NotificationsYou must be signed in to change notification settings
Fork5
Star26

Commit7a54270

committed

Create default roles

This creates an initial set of default roles which administrators mayuse to grant access to, historically, superuser-only functions. Usingthese roles instead of granting superuser access reduces the number ofsuperuser roles required for a system. Documention for each of thedefault roles has been added to user-manag.sgml.Bump catversion to 201604082, as we had a commit that bumped it to201604081 and another that set it back to 201604071...Reviews by José Luis Tallón and Robert Haas

1 parent2930078 commit7a54270Copy full SHA for 7a54270

File tree

7 files changed

+76

-8

lines changed

doc/src/sgml
- func.sgml
- user-manag.sgml
src
- backend/utils/adt
  - misc.c
- include/catalog
  - catversion.h
  - pg_authid.h
- test/regress
  - expected
    - rolenames.out
  - sql
    - rolenames.sql

7 files changed

+76

-8

lines changed

`‎doc/src/sgml/func.sgml`

Lines changed: 5 additions & 3 deletions

Original file line number	Diff line number	Diff line change
`@@ -17454,7 +17454,8 @@ SELECT set_config('log_statement_stats', 'off', false);`
`17454`	`17454`	`</entry>`
`17455`	`17455`	`<entry><type>boolean</type></entry>`
`17456`	`17456`	`<entry>Cancel a backend's current query. This is also allowed if the`
`17457`		`- calling role is a member of the role whose backend is being canceled,`
	`17457`	`+ calling role is a member of the role whose backend is being canceled or`
	`17458`	`+ the calling role has been granted <literal>pg_signal_backend</literal>,`
`17458`	`17459`	`however only superusers can cancel superuser backends.`
`17459`	`17460`	`</entry>`
`17460`	`17461`	`</row>`
`@@ -17478,8 +17479,9 @@ SELECT set_config('log_statement_stats', 'off', false);`
`17478`	`17479`	`</entry>`
`17479`	`17480`	`<entry><type>boolean</type></entry>`
`17480`	`17481`	`<entry>Terminate a backend. This is also allowed if the calling role`
`17481`		`- is a member of the role whose backend is being terminated, however only`
`17482`		`- superusers can terminate superuser backends.`
	`17482`	`+ is a member of the role whose backend is being terminated or the`
	`17483`	`+ calling role has been granted <literal>pg_signal_backend</literal>,`
	`17484`	`+ however only superusers can terminate superuser backends.`
`17483`	`17485`	`</entry>`
`17484`	`17486`	`</row>`
`17485`	`17487`	`</tbody>`

