NotificationsYou must be signed in to change notification settings
Fork6
Star31

Commitf1358ca

committed

Adjust interaction of CREATEROLE with role properties.

Previously, a CREATEROLE user without SUPERUSER could not alterREPLICATION users in any way, and could not set the BYPASSRLSattribute. However, they could manipulate the CREATEDB propertyeven if they themselves did not possess it.With this change, a CREATEROLE user without SUPERUSER can set orclear the REPLICATION, BYPASSRLS, or CREATEDB property on a newrole or a role that they have rights to manage if and only ifthat property is set for their own role.This implements the standard idea that you can't give permissionsyou don't have (but you can give the ones you do have). We mightin the future want to provide more powerful ways to constrainwhat a CREATEROLE user can do - for example, to limit whetherCONNECTION LIMIT can be set or the values to which it can be set -but that is left as future work.Patch by me, reviewed by Nathan Bossart, Tushar Ahuja, and NehaSharma.Discussion:http://postgr.es/m/CA+TgmobX=LHg_J5aT=0pi9gJy=JdtrUVGAu0zhr-i5v5nNbJDg@mail.gmail.com

1 parent6c6d6ba commitf1358caCopy full SHA for f1358ca

File tree

7 files changed

+137

-83

lines changed

doc/src/sgml/ref
- alter_role.sgml
- create_role.sgml
src
- backend/commands
  - dbcommands.c
  - user.c
- include/commands
  - dbcommands.h
- test/regress
  - expected
    - create_role.out
  - sql
    - create_role.sql

7 files changed

+137

-83

lines changed

`‎doc/src/sgml/ref/alter_role.sgml`

Lines changed: 8 additions & 5 deletions

Original file line number	Diff line number	Diff line change
`@@ -70,11 +70,14 @@ ALTER ROLE { <replaceable class="parameter">role_specification</replaceable> \| A`
`70`	`70`	`<link linkend="sql-revoke"><command>REVOKE</command></link> for that.)`
`71`	`71`	`Attributes not mentioned in the command retain their previous settings.`
`72`	`72`	`Database superusers can change any of these settings for any role.`
`73`		`- Roles having <literal>CREATEROLE</literal> privilege can change any of these`
`74`		`- settings except <literal>SUPERUSER</literal>, <literal>REPLICATION</literal>,`
`75`		`- and <literal>BYPASSRLS</literal>; but only for non-superuser and`
`76`		`- non-replication roles for which they have been`
`77`		`- granted <literal>ADMIN OPTION</literal>.`
	`73`	`+ Non-superuser roles having <literal>CREATEROLE</literal> privilege can`
	`74`	`+ change most of these properties, but only for non-superuser and`
	`75`	`+ non-replication roles for which they have been granted`
	`76`	`+ <literal>ADMIN OPTION</literal>. Non-superusers cannot change the`
	`77`	`+ <literal>SUPERUSER</literal> property and can change the`
	`78`	`+ <literal>CREATEDB</literal>, <literal>REPLICATION</literal>, and`
	`79`	`+ <literal>BYPASSRLS</literal> properties only if they possess the`
	`80`	`+ corresponding property themselves.`
`78`	`81`	`Ordinary roles can only change their own password.`
`79`	`82`	`</para>`
`80`	`83`

