Improve some documentation about the bootstrap superuser.

This commit adds some notes about the inability to remove superuser privileges from the bootstrap superuser. This has been blocked since commit e530be2c5c, but it wasn't intended be a supported feature before that, either. In passing, change "bootstrap user" to "bootstrap superuser" in a couple places. Author: Yurii Rashkovskii Reviewed-by: Vignesh C, David G. Johnston Discussion: https://postgr.es/m/CA%2BRLCQzSx_eTC2Fch0EzeNHD3zFUcPvBYOoB%2BpPScFLch1DEQw%40mail.gmail.com
2025-10-27 00:12:01 +03:00 · 2024-01-18 21:39:51 -06:00
parent dd3ca8cbb0
commit d891dcc065
4 changed files with 7 additions and 4 deletions
--- a/doc/src/sgml/glossary.sgml
+++ b/doc/src/sgml/glossary.sgml
@@ -247,7 +247,8 @@
    </para>
    <para>
     This role also behaves as a normal
-     <glossterm linkend="glossary-database-superuser">database superuser</glossterm>.
+     <glossterm linkend="glossary-database-superuser">database superuser</glossterm>,
+     and its superuser status cannot be removed.
    </para>
   </glossdef>
  </glossentry>
--- a/doc/src/sgml/ref/alter_role.sgml
+++ b/doc/src/sgml/ref/alter_role.sgml
@@ -69,7 +69,9 @@ ALTER ROLE { <replaceable class="parameter">role_specification</replaceable> | A
   <link linkend="sql-grant"><command>GRANT</command></link> and
   <link linkend="sql-revoke"><command>REVOKE</command></link> for that.)
   Attributes not mentioned in the command retain their previous settings.
-   Database superusers can change any of these settings for any role.
+   Database superusers can change any of these settings for any role, except
+   for changing the <literal>SUPERUSER</literal> property for the
+   <glossterm linkend="glossary-bootstrap-superuser">bootstrap superuser</glossterm>.
   Non-superuser roles having <literal>CREATEROLE</literal> privilege can
   change most of these properties, but only for non-superuser and
   non-replication roles for which they have been granted
--- a/doc/src/sgml/user-manag.sgml
+++ b/doc/src/sgml/user-manag.sgml
@@ -350,7 +350,7 @@ ALTER ROLE myname SET enable_indexscan TO off;
   options. Thus, the fact that privileges are not inherited by default nor
   is <literal>SET ROLE</literal> granted by default is a safeguard against
   accidents, not a security feature. Also note that, because this automatic
-   grant is granted by the bootstrap user, it cannot be removed or changed by
+   grant is granted by the bootstrap superuser, it cannot be removed or changed by
   the <literal>CREATEROLE</literal> user; however, any superuser could
   revoke it, modify it, and/or issue additional such grants to other
   <literal>CREATEROLE</literal> users. Whichever <literal>CREATEROLE</literal>
--- a/src/backend/commands/user.c
+++ b/src/backend/commands/user.c
@@ -868,7 +868,7 @@ AlterRole(ParseState *pstate, AlterRoleStmt *stmt)
 			ereport(ERROR,
 					(errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
 					 errmsg("permission denied to alter role"),
-					 errdetail("The bootstrap user must have the %s attribute.",
+					 errdetail("The bootstrap superuser must have the %s attribute.",
 							   "SUPERUSER")));

 		new_record[Anum_pg_authid_rolsuper - 1] = BoolGetDatum(should_be_super);