mirror of
https://github.com/postgres/postgres.git
synced 2025-07-27 12:41:57 +03:00
Add a role property 'rolinherit' which, when false, denotes that the role
doesn't automatically inherit the privileges of roles it is a member of; for such a role, membership in another role can be exploited only by doing explicit SET ROLE. The default inherit setting is TRUE, so by default the behavior doesn't change, but creating a user with NOINHERIT gives closer adherence to our current reading of SQL99. Documentation still lacking, and I think the information schema needs another look.
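The behaviour the commit message describes, as an added example that is not part of the commit or of the PostgreSQL sources. The role and table names are constructed for illustration, and `pg_has_role` is used on the assumption that it is the membership check whose `MEMBER` and `USAGE` modes the `func.sgml` hunk documents.

```sql
-- Constructed roles: one group role and two members that differ only in rolinherit.
CREATE ROLE app_admin NOLOGIN;
CREATE ROLE alice LOGIN NOINHERIT;   -- rolinherit = false
CREATE ROLE bob   LOGIN INHERIT;     -- rolinherit = true (the default)
GRANT app_admin TO alice, bob;

-- Constructed table whose only grant goes to the group role.
CREATE TABLE payroll (id int, salary numeric);
GRANT SELECT ON payroll TO app_admin;

-- Audit view of the distinction: MEMBER asks "may this role SET ROLE to
-- app_admin?", USAGE asks "are app_admin's privileges active without SET ROLE?".
SELECT r.rolname,
       r.rolinherit,
       pg_has_role(r.rolname, 'app_admin', 'MEMBER') AS may_set_role,
       pg_has_role(r.rolname, 'app_admin', 'USAGE')  AS privileges_active
FROM pg_roles r
WHERE r.rolname IN ('alice', 'bob')
ORDER BY r.rolname;

-- Members who hold the group's privileges only through an explicit SET ROLE.
-- Useful when reviewing which accounts need a deliberate step-up.
SELECT r.rolname
FROM pg_roles r
WHERE pg_has_role(r.rolname, 'app_admin', 'MEMBER')
  AND NOT pg_has_role(r.rolname, 'app_admin', 'USAGE');

-- Acting as alice: the group's SELECT grant does not apply until she
-- switches role explicitly, because her role does not inherit.
SET SESSION AUTHORIZATION alice;
SET ROLE app_admin;
SELECT count(*) FROM payroll;   -- runs with app_admin's privileges
RESET ROLE;
RESET SESSION AUTHORIZATION;

-- Clean up the constructed objects.
DROP TABLE payroll;
DROP ROLE alice, bob, app_admin;
```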
@ -1,6 +1,6 @@
|
||||
<!--
|
||||
Documentation of the system catalogs, directed toward PostgreSQL developers
|
||||
$PostgreSQL: pgsql/doc/src/sgml/catalogs.sgml,v 2.108 2005/07/14 05:13:38 tgl Exp $
|
||||
$PostgreSQL: pgsql/doc/src/sgml/catalogs.sgml,v 2.109 2005/07/26 16:38:25 tgl Exp $
|
||||
-->
|
||||
|
||||
<chapter id="catalogs">
|
||||
@ -976,6 +976,14 @@
|
||||
<entry>Role has superuser privileges</entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry><structfield>rolinherit</structfield></entry>
|
||||
<entry><type>bool</type></entry>
|
||||
<entry></entry>
|
||||
<entry>Role automatically inherits privileges of roles it is a
|
||||
member of</entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry><structfield>rolcreaterole</structfield></entry>
|
||||
<entry><type>bool</type></entry>
|
||||
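Review bot: the new rolinherit entry in the pg_authid column table describes only the true case ("Role automatically inherits privileges of roles it is a member of") and says nothing about what false means. Suggest extending the description to say that when the flag is false the privileges of a containing role are available only after an explicit SET ROLE, as the commit message states, so that a reader of the catalog page does not take false to mean the membership has no effect.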
@ -4728,6 +4736,11 @@
|
||||
that blanks out the password field.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
This view explicitly exposes the OID column of the underlying table,
|
||||
since that is needed to do joins to other catalogs.
|
||||
</para>
|
||||
|
||||
<table>
|
||||
<title><structname>pg_roles</> Columns</title>
|
||||
|
||||
@ -4756,6 +4769,14 @@
|
||||
<entry>Role has superuser privileges</entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry><structfield>rolinherit</structfield></entry>
|
||||
<entry><type>bool</type></entry>
|
||||
<entry></entry>
|
||||
<entry>Role automatically inherits privileges of roles it is a
|
||||
member of</entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry><structfield>rolcreaterole</structfield></entry>
|
||||
<entry><type>bool</type></entry>
|
||||
@ -4811,6 +4832,13 @@
|
||||
<entry></entry>
|
||||
<entry>Session defaults for run-time configuration variables</entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry><structfield>oid</structfield></entry>
|
||||
<entry><type>oid</type></entry>
|
||||
<entry><literal><link linkend="catalog-pg-authid"><structname>pg_authid</structname></link>.oid</literal></entry>
|
||||
<entry>ID of role</entry>
|
||||
</row>
|
||||
</tbody>
|
||||
</tgroup>
|
||||
</table>
|
||||
|
@ -1,5 +1,5 @@
|
||||
<!--
|
||||
$PostgreSQL: pgsql/doc/src/sgml/func.sgml,v 1.271 2005/07/26 00:04:17 tgl Exp $
|
||||
$PostgreSQL: pgsql/doc/src/sgml/func.sgml,v 1.272 2005/07/26 16:38:25 tgl Exp $
|
||||
PostgreSQL documentation
|
||||
-->
|
||||
|
||||
@ -8559,7 +8559,12 @@ SELECT has_function_privilege('joeuser', 'myfunc(int, text)', 'execute');
|
||||
can access a role in a particular way. The possibilities for its
|
||||
arguments are analogous to <function>has_table_privilege</function>.
|
||||
The desired access privilege type must evaluate to
|
||||
<literal>MEMBER</literal>.
|
||||
<literal>MEMBER</literal> or
|
||||
<literal>USAGE</literal>.
|
||||
<literal>MEMBER</literal> denotes direct or indirect membership in
|
||||
the role (that is, the right to do <literal>SET ROLE</>), while
|
||||
<literal>USAGE</literal> denotes whether the privileges of the role
|
||||
are immediately available without doing <literal>SET ROLE</>.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
|
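Review bot: the USAGE sentence in this paragraph never names rolinherit, and it does not say how USAGE is evaluated for indirect membership when a role somewhere along the chain does not inherit. MEMBER is defined as "direct or indirect membership", but USAGE is defined only as privileges being "immediately available without doing SET ROLE". Suggest tying USAGE to the rolinherit flag by name and stating the indirect case explicitly, since that is exactly where the two answers diverge and callers will rely on this check for access decisions.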