Allow granting SET and ALTER SYSTEM privileges on GUC parameters.

This patch allows "PGC_SUSET" parameters to be set by non-superusers if they have been explicitly granted the privilege to do so. The privilege to perform ALTER SYSTEM SET/RESET on a specific parameter can also be granted. Such privileges are cluster-wide, not per database. They are tracked in a new shared catalog, pg_parameter_acl. Granting and revoking these new privileges works as one would expect. One caveat is that PGC_USERSET GUCs are unaffected by the SET privilege --- one could wish that those were handled by a revocable grant to PUBLIC, but they are not, because we couldn't make it robust enough for GUCs defined by extensions. Mark Dilger, reviewed at various times by Andrew Dunstan, Robert Haas, Joshua Brindle, and myself Discussion: https://postgr.es/m/3D691E20-C1D5-4B80-8BA5-6BEB63AF3029@enterprisedb.com
2025-08-31 17:02:12 +03:00 · 2022-04-06 13:24:33 -04:00
parent 2ef6f11b0c
commit a0ffa885e4
44 changed files with 2465 additions and 194 deletions
--- a/doc/src/sgml/ref/grant.sgml
+++ b/doc/src/sgml/ref/grant.sgml
@@ -77,6 +77,11 @@ GRANT { { SELECT | UPDATE } [, ...] | ALL [ PRIVILEGES ] }
    TO <replaceable class="parameter">role_specification</replaceable> [, ...] [ WITH GRANT OPTION ]
    [ GRANTED BY <replaceable class="parameter">role_specification</replaceable> ]

+GRANT { { SET | ALTER SYSTEM } [, ... ] | ALL [ PRIVILEGES ] }
+    ON PARAMETER <replaceable class="parameter">configuration_parameter</replaceable> [, ...]
+    TO <replaceable class="parameter">role_specification</replaceable> [, ...] [ WITH GRANT OPTION ]
+    [ GRANTED BY <replaceable class="parameter">role_specification</replaceable> ]
+
 GRANT { { CREATE | USAGE } [, ...] | ALL [ PRIVILEGES ] }
    ON SCHEMA <replaceable>schema_name</replaceable> [, ...]
    TO <replaceable class="parameter">role_specification</replaceable> [, ...] [ WITH GRANT OPTION ]
@@ -111,9 +116,10 @@ GRANT <replaceable class="parameter">role_name</replaceable> [, ...] TO <replace

  <para>
   The <command>GRANT</command> command has two basic variants: one
-   that grants privileges on a database object (table, column, view, foreign
-   table, sequence, database, foreign-data wrapper, foreign server, function, procedure,
-   procedural language, schema, or tablespace), and one that grants
+   that grants privileges on a database object (table, column, view,
+   foreign table, sequence, database, foreign-data wrapper, foreign server,
+   function, procedure, procedural language, large object, configuration
+   parameter, schema, tablespace, or type), and one that grants
   membership in a role.  These variants are similar in many ways, but
   they are different enough to be described separately.
  </para>
@@ -185,6 +191,8 @@ GRANT <replaceable class="parameter">role_name</replaceable> [, ...] TO <replace
     <term><literal>TEMPORARY</literal></term>
     <term><literal>EXECUTE</literal></term>
     <term><literal>USAGE</literal></term>
+     <term><literal>SET</literal></term>
+     <term><literal>ALTER SYSTEM</literal></term>
     <listitem>
      <para>
       Specific types of privileges, as defined in <xref linkend="ddl-priv"/>.
@@ -452,7 +460,8 @@ GRANT admins TO joe;
   </para>

   <para>
-    Privileges on databases, tablespaces, schemas, and languages are
+    Privileges on databases, tablespaces, schemas, languages, and
+    configuration parameters are
    <productname>PostgreSQL</productname> extensions.
   </para>
 </refsect1>