`‎doc/src/sgml/ref/create_role.sgml`

Lines changed: 6 additions & 17 deletions

Original file line number	Diff line number	Diff line change
`@@ -109,6 +109,8 @@ in sync when changing the above synopsis!`
`109`	`109`	`<literal>NOCREATEDB</literal> will deny a role the ability to`
`110`	`110`	`create databases. If not specified,`
`111`	`111`	`<literal>NOCREATEDB</literal> is the default.`
	`112`	`+ Only superuser roles or roles with <literal>CREATEDB</literal>`
	`113`	`+ can specify <literal>CREATEDB</literal>.`
`112`	`114`	`</para>`
`113`	`115`	`</listitem>`
`114`	`116`	`</varlistentry>`
`@@ -188,8 +190,8 @@ in sync when changing the above synopsis!`
`188`	`190`	`highly privileged role, and should only be used on roles actually`
`189`	`191`	`used for replication. If not specified,`
`190`	`192`	`<literal>NOREPLICATION</literal> is the default.`
`191`		`-You must be asuperuserto create a new role having the`
`192`		`- <literal>REPLICATION</literal> attribute.`
	`193`	`+Onlysuperuserroles or roles with <literal>REPLICATION</literal>`
	`194`	`+can specify<literal>REPLICATION</literal>.`
`193`	`195`	`</para>`
`194`	`196`	`</listitem>`
`195`	`197`	`</varlistentry>`
`@@ -201,8 +203,8 @@ in sync when changing the above synopsis!`
`201`	`203`	`<para>`
`202`	`204`	`These clauses determine whether a role bypasses every row-level`
`203`	`205`	`security (RLS) policy. <literal>NOBYPASSRLS</literal> is the default.`
`204`		`-You must be asuperuserto create a new role having`
`205`		`-the<literal>BYPASSRLS</literal> attribute.`
	`206`	`+Onlysuperuserroles or roles with <literal>BYPASSRLS</literal>`
	`207`	`+can specify<literal>BYPASSRLS</literal>.`
`206`	`208`	`</para>`
`207`	`209`
`208`	`210`	`<para>`
`@@ -390,19 +392,6 @@ in sync when changing the above synopsis!`
`390`	`392`	`specified in the SQL standard.`
`391`	`393`	`</para>`
`392`	`394`
`393`		`- <para>`
`394`		`- Be careful with the <literal>CREATEROLE</literal> privilege. There is no concept of`
`395`		`- inheritance for the privileges of a <literal>CREATEROLE</literal>-role. That`
`396`		`- means that even if a role does not have a certain privilege but is allowed`
`397`		`- to create other roles, it can easily create another role with different`
`398`		`- privileges than its own (except for creating roles with superuser`
`399`		`- privileges). For example, if the role <quote>user</quote> has the`
`400`		`- <literal>CREATEROLE</literal> privilege but not the <literal>CREATEDB</literal> privilege,`
`401`		`- nonetheless it can create a new role with the <literal>CREATEDB</literal>`
`402`		`- privilege. Therefore, regard roles that have the <literal>CREATEROLE</literal>`
`403`		`- privilege as almost-superuser-roles.`
`404`		`- </para>`
`405`		`-`
`406`	`395`	`<para>`
`407`	`396`	`<productname>PostgreSQL</productname> includes a program <xref`
`408`	`397`	`linkend="app-createuser"/> that has`

`‎src/backend/commands/dbcommands.c`

Lines changed: 1 addition & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -121,7 +121,6 @@ static bool get_db_info(const char *name, LOCKMODE lockmode,`
`121`	`121`	`OiddbTablespace,chardbCollate,chardbCtype,char*dbIculocale,`
`122`	`122`	`char*dbLocProvider,`
`123`	`123`	`char**dbCollversion);`
`124`		`-staticboolhave_createdb_privilege(void);`
`125`	`124`	`staticvoidremove_dbtablespaces(Oiddb_id);`
`126`	`125`	`staticboolcheck_db_file_conflict(Oiddb_id);`
`127`	`126`	`staticinterrdetail_busy_db(intnotherbackends,intnpreparedxacts);`
`@@ -2742,7 +2741,7 @@ get_db_info(const char *name, LOCKMODE lockmode,`
`2742`	`2741`	`}`
`2743`	`2742`
`2744`	`2743`	`/* Check if current user has createdb privileges */`
`2745`		`-staticbool`
	`2744`	`+bool`
`2746`	`2745`	`have_createdb_privilege(void)`
`2747`	`2746`	`{`
`2748`	`2747`	`boolresult= false;`

