput>
297361<computeroutput>CREATE USER</computeroutput>
298362</screen>
299363 </para>
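Review bot: After the three new prompts the unchanged output line still reads "CREATE USER", while the other two examples in this patch are changed to show CREATE ROLE. If the reported command tag changed, this line needs the same update; if it did not, the other examples are wrong. The sentence introducing the example could also say that the questions appear because none of -s/-S, -d/-D and -r/-R was given.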
@@ -303,21 +367,21 @@ PostgreSQL documentation
303367 server on host <literal>eden</>, port 5000, avoiding the prompts and
304368 taking a look at the underlying command:
305369<screen>
306- <prompt>$ </prompt><userinput>createuser -h eden -p 5000 -D -A -e joe</userinput>
307- <computeroutput>CREATEUSER joe NOCREATEDBNOCREATEUSER ;</computeroutput>
308- <computeroutput>CREATEUSER </computeroutput>
370+ <prompt>$ </prompt><userinput>createuser -h eden -p 5000 -S - D -R -e joe</userinput>
371+ <computeroutput>CREATEROLE joeNOSUPERUSER NOCREATEDBNOCREATEROLE INHERIT LOGIN ;</computeroutput>
372+ <computeroutput>CREATEROLE </computeroutput>
309373</screen>
310374 </para>
311375
312376 <para>
313377 To create the user <literal>joe</literal> as a superuser,
314378 and assign a password immediately:
315379<screen>
316- <prompt>$ </prompt><userinput>createuser -P -d -a -e joe</userinput>
317- <computeroutput>Enter password for newuser : </computeroutput><userinput>xyzzy</userinput>
380+ <prompt>$ </prompt><userinput>createuser -P -s -e joe</userinput>
381+ <computeroutput>Enter password for newrole : </computeroutput><userinput>xyzzy</userinput>
318382<computeroutput>Enter it again: </computeroutput><userinput>xyzzy</userinput>
319- <computeroutput>CREATEUSER joe PASSWORD 'xyzzy' CREATEDBCREATEUSER ;</computeroutput>
320- <computeroutput>CREATEUSER </computeroutput>
383+ <computeroutput>CREATEROLE joe PASSWORD 'xyzzy'SUPERUSER CREATEDBCREATEROLE INHERIT LOGIN ;</computeroutput>
384+ <computeroutput>CREATEROLE </computeroutput>
321385</screen>
322386 In the above example, the new password isn't actually echoed when typed,
323387 but we show what was typed for clarity. However the password
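Review bot: The superuser example passes only "-P -s -e" yet the echoed command contains SUPERUSER, CREATEDB and CREATEROLE, and the -s entry earlier in the patch says just "The new user will be a superuser." Either the option text or this example should explain that -s brings the other two attributes with it. The echoed statement also carries PASSWORD 'xyzzy' in clear; the trailing paragraph begins to address this, and a matching remark in the -e/--echo entry would put the caveat where the option is documented.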
@@ -333,7 +397,7 @@ PostgreSQL documentation
333397
334398 <simplelist type="inline">
335399 <member><xref linkend="app-dropuser"></member>
336- <member><xref linkend="sql-createuser " endterm="sql-createuser -title"></member>
400+ <member><xref linkend="sql-createrole " endterm="sql-createrole -title"></member>
337401 <member>Environment Variables (<xref linkend="libpq-envars">)</member>
338402 </simplelist>
339403 </refsect1>