Use a bitmask to represent role attributes

The previous representation using a boolean column for each attribute
would not scale as well as we want to add further attributes.

Extra auxilliary functions are added to go along with this change, to
make up for the lost convenience of access of the old representation.

Catalog version bumped due to change in catalogs and the new functions.

Author: Adam Brightwell, minor tweaks by Álvaro
Reviewed by: Stephen Frost, Andres Freund, Álvaro Herrera

doc/src/sgml/catalogs.sgml

@@ -1391,56 +1391,11 @@
      </row>
 
      <row>
-      <entry><structfield>rolsuper</structfield></entry>
-      <entry><type>bool</type></entry>
-      <entry>Role has superuser privileges</entry>
-     </row>
-
-     <row>
-      <entry><structfield>rolinherit</structfield></entry>
-      <entry><type>bool</type></entry>
-      <entry>Role automatically inherits privileges of roles it is a
-       member of</entry>
-     </row>
-
-     <row>
-      <entry><structfield>rolcreaterole</structfield></entry>
-      <entry><type>bool</type></entry>
-      <entry>Role can create more roles</entry>
-     </row>
-
-     <row>
-      <entry><structfield>rolcreatedb</structfield></entry>
-      <entry><type>bool</type></entry>
-      <entry>Role can create databases</entry>
-     </row>
-
-     <row>
-      <entry><structfield>rolcatupdate</structfield></entry>
-      <entry><type>bool</type></entry>
+      <entry><structfield>rolattr</structfield></entry>
+      <entry><type>bigint</type></entry>
       <entry>
-       Role can update system catalogs directly.  (Even a superuser cannot do
-       this unless this column is true)
-      </entry>
-     </row>
-
-     <row>
-      <entry><structfield>rolcanlogin</structfield></entry>
-      <entry><type>bool</type></entry>
-      <entry>
-       Role can log in. That is, this role can be given as the initial
-       session authorization identifier
-      </entry>
-     </row>
-
-     <row>
-      <entry><structfield>rolreplication</structfield></entry>
-      <entry><type>bool</type></entry>
-      <entry>
-       Role is a replication role. That is, this role can initiate streaming
-       replication (see <xref linkend="streaming-replication">) and set/unset
-       the system backup mode using <function>pg_start_backup</> and
-       <function>pg_stop_backup</>
+       Role attributes; see <xref linkend="catalog-rolattr-bitmap-table"> and
+       <xref linkend="sql-createrole"> for details
       </entry>
      </row>
 
@@ -1478,6 +1433,96 @@
    </tgroup>
   </table>
 
+  <table id="catalog-rolattr-bitmap-table">
+   <title>Attributes in <structfield>rolattr</></title>
+
+   <tgroup cols="4">
+    <thead>
+     <row>
+      <entry>Attribute</entry>
+      <entry>CREATE ROLE Option</entry>
+      <entry>Description</entry>
+      <entry>Position</entry>
+     </row>
+    </thead>
+
+    <tbody>
+     <row>
+      <entry>Superuser</entry>
+      <entry>SUPERUSER</entry>
+      <entry>Role has superuser privileges</entry>
+      <entry><literal>0</literal></entry>
+     </row>
+
+     <row>
+      <entry>Inherit</entry>
+      <entry>INHERIT</entry>
+      <entry>
+       Role automatically inherits privileges of roles it is a member of
+      </entry>
+      <entry><literal>1</literal></entry>
+     </row>
+
+     <row>
+      <entry>Create Role</entry>
+      <entry>CREATEROLE</entry>
+      <entry>Role can create more roles</entry>
+      <entry><literal>2</literal></entry>
+     </row>
+
+     <row>
+      <entry>Create DB</entry>
+      <entry>CREATEDB</entry>
+      <entry>Role can create databases</entry>
+      <entry><literal>3</literal></entry>
+     </row>
+
+     <row>
+      <entry>Catalog Update</entry>
+      <entry>CATUPDATE</entry>
+      <entry>
+       Role can update system catalogs directly.  (Even a superuser cannot do
+       this unless this column is true)
+      </entry>
+      <entry><literal>4</literal></entry>
+     </row>
+
+     <row>
+      <entry>Can Login</entry>
+      <entry>LOGIN</entry>
+      <entry>
+       Role can log in. That is, this role can be given as the initial
+       session authorization identifier
+      </entry>
+      <entry><literal>5</literal></entry>
+     </row>
+
+     <row>
+      <entry>Replication</entry>
+      <entry>REPLICATION</entry>
+      <entry>
+       Role is a replication role. That is, this role can initiate streaming
+       replication (see <xref linkend="streaming-replication">) and set/unset
+       the system backup mode using <function>pg_start_backup</> and
+       <function>pg_stop_backup</>
+      </entry>
+      <entry><literal>6</literal></entry>
+     </row>
+
+     <row>
+      <entry>Bypass Row Level Security</entry>
+      <entry>BYPASSRLS</entry>
+      <entry>
+       Role can bypass row level security policies when <literal>row_security</>
+       is set <literal>off</>
+      </entry>
+      <entry><literal>7</literal></entry>
+     </row>
+
+    </tbody>
+   </tgroup>
+  </table>
+
  </sect1>
 