`‎doc/src/sgml/user-manag.sgml`

Lines changed: 51 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -483,6 +483,57 @@ DROP ROLE doomed_role;`
`483`	`483`	`</para>`
`484`	`484`	`</sect1>`
`485`	`485`
	`486`	`+ <sect1 id="default-roles">`
	`487`	`+ <title>Default Roles</title>`
	`488`	`+`
	`489`	`+ <indexterm zone="default-roles">`
	`490`	`+ <primary>role</>`
	`491`	`+ </indexterm>`
	`492`	`+`
	`493`	`+ <para>`
	`494`	`+ <productname>PostgreSQL</productname> provides a set of default roles`
	`495`	`+ which provide access to certain, commonly needed, privileged capabilities`
	`496`	`+ and information. Administrators can GRANT these roles to users and/or`
	`497`	`+ other roles in their environment, providing those users with access to`
	`498`	`+ the specified capabilities and information.`
	`499`	`+ </para>`
	`500`	`+`
	`501`	`+ <para>`
	`502`	`+ The default roles are described in <xref linkend="default-roles-table">.`
	`503`	`+ Note that the specific permissions for each of the default roles may`
	`504`	`+ change in the future as additional capabilities are added. Administrators`
	`505`	`+ should monitor the release notes for changes.`
	`506`	`+ </para>`
	`507`	`+`
	`508`	`+ <table tocentry="1" id="default-roles-table">`
	`509`	`+ <title>Default Roles</title>`
	`510`	`+ <tgroup cols="2">`
	`511`	`+ <thead>`
	`512`	`+ <row>`
	`513`	`+ <entry>Role</entry>`
	`514`	`+ <entry>Allowed Access</entry>`
	`515`	`+ </row>`
	`516`	`+ </thead>`
	`517`	`+ <tbody>`
	`518`	`+ <row>`
	`519`	`+ <entry>pg_signal_backend</entry>`
	`520`	`+ <entry>Send signals to other backends (eg: cancel query, terminate).</entry>`
	`521`	`+ </row>`
	`522`	`+ </tbody>`
	`523`	`+ </tgroup>`
	`524`	`+ </table>`
	`525`	`+`
	`526`	`+ <para>`
	`527`	`+ Administrators can grant access to these roles to users using the GRANT`
	`528`	`+ command:`
	`529`	`+`
	`530`	`+<programlisting>`
	`531`	`+GRANT pg_signal_backend TO admin_user;`
	`532`	`+</programlisting>`
	`533`	`+ </para>`
	`534`	`+`
	`535`	`+ </sect1>`
	`536`	`+`
`486`	`537`	`<sect1 id="perm-functions">`
`487`	`538`	`<title>Function and Trigger Security</title>`
`488`	`539`

`‎src/backend/utils/adt/misc.c`

Lines changed: 5 additions & 3 deletions

Original file line number	Diff line number	Diff line change
`@@ -21,6 +21,7 @@`
`21`	`21`	`#include<unistd.h>`
`22`	`22`
`23`	`23`	`#include"access/sysattr.h"`
	`24`	`+#include"catalog/pg_authid.h"`
`24`	`25`	`#include"catalog/catalog.h"`
`25`	`26`	`#include"catalog/pg_tablespace.h"`
`26`	`27`	`#include"catalog/pg_type.h"`
`@@ -244,7 +245,8 @@ pg_signal_backend(int pid, int sig)`
`244`	`245`	`returnSIGNAL_BACKEND_NOSUPERUSER;`
`245`	`246`
`246`	`247`	`/* Users can signal backends they have role membership in. */`
`247`		`-if (!has_privs_of_role(GetUserId(),proc->roleId))`
	`248`	`+if (!has_privs_of_role(GetUserId(),proc->roleId)&&`
	`249`	`+!has_privs_of_role(GetUserId(),DEFAULT_ROLE_SIGNAL_BACKENDID))`
`248`	`250`	`returnSIGNAL_BACKEND_NOPERMISSION;`
`249`	`251`
`250`	`252`	`/*`
`@@ -290,7 +292,7 @@ pg_cancel_backend(PG_FUNCTION_ARGS)`
`290`	`292`	`if (r==SIGNAL_BACKEND_NOPERMISSION)`
`291`	`293`	`ereport(ERROR,`
`292`	`294`	`(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),`
`293`		`- (errmsg("must be a member of the role whose query is being canceled"))));`
	`295`	`+ (errmsg("must be a member of the role whose query is being canceled or member of pg_signal_backend"))));`
`294`	`296`
`295`	`297`	`PG_RETURN_BOOL(r==SIGNAL_BACKEND_SUCCESS);`
`296`	`298`	`}`
`@@ -314,7 +316,7 @@ pg_terminate_backend(PG_FUNCTION_ARGS)`
`314`	`316`	`if (r==SIGNAL_BACKEND_NOPERMISSION)`
`315`	`317`	`ereport(ERROR,`
`316`	`318`	`(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),`
`317`		`- (errmsg("must be a member of the role whose process is being terminated"))));`
	`319`	`+ (errmsg("must be a member of the role whose process is being terminated or member of pg_signal_backend"))));`
`318`	`320`
`319`	`321`	`PG_RETURN_BOOL(r==SIGNAL_BACKEND_SUCCESS);`
`320`	`322`	`}`

