Allow granting SET and ALTER SYSTEM privileges on GUC parameters.

This patch allows "PGC_SUSET" parameters to be set by non-superusers
if they have been explicitly granted the privilege to do so.
The privilege to perform ALTER SYSTEM SET/RESET on a specific parameter
can also be granted.
Such privileges are cluster-wide, not per database.  They are tracked
in a new shared catalog, pg_parameter_acl.

Granting and revoking these new privileges works as one would expect.
One caveat is that PGC_USERSET GUCs are unaffected by the SET privilege
--- one could wish that those were handled by a revocable grant to
PUBLIC, but they are not, because we couldn't make it robust enough
for GUCs defined by extensions.

Mark Dilger, reviewed at various times by Andrew Dunstan, Robert Haas,
Joshua Brindle, and myself

Discussion: https://postgr.es/m/3D691E20-C1D5-4B80-8BA5-6BEB63AF3029@enterprisedb.com

doc/src/sgml/ref/alter_system.sgml

@@ -55,7 +55,8 @@ ALTER SYSTEM RESET ALL
   </para>
 
   <para>
-   Only superusers can use <command>ALTER SYSTEM</command>.  Also, since
+   Only superusers and users granted <literal>ALTER SYSTEM</literal> privilege
+   on a parameter can change it using <command>ALTER SYSTEM</command>.  Also, since
    this command acts directly on the file system and cannot be rolled back,
    it is not allowed inside a transaction block or function.
   </para>

doc/src/sgml/ref/drop_owned.sgml

@@ -32,8 +32,8 @@ DROP OWNED BY { <replaceable class="parameter">name</replaceable> | CURRENT_ROLE
    <command>DROP OWNED</command> drops all the objects within the current
    database that are owned by one of the specified roles. Any
    privileges granted to the given roles on objects in the current
-   database or on shared objects (databases, tablespaces) will also be
-   revoked.
+   database or on shared objects (databases, tablespaces, configuration
+   parameters) will also be revoked.
   </para>
  </refsect1>
 

doc/src/sgml/ref/grant.sgml

@@ -77,6 +77,11 @@ GRANT { { SELECT | UPDATE } [, ...] | ALL [ PRIVILEGES ] }
     TO <replaceable class="parameter">role_specification</replaceable> [, ...] [ WITH GRANT OPTION ]
     [ GRANTED BY <replaceable class="parameter">role_specification</replaceable> ]
 
+GRANT { { SET | ALTER SYSTEM } [, ... ] | ALL [ PRIVILEGES ] }
+    ON PARAMETER <replaceable class="parameter">configuration_parameter</replaceable> [, ...]
+    TO <replaceable class="parameter">role_specification</replaceable> [, ...] [ WITH GRANT OPTION ]
+    [ GRANTED BY <replaceable class="parameter">role_specification</replaceable> ]
+
 GRANT { { CREATE | USAGE } [, ...] | ALL [ PRIVILEGES ] }
     ON SCHEMA <replaceable>schema_name</replaceable> [, ...]
     TO <replaceable class="parameter">role_specification</replaceable> [, ...] [ WITH GRANT OPTION ]
@@ -111,9 +116,10 @@ GRANT <replaceable class="parameter">role_name</replaceable> [, ...] TO <replace
 
   <para>
    The <command>GRANT</command> command has two basic variants: one
-   that grants privileges on a database object (table, column, view, foreign
-   table, sequence, database, foreign-data wrapper, foreign server, function, procedure,
-   procedural language, schema, or tablespace), and one that grants
+   that grants privileges on a database object (table, column, view,
+   foreign table, sequence, database, foreign-data wrapper, foreign server,
+   function, procedure, procedural language, large object, configuration
+   parameter, schema, tablespace, or type), and one that grants
    membership in a role.  These variants are similar in many ways, but
    they are different enough to be described separately.
   </para>
@@ -185,6 +191,8 @@ GRANT <replaceable class="parameter">role_name</replaceable> [, ...] TO <replace
      <term><literal>TEMPORARY</literal></term>
      <term><literal>EXECUTE</literal></term>
      <term><literal>USAGE</literal></term>
+     <term><literal>SET</literal></term>
+     <term><literal>ALTER SYSTEM</literal></term>
      <listitem>
       <para>
        Specific types of privileges, as defined in <xref linkend="ddl-priv"/>.
@@ -452,7 +460,8 @@ GRANT admins TO joe;
    </para>
 
    <para>
-    Privileges on databases, tablespaces, schemas, and languages are
+    Privileges on databases, tablespaces, schemas, languages, and
+    configuration parameters are
     <productname>PostgreSQL</productname> extensions.
    </para>
  </refsect1>

doc/src/sgml/ref/pg_dumpall.sgml

@@ -38,7 +38,8 @@ PostgreSQL documentation
    linkend="app-psql"/> to restore the databases.  It does this by
    calling <xref linkend="app-pgdump"/> for each database in the cluster.
    <application>pg_dumpall</application> also dumps global objects
-   that are common to all databases, that is, database roles and tablespaces.
+   that are common to all databases, namely database roles, tablespaces,
+   and privilege grants for configuration parameters.
    (<application>pg_dump</application> does not save these objects.)
   </para>
 

doc/src/sgml/ref/revoke.sgml

@@ -97,6 +97,13 @@ REVOKE [ GRANT OPTION FOR ]
     [ GRANTED BY <replaceable class="parameter">role_specification</replaceable> ]
     [ CASCADE | RESTRICT ]
 
+REVOKE [ GRANT OPTION FOR ]
+    { { SET | ALTER SYSTEM } [, ...] | ALL [ PRIVILEGES ] }
+    ON PARAMETER <replaceable class="parameter">configuration_parameter</replaceable> [, ...]
+    FROM <replaceable class="parameter">role_specification</replaceable> [, ...]
+    [ GRANTED BY <replaceable class="parameter">role_specification</replaceable> ]
+    [ CASCADE | RESTRICT ]
+
 REVOKE [ GRANT OPTION FOR ]
     { { CREATE | USAGE } [, ...] | ALL [ PRIVILEGES ] }
     ON SCHEMA <replaceable>schema_name</replaceable> [, ...]

doc/src/sgml/ref/set.sgml

@@ -34,8 +34,10 @@ SET [ SESSION | LOCAL ] TIME ZONE { <replaceable class="parameter">timezone</rep
    parameters.  Many of the run-time parameters listed in
    <xref linkend="runtime-config"/> can be changed on-the-fly with
    <command>SET</command>.
-   (But some require superuser privileges to change, and others cannot
-   be changed after server or session start.)
+   (Some parameters can only be changed by superusers and users who
+   have been granted <literal>SET</literal> privilege on that parameter.
+   There are also parameters that cannot be changed after server or
+   session start.)
    <command>SET</command> only affects the value used by the current
    session.
   </para>