`‎src/backend/commands/user.c`

Lines changed: 38 additions & 44 deletions

Original file line number	Diff line number	Diff line change
`@@ -311,33 +311,28 @@ CreateRole(ParseState pstate, CreateRoleStmt stmt)`
`311`	`311`	`bypassrls=boolVal(dbypassRLS->arg);`
`312`	`312`
`313`	`313`	`/* Check some permissions first */`
`314`		`-if (issuper)`
	`314`	`+if (!superuser_arg(currentUserId))`
`315`	`315`	`{`
`316`		`-if (!superuser())`
	`316`	`+if (!has_createrole_privilege(currentUserId))`
	`317`	`+ereport(ERROR,`
	`318`	`+(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),`
	`319`	`+errmsg("permission denied to create role")));`
	`320`	`+if (issuper)`
`317`	`321`	`ereport(ERROR,`
`318`	`322`	`(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),`
`319`	`323`	`errmsg("must be superuser to create superusers")));`
`320`		`-}`
`321`		`-elseif (isreplication)`
`322`		`-{`
`323`		`-if (!superuser())`
	`324`	`+if (createdb&& !have_createdb_privilege())`
`324`	`325`	`ereport(ERROR,`
`325`	`326`	`(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),`
`326`		`-errmsg("must be superuser to create replication users")));`
`327`		`-}`
`328`		`-elseif (bypassrls)`
`329`		`-{`
`330`		`-if (!superuser())`
	`327`	`+errmsg("must have createdb permission to create createdb users")));`
	`328`	`+if (isreplication&& !has_rolreplication(currentUserId))`
`331`	`329`	`ereport(ERROR,`
`332`	`330`	`(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),`
`333`		`-errmsg("must be superuser to create bypassrls users")));`
`334`		`-}`
`335`		`-else`
`336`		`-{`
`337`		`-if (!have_createrole_privilege())`
	`331`	`+errmsg("must have replication permission to create replication users")));`
	`332`	`+if (bypassrls&& !has_bypassrls_privilege(currentUserId))`
`338`	`333`	`ereport(ERROR,`
`339`	`334`	`(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),`
`340`		`-errmsg("permission deniedto createrole")));`
	`335`	`+errmsg("must have bypassrlsto createbypassrls users")));`
`341`	`336`	`}`
`342`	`337`
`343`	`338`	`/*`
`@@ -748,32 +743,11 @@ AlterRole(ParseState pstate, AlterRoleStmt stmt)`
`748`	`743`	`rolename=pstrdup(NameStr(authform->rolname));`
`749`	`744`	`roleid=authform->oid;`
`750`	`745`
`751`		`-/*`
`752`		`- * To mess with a superuser or replication role in any way you gotta be`
`753`		`- * superuser. We also insist on superuser to change the BYPASSRLS`
`754`		`- * property.`
`755`		`- */`
`756`		`-if (authform->rolsuper\|\|dissuper)`
`757`		`-{`
`758`		`-if (!superuser())`
`759`		`-ereport(ERROR,`
`760`		`-(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),`
`761`		`-errmsg("must be superuser to alter superuser roles or change superuser attribute")));`
`762`		`-}`
`763`		`-elseif (authform->rolreplication\|\|disreplication)`
`764`		`-{`
`765`		`-if (!superuser())`