`‎src/include/catalog/catversion.h`

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -53,6 +53,6 @@`
`53`	`53`	`*/`
`54`	`54`
`55`	`55`	`/yyyymmddN /`
`56`		`-#defineCATALOG_VERSION_NO201604071`
	`56`	`+#defineCATALOG_VERSION_NO201604082`
`57`	`57`
`58`	`58`	`#endif`

`‎src/include/catalog/pg_authid.h`

Lines changed: 7 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -93,10 +93,16 @@ typedef FormData_pg_authid *Form_pg_authid;`
`93`	`93`	`*`
`94`	`94`	`* The uppercase quantities will be replaced at initdb time with`
`95`	`95`	`* user choices.`
	`96`	`+ *`
	`97`	`+ * If adding new default roles or changing the OIDs below, be sure to add or`
	`98`	`+ * update the #defines which follow as appropriate.`
`96`	`99`	`* ----------------`
`97`	`100`	`*/`
`98`	`101`	`DATA(insertOID=10 ("POSTGRES"ttttttt-1_null__null_));`
	`102`	`+DATA(insertOID=4200 ("pg_signal_backend"ftfffff-1_null__null_));`
	`103`	`+`
	`104`	`+#defineBOOTSTRAP_SUPERUSERID10`
`99`	`105`
`100`		`-#defineBOOTSTRAP_SUPERUSERID 10`
	`106`	`+#defineDEFAULT_ROLE_SIGNAL_BACKENDID4200`
`101`	`107`
`102`	`108`	`#endif/* PG_AUTHID_H */`

`‎src/test/regress/expected/rolenames.out`

Lines changed: 5 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -824,6 +824,11 @@ ERROR: role "pg_abcdef" is reserved`
`824`	`824`	`DETAIL: Cannot GRANT roles to a reserved role.`
`825`	`825`	`SET ROLE pg_testrole; -- error`
`826`	`826`	`ERROR: invalid value for parameter "role": "pg_testrole"`
	`827`	`+SET ROLE pg_signal_backend; --error`
	`828`	`+ERROR: invalid value for parameter "role": "pg_signal_backend"`
	`829`	`+CREATE SCHEMA test_schema AUTHORIZATION pg_signal_backend; --error`
	`830`	`+ERROR: role "pg_signal_backend" is reserved`
	`831`	`+DETAIL: Cannot specify reserved role as owner.`
`827`	`832`	`UPDATE pg_proc SET proacl = null WHERE proname LIKE 'testagg_';`
`828`	`833`	`SELECT proname, proacl FROM pg_proc WHERE proname LIKE 'testagg_';`
`829`	`834`	`proname \| proacl`

`‎src/test/regress/sql/rolenames.sql`

Lines changed: 2 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -385,6 +385,8 @@ GRANT testrol0 TO pg_abc; -- error`
`385`	`385`	`GRANT pg_abc TO pg_abcdef;-- error`
`386`	`386`
`387`	`387`	`SET ROLE pg_testrole;-- error`
	`388`	`+SET ROLE pg_signal_backend;--error`
	`389`	`+CREATESCHEMAtest_schema AUTHORIZATION pg_signal_backend;--error`
`388`	`390`
`389`	`391`	`UPDATE pg_procSET proacl=nullWHERE pronameLIKE'testagg_';`
`390`	`392`	`SELECT proname, proaclFROM pg_procWHERE pronameLIKE'testagg_';`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit7a54270

File tree

7 files changed

7 files changed

`‎doc/src/sgml/func.sgml`

`‎doc/src/sgml/user-manag.sgml`

`‎src/backend/utils/adt/misc.c`

`‎src/include/catalog/catversion.h`

`‎src/include/catalog/pg_authid.h`

`‎src/test/regress/expected/rolenames.out`

`‎src/test/regress/sql/rolenames.sql`

0 commit comments