51.8. pg_authid

The catalog pg_authid contains information about database authorization identifiers (roles). A role subsumes the concepts of users and groups. A user is essentially just a role with the rolcanlogin flag set. Any role (with or without rolcanlogin) can have other roles as members; see pg_auth_members.

Since this catalog contains passwords, it must not be publicly readable. pg_roles is a publicly readable view on pg_authid that blanks out the password field.

Chapter 20 contains detailed information about user and privilege management.

Because user identities are cluster-wide, pg_authid is shared across all databases of a cluster: there is only one copy of pg_authid per cluster, not one per database.

Table 51.8. pg_authid Columns

Column Type
Description

oid oid
Row identifier

rolname name
Role name

rolsuper bool
Role has superuser privileges

rolinherit bool
Role automatically inherits privileges of roles it is a member of

rolcreaterole bool
Role can create more roles

rolcreatedb bool
Role can create databases

rolcanlogin bool
Role can log in. That is, this role can be given as the initial session authorization identifier.

rolreplication bool
Role is a replication role. A replication role can initiate replication connections and create and drop replication slots.

rolbypassrls bool
Role bypasses every row-level security policy; see Section 5.9 for more information.

rolconnlimit int4
For roles that can log in, this sets the maximum number of concurrent connections this role can make. -1 means no limit.

rolprofile regprofile (references pg_profile.oid)
The OID of the role's profile

rolloginattempts int4
Number of consecutive failed login attempts of a user. It is always 0 if the FAILED_LOGIN_ATTEMPTS value of the corresponding role profile is UNLIMITED (see CREATE PROFILE). After a successful login, rolloginattempts is reset to 0.

rollastlogin timestamptz
The timestamp of the role's last login

rolfirstfailedauth timestamptz
The timestamp of the role's first authentication failure

rolstatus int2
Status of the role: 0 if the role is active; 1 if the role is manually locked (see ACCOUNT LOCK in ALTER ROLE); 2 if the role is locked because of inactivity (see parameter USER_INACTIVE_TIME in CREATE PROFILE); 4 if the role is locked because the number of consecutive authentication failures has reached the limit (see parameter FAILED_LOGIN_ATTEMPTS in CREATE PROFILE)

rolpassword text
Password (possibly encrypted); null if none. The format depends on the form of encryption used.

rolvaliduntil timestamptz
Password expiry time (only used for password authentication); null if no expiration

rolpassseta timestamptz
Password set time (only used for password authentication); null if password is not set.


For an MD5 encrypted password, the rolpassword column will begin with the string md5 followed by a 32-character hexadecimal MD5 hash. The MD5 hash will be of the user's password concatenated to their user name. For example, if user joe has password xyzzy, Postgres Pro will store the md5 hash of xyzzyjoe.

If the password is encrypted with SCRAM-SHA-256, it has the format:

SCRAM-SHA-256$<iteration count>:<salt>$<StoredKey>:<ServerKey>

where salt, StoredKey and ServerKey are in Base64 encoded format. This format is the same as that specified by RFC 5803.

A password that does not follow either of those formats is assumed to be unencrypted.
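
The three storage formats described above can be told apart mechanically, which is useful when auditing a cluster for roles that still carry MD5 or unencrypted passwords. The following is an added example, not Postgres Pro code: the function names and the sample rows are constructed for illustration, and the checks follow this page's description of the formats rather than the server's own parser.

```python
import base64
import binascii
import hashlib
import re

MD5_RE = re.compile(r"md5[0-9a-f]{32}")
SCRAM_RE = re.compile(
    r"SCRAM-SHA-256\$(\d+):([A-Za-z0-9+/=]+)\$([A-Za-z0-9+/=]+):([A-Za-z0-9+/=]+)")

def md5_rolpassword(password, username):
    """Stored MD5 form: 'md5' + hex MD5 of password concatenated with user name."""
    return "md5" + hashlib.md5((password + username).encode()).hexdigest()

def classify_rolpassword(value):
    """Return (kind, details) following the three formats described above."""
    if value is None:
        return "none", {}
    if MD5_RE.fullmatch(value):
        return "md5", {}
    m = SCRAM_RE.fullmatch(value)
    if m:
        try:
            salt, stored, server = (base64.b64decode(g, validate=True)
                                    for g in m.group(2, 3, 4))
        except binascii.Error:
            return "unencrypted", {}
        # SHA-256 output is 32 bytes, so both keys must decode to that length.
        if len(stored) == 32 and len(server) == 32:
            return "scram-sha-256", {"iterations": int(m.group(1)),
                                     "salt_bytes": len(salt)}
    # Anything that matches neither format is treated as unencrypted.
    return "unencrypted", {}

def weak_roles(rows):
    """Names of roles whose stored password is MD5 or unencrypted."""
    return [name for name, value in rows
            if classify_rolpassword(value)[0] in ("md5", "unencrypted")]

def _b64(n):
    # Helper for building constructed Base64 fields of n bytes.
    return base64.b64encode(bytes(range(n))).decode()

# Constructed sample rows (rolname, rolpassword); not real catalog data.
SAMPLE_ROWS = [
    ("joe", md5_rolpassword("xyzzy", "joe")),
    ("app", f"SCRAM-SHA-256$4096:{_b64(16)}${_b64(32)}:{_b64(32)}"),
    ("legacy", "plain-text-secret"),
    ("nologin_group", None),
]
```

In practice the rows would come from a superuser query of rolname and rolpassword in pg_authid; the script itself never needs to see a cleartext password.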