`766`		`-ereport(ERROR,`
`767`		`-(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),`
`768`		`-errmsg("must be superuser to alter replication roles or change replication attribute")));`
`769`		`-}`
`770`		`-elseif (dbypassRLS)`
`771`		`-{`
`772`		`-if (!superuser())`
`773`		`-ereport(ERROR,`
`774`		`-(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),`
`775`		`-errmsg("must be superuser to change bypassrls attribute")));`
`776`		`-}`
	`746`	`+/* To mess with a superuser in any way you gotta be superuser. */`
	`747`	`+if (!superuser()&& (authform->rolsuper\|\|dissuper))`
	`748`	`+ereport(ERROR,`
	`749`	`+(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),`
	`750`	`+errmsg("must be superuser to alter superuser roles or change superuser attribute")));`
`777`	`751`
`778`	`752`	`/*`
`779`	`753`	`* Most changes to a role require that you both have CREATEROLE privileges`
`@@ -784,7 +758,7 @@ AlterRole(ParseState pstate, AlterRoleStmt stmt)`
`784`	`758`	`{`
`785`	`759`	`/* things an unprivileged user certainly can't do */`
`786`	`760`	`if (dinherit\|\|dcreaterole\|\|dcreatedb\|\|dcanlogin\|\|dconnlimit\|\|`
`787`		`-dvalidUntil)`
	`761`	`+dvalidUntil\|\|disreplication\|\|dbypassRLS)`
`788`	`762`	`ereport(ERROR,`
`789`	`763`	`(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),`
`790`	`764`	`errmsg("permission denied")));`
`@@ -795,6 +769,26 @@ AlterRole(ParseState pstate, AlterRoleStmt stmt)`
`795`	`769`	`(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),`
`796`	`770`	`errmsg("must have CREATEROLE privilege to change another user's password")));`
`797`	`771`	`}`
	`772`	`+elseif (!superuser())`
	`773`	`+{`
	`774`	`+/*`
	`775`	`+ * Even if you have both CREATEROLE and ADMIN OPTION on a role, you`
	`776`	`+ * can only change the CREATEDB, REPLICATION, or BYPASSRLS attributes`
	`777`	`+ * if they are set for your own role (or you are the superuser).`
	`778`	`+ */`
	`779`	`+if (dcreatedb&& !have_createdb_privilege())`
	`780`	`+ereport(ERROR,`
	`781`	`+(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),`
	`782`	`+errmsg("must have createdb privilege to change createdb attribute")));`
	`783`	`+if (disreplication&& !has_rolreplication(currentUserId))`
	`784`	`+ereport(ERROR,`
	`785`	`+(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),`
	`786`	`+errmsg("must have replication privilege to change replication attribute")));`
	`787`	`+if (dbypassRLS&& !has_bypassrls_privilege(currentUserId))`
	`788`	`+ereport(ERROR,`
	`789`	`+(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),`
	`790`	`+errmsg("must have bypassrls privilege to change bypassrls attribute")));`
	`791`	`+}`
`798`	`792`
`799`	`793`	`/* To add members to a role, you need ADMIN OPTION. */`
`800`	`794`	`if (drolemembers&& !is_admin_of_role(currentUserId,roleid))`

