mirror of https://github.com/postgres/postgres.git synced 2025-07-27 12:41:57 +03:00

Add a role property 'rolinherit' which, when false, denotes that the role
doesn't automatically inherit the privileges of roles it is a member of;
for such a role, membership in another role can be exploited only by doing
explicit SET ROLE.  The default inherit setting is TRUE, so by default
the behavior doesn't change, but creating a user with NOINHERIT gives closer
adherence to our current reading of SQL99.  Documentation still lacking,
and I think the information schema needs another look.
Tom Lane
2005-07-26 16:38:29 +00:00
parent f9fd176461
commit af019fb9ae
15 changed files with 328 additions and 81 deletions

@ -1,6 +1,6 @@
<!--
Documentation of the system catalogs, directed toward PostgreSQL developers
$PostgreSQL: pgsql/doc/src/sgml/catalogs.sgml,v 2.108 2005/07/14 05:13:38 tgl Exp $
$PostgreSQL: pgsql/doc/src/sgml/catalogs.sgml,v 2.109 2005/07/26 16:38:25 tgl Exp $
-->
<chapter id="catalogs">
@ -976,6 +976,14 @@
<entry>Role has superuser privileges</entry>
</row>
<row>
<entry><structfield>rolinherit</structfield></entry>
<entry><type>bool</type></entry>
<entry></entry>
<entry>Role automatically inherits privileges of roles it is a
member of</entry>
</row>
<row>
<entry><structfield>rolcreaterole</structfield></entry>
<entry><type>bool</type></entry>
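Review bot: The new rolinherit description in the pg_authid column table only says what a true value means; it should also state that with false the role's memberships remain usable through an explicit SET ROLE, so that someone auditing privileges does not read rolinherit = false as "no access through membership". Suggest extending the entry along the lines of "Role automatically inherits privileges of roles it is a member of; if false, those privileges are available only after SET ROLE". The identical row added to the pg_roles table further down would need the same wording.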
@ -4728,6 +4736,11 @@
that blanks out the password field.
</para>
<para>
This view explicitly exposes the OID column of the underlying table,
since that is needed to do joins to other catalogs.
</para>
<table>
<title><structname>pg_roles</> Columns</title>
@ -4756,6 +4769,14 @@
<entry>Role has superuser privileges</entry>
</row>
<row>
<entry><structfield>rolinherit</structfield></entry>
<entry><type>bool</type></entry>
<entry></entry>
<entry>Role automatically inherits privileges of roles it is a
member of</entry>
</row>
<row>
<entry><structfield>rolcreaterole</structfield></entry>
<entry><type>bool</type></entry>
@ -4811,6 +4832,13 @@
<entry></entry>
<entry>Session defaults for run-time configuration variables</entry>
</row>
<row>
<entry><structfield>oid</structfield></entry>
<entry><type>oid</type></entry>
<entry><literal><link linkend="catalog-pg-authid"><structname>pg_authid</structname></link>.oid</literal></entry>
<entry>ID of role</entry>
</row>
</tbody>
</tgroup>
</table>

@ -1,5 +1,5 @@
<!--
$PostgreSQL: pgsql/doc/src/sgml/func.sgml,v 1.271 2005/07/26 00:04:17 tgl Exp $
$PostgreSQL: pgsql/doc/src/sgml/func.sgml,v 1.272 2005/07/26 16:38:25 tgl Exp $
PostgreSQL documentation
-->
@ -8559,7 +8559,12 @@ SELECT has_function_privilege('joeuser', 'myfunc(int, text)', 'execute');
can access a role in a particular way. The possibilities for its
arguments are analogous to <function>has_table_privilege</function>.
The desired access privilege type must evaluate to
<literal>MEMBER</literal>.
<literal>MEMBER</literal> or
<literal>USAGE</literal>.
<literal>MEMBER</literal> denotes direct or indirect membership in
the role (that is, the right to do <literal>SET ROLE</>), while
<literal>USAGE</literal> denotes whether the privileges of the role
are immediately available without doing <literal>SET ROLE</>.
</para>
<para>
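Review bot: The added sentences on MEMBER and USAGE never mention rolinherit, so a reader of this paragraph cannot tell when the two answers would differ; a sentence tying USAGE to the role's inherit setting, with a link to the pg_authid entry, would close that gap. The text also leaves open how USAGE is evaluated for indirect membership, that is, whether every role along the membership chain has to inherit, which matters when the function is used for privilege checks. Minor wording point: "denotes whether the privileges of the role are immediately available" would read better as "denotes that ...", parallel to the MEMBER sentence.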