Add a --role option to pg_dump, pg_dumpall, and pg_restore. This allows

performing dumps and restores in accordance with a security policy that forbids logging in directly as superuser, but instead specifies that you should log into an admin account and then SET ROLE to the superuser. In passing, clean up some ugly and mostly-broken code for quoting shell arguments in pg_dumpall. Benedek László, with some help from Tom Lane
2025-07-28 23:42:10 +03:00 · 2009-01-05 16:54:37 +00:00
parent f42a7f1e62
commit b0a6ad70a1
8 changed files with 195 additions and 115 deletions
--- a/doc/src/sgml/ref/pg_dump.sgml
+++ b/doc/src/sgml/ref/pg_dump.sgml
@ -1,5 +1,5 @@
 <!--
-$PostgreSQL: pgsql/doc/src/sgml/ref/pg_dump.sgml,v 1.105 2008/08/26 00:03:15 tgl Exp $
+$PostgreSQL: pgsql/doc/src/sgml/ref/pg_dump.sgml,v 1.106 2009/01/05 16:54:36 tgl Exp $
 PostgreSQL documentation
 -->

@ -698,6 +698,23 @@ PostgreSQL documentation
       </para>
      </listitem>
     </varlistentry>
+
+     <varlistentry>
+      <term><option>--role=<replaceable class="parameter">rolename</replaceable></option></term>
+      <listitem>
+       <para>
+        Specifies a role name to be used to create the dump.
+        This option causes <application>pg_dump</> to issue a
+        <command>SET ROLE</> <replaceable class="parameter">rolename</>
+        command after connecting to the database. It is useful when the
+        authenticated user (specified by <option>-U</>) lacks privileges
+        needed by <application>pg_dump</>, but can switch to a role with
+        the required rights.  Some installations have a policy against
+        logging in directly as a superuser, and use of this option allows
+        dumps to be made without violating the policy.
+       </para>
+      </listitem>
+     </varlistentry>
    </variablelist>
   </para>
 </refsect1>
--- a/doc/src/sgml/ref/pg_dumpall.sgml
+++ b/doc/src/sgml/ref/pg_dumpall.sgml
@ -1,5 +1,5 @@
 <!--
-$PostgreSQL: pgsql/doc/src/sgml/ref/pg_dumpall.sgml,v 1.73 2008/08/29 17:28:43 alvherre Exp $
+$PostgreSQL: pgsql/doc/src/sgml/ref/pg_dumpall.sgml,v 1.74 2009/01/05 16:54:36 tgl Exp $
 PostgreSQL documentation
 -->

@ -129,7 +129,7 @@ PostgreSQL documentation
       </para>
      </listitem>
     </varlistentry>
- 
+
     <varlistentry>
      <term><option>-f <replaceable class="parameter">filename</replaceable></option></term>
      <term><option>--file=<replaceable class="parameter">filename</replaceable></option></term>
@ -183,7 +183,7 @@ PostgreSQL documentation
        Do not output commands to set
        ownership of objects to match the original database.
        By default, <application>pg_dumpall</application> issues
-        <command>ALTER OWNER</> or 
+        <command>ALTER OWNER</> or
        <command>SET SESSION AUTHORIZATION</command>
        statements to set ownership of created schema elements.
        These statements
@ -342,8 +342,8 @@ PostgreSQL documentation

   <variablelist>
     <varlistentry>
-      <term>-h <replaceable>host</replaceable></term>
-      <term>--host=<replaceable>host</replaceable></term>
+      <term><option>-h <replaceable>host</replaceable></option></term>
+      <term><option>--host=<replaceable>host</replaceable></option></term>
      <listitem>
       <para>
        Specifies the host name of the machine on which the database
@ -354,10 +354,10 @@ PostgreSQL documentation
       </para>
      </listitem>
     </varlistentry>
- 
+
     <varlistentry>
-      <term>-l <replaceable>dbname</replaceable></term>
-      <term>--database=<replaceable>dbname</replaceable></term>
+      <term><option>-l <replaceable>dbname</replaceable></option></term>
+      <term><option>--database=<replaceable>dbname</replaceable></option></term>
      <listitem>
       <para>
         Specifies the name of the database to connect to to dump global
@ -369,8 +369,8 @@ PostgreSQL documentation
     </varlistentry>

     <varlistentry>
-      <term>-p <replaceable>port</replaceable></term>
-      <term>--port=<replaceable>port</replaceable></term>
+      <term><option>-p <replaceable>port</replaceable></option></term>
+      <term><option>--port=<replaceable>port</replaceable></option></term>
      <listitem>
       <para>
        Specifies the TCP port or local Unix domain socket file
@ -382,8 +382,8 @@ PostgreSQL documentation
     </varlistentry>