`‎src/include/commands/dbcommands.h`

Lines changed: 1 addition & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -30,6 +30,7 @@ extern ObjectAddress AlterDatabaseOwner(const char *dbname, Oid newOwnerId);`
`30`	`30`
`31`	`31`	`externOidget_database_oid(constchar*dbname,boolmissing_ok);`
`32`	`32`	`externchar*get_database_name(Oiddbid);`
	`33`	`+externboolhave_createdb_privilege(void);`
`33`	`34`
`34`	`35`	`externvoidcheck_encoding_locale_matches(intencoding,constcharcollate,constcharctype);`
`35`	`36`

`‎src/test/regress/expected/create_role.out`

Lines changed: 44 additions & 9 deletions

Original file line number	Diff line number	Diff line change
`@@ -2,19 +2,51 @@`
`2`	`2`	`CREATE ROLE regress_role_super SUPERUSER;`
`3`	`3`	`CREATE ROLE regress_role_admin CREATEDB CREATEROLE REPLICATION BYPASSRLS;`
`4`	`4`	`GRANT CREATE ON DATABASE regression TO regress_role_admin WITH GRANT OPTION;`
	`5`	`+CREATE ROLE regress_role_limited_admin CREATEROLE;`
`5`	`6`	`CREATE ROLE regress_role_normal;`
`6`		`--- fail,only superusers can create users with these privileges`
`7`		`-SET SESSION AUTHORIZATIONregress_role_admin;`
	`7`	`+-- fail,CREATEROLE user can't give away role attributes without having them`
	`8`	`+SET SESSION AUTHORIZATIONregress_role_limited_admin;`
`8`	`9`	`CREATE ROLE regress_nosuch_superuser SUPERUSER;`
`9`	`10`	`ERROR: must be superuser to create superusers`
`10`	`11`	`CREATE ROLE regress_nosuch_replication_bypassrls REPLICATION BYPASSRLS;`
`11`		`-ERROR: mustbe superuser to create replication users`
	`12`	`+ERROR: musthave replication permission to create replication users`
`12`	`13`	`CREATE ROLE regress_nosuch_replication REPLICATION;`
`13`		`-ERROR: mustbe superuser to create replication users`
	`14`	`+ERROR: musthave replication permission to create replication users`
`14`	`15`	`CREATE ROLE regress_nosuch_bypassrls BYPASSRLS;`
`15`		`-ERROR: must be superuser to create bypassrls users`
`16`		`--- ok, having CREATEROLE is enough to create users with these privileges`
	`16`	`+ERROR: must have bypassrls to create bypassrls users`
	`17`	`+CREATE ROLE regress_nosuch_createdb CREATEDB;`
	`18`	`+ERROR: must have createdb permission to create createdb users`
	`19`	`+-- ok, can create a role without any special attributes`
	`20`	`+CREATE ROLE regress_role_limited;`
	`21`	`+-- fail, can't give it in any of the restricted attributes`
	`22`	`+ALTER ROLE regress_role_limited SUPERUSER;`
	`23`	`+ERROR: must be superuser to alter superuser roles or change superuser attribute`
	`24`	`+ALTER ROLE regress_role_limited REPLICATION;`
	`25`	`+ERROR: must have replication privilege to change replication attribute`
	`26`	`+ALTER ROLE regress_role_limited CREATEDB;`
	`27`	`+ERROR: must have createdb privilege to change createdb attribute`
	`28`	`+ALTER ROLE regress_role_limited BYPASSRLS;`