 

doc/src/sgml/func.sgml

@@ -15139,6 +15139,133 @@ SELECT has_function_privilege('joeuser', 'myfunc(int, text)', 'execute');
     are immediately available without doing <command>SET ROLE</>.
    </para>
 
+   <para>
+    <xref linkend="functions-info-role-attribute-table"> lists functions that
+    allow the user to query role attribute information programmatically.
+   </para>
+
+   <table id="functions-info-role-attribute-table">
+    <title>Role Attribute Inquiry Functions</title>
+    <tgroup cols="3">
+     <thead>
+      <row><entry>Name</entry> <entry>Return Type</entry> <entry>Description</entry></row>
+     </thead>
+     <tbody>
+      <row>
+       <entry><literal><function>pg_has_role_attribute(role, attribute)</function></literal></entry>
+       <entry><type>boolean</type></entry>
+       <entry>does role have the permissions allowed by named attribute</entry>
+      </row>
+      <row>
+       <entry><literal><function>pg_check_role_attribute(role, attribute)</function></literal></entry>
+       <entry><type>boolean</type></entry>
+       <entry>does role have the named attribute</entry>
+      </row>
+      <row>
+       <entry><literal><function>pg_check_role_attribute(role_attributes, attribute)</function></literal></entry>
+       <entry><type>boolean</type></entry>
+       <entry>is attribute set in bitmap of role attributes</entry>
+      </row>
+      <row>
+       <entry><literal><function>pg_all_role_attributes(role_attributes)</function></literal></entry>
+       <entry><type>text[]</type></entry>
+       <entry>convert bitmap of role attribute representation to text[]</entry>
+      </row>
+     </tbody>
+    </tgroup>
+   </table>
+
+   <indexterm>
+    <primary>pg_has_role_attribute</primary>
+   </indexterm>
+   <indexterm>
+    <primary>pg_check_role_attribute</primary>
+   </indexterm>
+   <indexterm>
+    <primary>pg_all_role_attributes</primary>
+   </indexterm>
+
+   <para>
+    <function>pg_has_role_attribute</function> checks the attribute permissions
+    given to a role.  It will always return <literal>true</literal> for roles
+    with superuser privileges unless the attribute being checked is
+    <literal>CATUPDATE</literal> (superuser cannot bypass
+    <literal>CATUPDATE</literal> permissions). The role can be specified by name
+    and by OID. The attribute is specified by a text string which must evaluate
+    to one of the following role attributes:
+    <literal>SUPERUSER</literal>,
+    <literal>INHERIT</literal>,
+    <literal>CREATEROLE</literal>,
+    <literal>CREATEDB</literal>,
+    <literal>CATUPDATE</literal>,
+    <literal>CANLOGIN</literal>,
+    <literal>REPLICATION</literal>, or
+    <literal>BYPASSRLS</literal>. See <xref linkend="sql-createrole"> for more
+    information. For example:
+<programlisting>
+SELECT pg_has_role_attribute('joe', 'SUPERUSER');
+ pg_has_role_attribute 
+-----------------------
+ f
+(1 row)
+
+SELECT rolname, pg_has_role_attribute(oid, 'INHERIT') AS rolinherit FROM pg_roles;
+ rolname  | rolinherit 
+----------+------------
+ postgres | t
+ joe      | t
+(2 rows)
+</programlisting>
+   </para>
+
+   <para>
+    <function>pg_check_role_attribute</function> checks the attribute value given
+    to a role.  The role can be specified by name and by OID.  The attribute is
+    specified by a text string which must evaluate to a valid role attribute (see
+    <function>pg_has_role_attribute</function>).  A third variant of this function
+    allows for a bitmap representation (<literal>bigint</literal>) of attributes
+    to be given instead of a role.
+    Example:
+<programlisting>
+SELECT pg_check_role_attribute('joe', 'SUPERUSER');
+ pg_check_role_attribute 
+-------------------------
+ f
+(1 row)
+
+SELECT rolname, pg_check_role_attribute(oid, 'INHERIT') as rolinherit FROM pg_roles;
+ rolname  | rolinherit 
+----------+------------
+ postgres | t
+ joe      | t
+(2 rows)
+ t
+(1 row)
+
+
+SELECT rolname, pg_check_role_attribute(rolattr, 'SUPERUSER') AS rolsuper FROM pg_authid;
+ rolname  | rolsuper 
+----------+----------
+ postgres | t
+ joe      | f
+(2 rows)
+</programlisting>
+   </para>
+
+   <para>
+    <function>pg_all_role_attributes</function> convert a set of role attributes
+    represented by an <literal>bigint</literal> bitmap to a text array.
+    Example:
+<programlisting>
+SELECT rolname, pg_all_role_attributes(rolattr) AS attributes FROM pg_authid;
+ rolname  |                                          attributes                                           
+----------+-----------------------------------------------------------------------------------------------
+ postgres | {Superuser,Inherit,"Create Role","Create DB","Catalog Update",Login,Replication,"Bypass RLS"}
+ joe      | {Inherit,Login}
+(2 rows)
+</programlisting>
+   </para>
+
   <para>
    <xref linkend="functions-info-schema-table"> shows functions that
    determine whether a certain object is <firstterm>visible</> in the