     <varlistentry>
-      <term>-U <replaceable>username</replaceable></term>
-      <term>--username=<replaceable>username</replaceable></term>
+      <term><option>-U <replaceable>username</replaceable></option></term>
+      <term><option>--username=<replaceable>username</replaceable></option></term>
      <listitem>
       <para>
        User name to connect as.
@ -392,12 +392,12 @@ PostgreSQL documentation
     </varlistentry>

     <varlistentry>
-      <term>-W</term>
-      <term>--password</term>
+      <term><option>-W</option></term>
+      <term><option>--password</option></term>
      <listitem>
       <para>
        Force <application>pg_dumpall</application> to prompt for a
-        password before connecting to a database.  
+        password before connecting to a database.
       </para>

       <para>
@ -417,6 +417,23 @@ PostgreSQL documentation
       </para>
      </listitem>
     </varlistentry>
+
+     <varlistentry>
+      <term><option>--role=<replaceable class="parameter">rolename</replaceable></option></term>
+      <listitem>
+       <para>
+        Specifies a role name to be used to create the dump.
+        This option causes <application>pg_dumpall</> to issue a
+        <command>SET ROLE</> <replaceable class="parameter">rolename</>
+        command after connecting to the database. It is useful when the
+        authenticated user (specified by <option>-U</>) lacks privileges
+        needed by <application>pg_dumpall</>, but can switch to a role with
+        the required rights.  Some installations have a policy against
+        logging in directly as a superuser, and use of this option allows
+        dumps to be made without violating the policy.
+       </para>
+      </listitem>
+     </varlistentry>
   </variablelist>
  </para>
 </refsect1>
@ -503,6 +520,6 @@ PostgreSQL documentation
    Check <xref linkend="app-pgdump"> for details on possible
    error conditions.
  </para>
- </refsect1>   
+ </refsect1>

 </refentry>
--- a/doc/src/sgml/ref/pg_restore.sgml
+++ b/doc/src/sgml/ref/pg_restore.sgml
@ -1,4 +1,4 @@
-<!-- $PostgreSQL: pgsql/doc/src/sgml/ref/pg_restore.sgml,v 1.76 2008/09/07 19:12:57 tgl Exp $ -->
+<!-- $PostgreSQL: pgsql/doc/src/sgml/ref/pg_restore.sgml,v 1.77 2009/01/05 16:54:36 tgl Exp $ -->

 <refentry id="APP-PGRESTORE">
 <refmeta>
@ -135,7 +135,7 @@
      <listitem>
       <para>
        Exit if an error is encountered while sending SQL commands to
-        the database. The default is to continue and to display a count of 
+        the database. The default is to continue and to display a count of
        errors at the end of the restoration.
       </para>
      </listitem>
@ -261,7 +261,7 @@
        Do not output commands to set
        ownership of objects to match the original database.
        By default, <application>pg_restore</application> issues
-        <command>ALTER OWNER</> or 
+        <command>ALTER OWNER</> or
        <command>SET SESSION AUTHORIZATION</command>
        statements to set ownership of created schema elements.
        These statements will fail unless the initial connection to the
@ -429,6 +429,20 @@
      </listitem>
     </varlistentry>

+     <varlistentry>
+      <term><option>-1</option></term>
+      <term><option>--single-transaction</option></term>
+      <listitem>
+       <para>
+        Execute the restore as a single transaction (that is, wrap the
+        emitted commands in <command>BEGIN</>/<command>COMMIT</>).  This
+        ensures that either all the commands complete successfully, or no
+        changes are applied. This option implies
+        <option>--exit-on-error</>.
+       </para>
+      </listitem>
+     </varlistentry>
+
    </variablelist>
   </para>

@ -480,7 +494,7 @@
      <listitem>
       <para>
        Force <application>pg_restore</application> to prompt for a
-        password before connecting to a database.  
+        password before connecting to a database.
       </para>

       <para>
@ -496,15 +510,18 @@
     </varlistentry>

     <varlistentry>
-      <term><option>-1</option></term>
-      <term><option>--single-transaction</option></term>
+      <term><option>--role=<replaceable class="parameter">rolename</replaceable></option></term>
      <listitem>
       <para>
-        Execute the restore as a single transaction (that is, wrap the
-        emitted commands in <command>BEGIN</>/<command>COMMIT</>).  This
-        ensures that either all the commands complete successfully, or no
-        changes are applied. This option implies
-        <option>--exit-on-error</>.
+        Specifies a role name to be used to perform the restore.
+        This option causes <application>pg_restore</> to issue a
+        <command>SET ROLE</> <replaceable class="parameter">rolename</>
+        command after connecting to the database. It is useful when the
+        authenticated user (specified by <option>-U</>) lacks privileges
+        needed by <application>pg_restore</>, but can switch to a role with
+        the required rights.  Some installations have a policy against
+        logging in directly as a superuser, and use of this option allows
+        restores to be performed without violating the policy.
       </para>
      </listitem>
     </varlistentry>