	`29`	`+ERROR: must have bypassrls privilege to change bypassrls attribute`
	`30`	`+DROP ROLE regress_role_limited;`
	`31`	`+-- ok, can give away these role attributes if you have them`
	`32`	`+SET SESSION AUTHORIZATION regress_role_admin;`
	`33`	`+CREATE ROLE regress_replication_bypassrls REPLICATION BYPASSRLS;`
	`34`	`+CREATE ROLE regress_replication REPLICATION;`
	`35`	`+CREATE ROLE regress_bypassrls BYPASSRLS;`
`17`	`36`	`CREATE ROLE regress_createdb CREATEDB;`
	`37`	`+-- ok, can toggle these role attributes off and on if you have them`
	`38`	`+ALTER ROLE regress_replication NOREPLICATION;`
	`39`	`+ALTER ROLE regress_replication REPLICATION;`
	`40`	`+ALTER ROLE regress_bypassrls NOBYPASSRLS;`
	`41`	`+ALTER ROLE regress_bypassrls BYPASSRLS;`
	`42`	`+ALTER ROLE regress_createdb NOCREATEDB;`
	`43`	`+ALTER ROLE regress_createdb CREATEDB;`
	`44`	`+-- fail, can't toggle SUPERUSER`
	`45`	`+ALTER ROLE regress_createdb SUPERUSER;`
	`46`	`+ERROR: must be superuser to alter superuser roles or change superuser attribute`
	`47`	`+ALTER ROLE regress_createdb NOSUPERUSER;`
	`48`	`+ERROR: must be superuser to alter superuser roles or change superuser attribute`
	`49`	`+-- ok, having CREATEROLE is enough to create users with these privileges`
`18`	`50`	`CREATE ROLE regress_createrole CREATEROLE NOINHERIT;`
`19`	`51`	`GRANT CREATE ON DATABASE regression TO regress_createrole WITH GRANT OPTION;`
`20`	`52`	`CREATE ROLE regress_login LOGIN;`
`@@ -53,9 +85,9 @@ ERROR: permission denied to create database`
`53`	`85`	`CREATE ROLE regress_plainrole;`
`54`	`86`	`-- ok, roles with CREATEROLE can create new roles with it`
`55`	`87`	`CREATE ROLE regress_rolecreator CREATEROLE;`
`56`		`--- ok, roles with CREATEROLE can create new roles withprivilege they lack`
`57`		`-CREATE ROLE regress_hasprivs CREATEDBCREATEROLE LOGIN INHERIT`
`58`		`-CONNECTION LIMIT 5;`
	`88`	`+-- ok, roles with CREATEROLE can create new roles withdifferent role`
	`89`	`+-- attributes, includingCREATEROLE`
	`90`	`+CREATE ROLE regress_hasprivs CREATEROLE LOGIN INHERITCONNECTION LIMIT 5;`
`59`	`91`	`-- ok, we should be able to modify a role we created`
`60`	`92`	`COMMENT ON ROLE regress_hasprivs IS 'some comment';`
`61`	`93`	`ALTER ROLE regress_hasprivs RENAME TO regress_tenant;`
`@@ -164,6 +196,9 @@ DROP ROLE regress_plainrole;`
`164`	`196`	`-- must revoke privileges before dropping role`
`165`	`197`	`REVOKE CREATE ON DATABASE regression FROM regress_createrole CASCADE;`
`166`	`198`	`-- ok, should be able to drop non-superuser roles we created`
	`199`	`+DROP ROLE regress_replication_bypassrls;`
	`200`	`+DROP ROLE regress_replication;`
	`201`	`+DROP ROLE regress_bypassrls;`
`167`	`202`	`DROP ROLE regress_createdb;`
`168`	`203`	`DROP ROLE regress_createrole;`
`169`	`204`	`DROP ROLE regress_login;`

`‎src/test/regress/sql/create_role.sql`

Lines changed: 39 additions & 6 deletions

Original file line number	Diff line number	Diff line change
`@@ -2,17 +2,47 @@`
`2`	`2`	`CREATE ROLE regress_role_super SUPERUSER;`
`3`	`3`	`CREATE ROLE regress_role_admin CREATEDB CREATEROLE REPLICATION BYPASSRLS;`
`4`	`4`	`GRANT CREATEON DATABASE regression TO regress_role_admin WITHGRANT OPTION;`
	`5`	`+CREATE ROLE regress_role_limited_admin CREATEROLE;`
`5`	`6`	`CREATE ROLE regress_role_normal;`
`6`	`7`
`7`		`--- fail,only superusers can create users with these privileges`
`8`		`-SET SESSION AUTHORIZATIONregress_role_admin;`
	`8`	`+-- fail,CREATEROLE user can't give away role attributes without having them`
	`9`	`+SET SESSION AUTHORIZATIONregress_role_limited_admin;`
`9`	`10`	`CREATE ROLE regress_nosuch_superuser SUPERUSER;`
`10`	`11`	`CREATE ROLE regress_nosuch_replication_bypassrls REPLICATION BYPASSRLS;`
`11`	`12`	`CREATE ROLE regress_nosuch_replication REPLICATION;`
`12`	`13`	`CREATE ROLE regress_nosuch_bypassrls BYPASSRLS;`
	`14`	`+CREATE ROLE regress_nosuch_createdb CREATEDB;`
`13`	`15`
`14`		`--- ok, having CREATEROLE is enough to create users with these privileges`
	`16`	`+-- ok, can create a role without any special attributes`
	`17`	`+CREATE ROLE regress_role_limited;`
	`18`	`+`
	`19`	`+-- fail, can't give it in any of the restricted attributes`
	`20`	`+ALTER ROLE regress_role_limited SUPERUSER;`
	`21`	`+ALTER ROLE regress_role_limited REPLICATION;`
	`22`	`+ALTER ROLE regress_role_limited CREATEDB;`
	`23`	`+ALTER ROLE regress_role_limited BYPASSRLS;`
	`24`	`+DROP ROLE regress_role_limited;`
	`25`	`+`
	`26`	`+-- ok, can give away these role attributes if you have them`
	`27`	`+SET SESSION AUTHORIZATION regress_role_admin;`
	`28`	`+CREATE ROLE regress_replication_bypassrls REPLICATION BYPASSRLS;`
	`29`	`+CREATE ROLE regress_replication REPLICATION;`
	`30`	`+CREATE ROLE regress_bypassrls BYPASSRLS;`
`15`	`31`	`CREATE ROLE regress_createdb CREATEDB;`
	`32`	`+`
	`33`	`+-- ok, can toggle these role attributes off and on if you have them`
	`34`	`+ALTER ROLE regress_replication NOREPLICATION;`
	`35`	`+ALTER ROLE regress_replication REPLICATION;`
	`36`	`+ALTER ROLE regress_bypassrls NOBYPASSRLS;`
	`37`	`+ALTER ROLE regress_bypassrls BYPASSRLS;`
	`38`	`+ALTER ROLE regress_createdb NOCREATEDB;`
	`39`	`+ALTER ROLE regress_createdb CREATEDB;`
	`40`	`+`
	`41`	`+-- fail, can't toggle SUPERUSER`
	`42`	`+ALTER ROLE regress_createdb SUPERUSER;`
	`43`	`+ALTER ROLE regress_createdb NOSUPERUSER;`
	`44`	`+`
	`45`	`+-- ok, having CREATEROLE is enough to create users with these privileges`
`16`	`46`	`CREATE ROLE regress_createrole CREATEROLE NOINHERIT;`
`17`	`47`	`GRANT CREATEON DATABASE regression TO regress_createrole WITHGRANT OPTION;`
`18`	`48`	`CREATE ROLE regress_login LOGIN;`
`@@ -56,9 +86,9 @@ CREATE ROLE regress_plainrole;`
`56`	`86`	`-- ok, roles with CREATEROLE can create new roles with it`
`57`	`87`	`CREATE ROLE regress_rolecreator CREATEROLE;`
`58`	`88`
`59`		`--- ok, roles with CREATEROLE can create new roles withprivilege they lack`
`60`		`-CREATE ROLE regress_hasprivs CREATEDBCREATEROLE LOGIN INHERIT`
`61`		`-CONNECTIONLIMIT5;`
	`89`	`+-- ok, roles with CREATEROLE can create new roles withdifferent role`
	`90`	`+-- attributes, includingCREATEROLE`
	`91`	`+CREATE ROLE regress_hasprivs CREATEROLE LOGIN INHERITCONNECTIONLIMIT5;`
`62`	`92`
`63`	`93`	`-- ok, we should be able to modify a role we created`
`64`	`94`	`COMMENTON ROLE regress_hasprivs IS'some comment';`
`@@ -150,6 +180,9 @@ DROP ROLE regress_plainrole;`
`150`	`180`	`REVOKE CREATEON DATABASE regressionFROM regress_createrole CASCADE;`
`151`	`181`
`152`	`182`	`-- ok, should be able to drop non-superuser roles we created`
	`183`	`+DROP ROLE regress_replication_bypassrls;`
	`184`	`+DROP ROLE regress_replication;`
	`185`	`+DROP ROLE regress_bypassrls;`
`153`	`186`	`DROP ROLE regress_createdb;`
`154`	`187`	`DROP ROLE regress_createrole;`
`155`	`188`	`DROP ROLE regress_login;`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commitf1358ca

File tree

7 files changed

7 files changed

`‎doc/src/sgml/ref/alter_role.sgml`

`‎doc/src/sgml/ref/create_role.sgml`

`‎src/backend/commands/dbcommands.c`

`‎src/backend/commands/user.c`

`‎src/include/commands/dbcommands.h`

`‎src/test/regress/expected/create_role.out`

`‎src/test/regress/sql/create_role.sql`

0 commit comments