mirror of https://github.com/postgres/postgres.git synced 2025-06-13 07:41:39 +03:00

Add SET ROLE. This is a partial commit of Stephen Frost's recent patch;

I'm still working on the has_role function and information_schema changes.
Tom Lane
2005-07-25 22:12:34 +00:00
parent f5df006a04
commit e5d6b91220
17 changed files with 533 additions and 97 deletions

View File

@ -1,5 +1,5 @@
<!--
$PostgreSQL: pgsql/doc/src/sgml/func.sgml,v 1.269 2005/07/22 21:16:14 momjian Exp $
$PostgreSQL: pgsql/doc/src/sgml/func.sgml,v 1.270 2005/07/25 22:12:30 tgl Exp $
PostgreSQL documentation
-->
@ -8266,7 +8266,9 @@ select current_date + s.a as dates from generate_series(0,14,7) as s(a);
with <xref linkend="sql-set-session-authorization" endterm="sql-set-session-authorization-title">.
The <function>current_user</function> is the user identifier
that is applicable for permission checking. Normally, it is equal
to the session user, but it changes during the execution of
to the session user, but it can be changed with
<xref linkend="sql-set-role" endterm="sql-set-role-title">.
It also changes during the execution of
functions with the attribute <literal>SECURITY DEFINER</literal>.
In Unix parlance, the session user is the <quote>real user</quote> and
the current user is the <quote>effective user</quote>.
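
Review bot: The rewritten current_user paragraph now names two ways the current user can differ from the session user (SET ROLE and SECURITY DEFINER functions) but does not say how they combine, for example which identity applies when a SECURITY DEFINER function is called after SET ROLE, or what current_user reverts to when that function returns. Since this is the identifier "applicable for permission checking", a sentence stating the precedence would help. The closing real user / effective user analogy was written when SECURITY DEFINER was the only case mentioned, so it is worth checking that it still reads correctly now that the session can change the current user itself.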

View File

@ -1,5 +1,5 @@
<!--
$PostgreSQL: pgsql/doc/src/sgml/ref/allfiles.sgml,v 1.63 2005/06/17 22:32:42 tgl Exp $
$PostgreSQL: pgsql/doc/src/sgml/ref/allfiles.sgml,v 1.64 2005/07/25 22:12:31 tgl Exp $
PostgreSQL documentation
Complete list of usable sgml source files in this directory.
-->
@ -102,6 +102,7 @@ Complete list of usable sgml source files in this directory.
<!entity selectInto system "select_into.sgml">
<!entity set system "set.sgml">
<!entity setConstraints system "set_constraints.sgml">
<!entity setRole system "set_role.sgml">
<!entity setSessionAuth system "set_session_auth.sgml">
<!entity setTransaction system "set_transaction.sgml">
<!entity show system "show.sgml">

View File

@ -1,5 +1,5 @@
<!--
$PostgreSQL: pgsql/doc/src/sgml/ref/pg_dump.sgml,v 1.79 2005/07/10 15:08:52 momjian Exp $
$PostgreSQL: pgsql/doc/src/sgml/ref/pg_dump.sgml,v 1.80 2005/07/25 22:12:31 tgl Exp $
PostgreSQL documentation
-->
@ -474,8 +474,8 @@ PostgreSQL documentation
<term><option>--use-set-session-authorization</></term>
<listitem>
<para>
Output SQL standard SET SESSION AUTHORIZATION commands instead
of OWNER TO commands. This makes the dump more standards compatible,
Output SQL standard SET SESSION AUTHORIZATION commands instead of
ALTER OWNER commands. This makes the dump more standards compatible,
but depending on the history of the objects in the dump, may not
restore properly.
</para>
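
Review bot: In the --use-set-session-authorization entry, the command names SET SESSION AUTHORIZATION and ALTER OWNER are bare text with no markup, and "may not restore properly" gives the reader no hint of what condition causes the failure. Since the sentence is being edited anyway, mark up the command names and state what about "the history of the objects" breaks the restore. The same wording is repeated in the pg_dumpall.sgml and pg_restore.sgml hunks, so the fix should be applied to all three.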

View File

@ -1,5 +1,5 @@
<!--
$PostgreSQL: pgsql/doc/src/sgml/ref/pg_dumpall.sgml,v 1.51 2005/06/21 20:45:43 tgl Exp $
$PostgreSQL: pgsql/doc/src/sgml/ref/pg_dumpall.sgml,v 1.52 2005/07/25 22:12:31 tgl Exp $
PostgreSQL documentation
-->
@ -277,8 +277,8 @@ PostgreSQL documentation
<term><option>--use-set-session-authorization</></term>
<listitem>
<para>
Output SQL standard SET SESSION AUTHORIZATION commands instead
of OWNER TO commands. This makes the dump more standards compatible,
Output SQL standard SET SESSION AUTHORIZATION commands instead of
ALTER OWNER commands. This makes the dump more standards compatible,
but depending on the history of the objects in the dump, may not
restore properly.
</para>

View File

@ -1,4 +1,4 @@
<!-- $PostgreSQL: pgsql/doc/src/sgml/ref/pg_restore.sgml,v 1.53 2005/06/21 20:45:43 tgl Exp $ -->
<!-- $PostgreSQL: pgsql/doc/src/sgml/ref/pg_restore.sgml,v 1.54 2005/07/25 22:12:31 tgl Exp $ -->
<refentry id="APP-PGRESTORE">
<refmeta>
@ -361,8 +361,8 @@
<term><option>--use-set-session-authorization</option></term>
<listitem>
<para>
Output SQL standard SET SESSION AUTHORIZATION commands instead
of OWNER TO commands. This makes the dump more standards compatible,
Output SQL standard SET SESSION AUTHORIZATION commands instead of
ALTER OWNER commands. This makes the dump more standards compatible,
but depending on the history of the objects in the dump, may not
restore properly.
</para>
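
Review bot: In the pg_restore copy of this entry, "This makes the dump more standards compatible" still talks about "the dump" although the option here controls what pg_restore outputs. The text was copied unchanged from pg_dump.sgml; rewording it to refer to the restore output would avoid confusion.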

View File

@ -0,0 +1,116 @@
<!-- $PostgreSQL: pgsql/doc/src/sgml/ref/set_role.sgml,v 1.1 2005/07/25 22:12:31 tgl Exp $ -->
<refentry id="SQL-SET-ROLE">
<refmeta>
<refentrytitle id="sql-set-role-title">SET ROLE</refentrytitle>
<refmiscinfo>SQL - Language Statements</refmiscinfo>
</refmeta>
<refnamediv>
<refname>SET ROLE</refname>
<refpurpose>set the current user identifier of the current session</refpurpose>
</refnamediv>
<indexterm zone="sql-set-role">
<primary>SET ROLE</primary>
</indexterm>
<refsynopsisdiv>
<synopsis>
SET [ SESSION | LOCAL ] ROLE <replaceable class="parameter">rolename</replaceable>
SET [ SESSION | LOCAL ] ROLE NONE
RESET ROLE
</synopsis>
</refsynopsisdiv>
<refsect1>
<title>Description</title>
<para>
This command sets the current user
identifier of the current SQL-session context to be <replaceable
class="parameter">rolename</replaceable>. The role name may be
written as either an identifier or a string literal. Using this
command, it is possible to either add privileges or restrict one's
privileges.
</para>
<para>
The specified <replaceable class="parameter">rolename</replaceable>
must be a role that the current session user is a member of.
(If the session user is a superuser, any role can be selected.)
</para>
<para>
The <literal>SESSION</> and <literal>LOCAL</> modifiers act the same
as for the regular <xref linkend="SQL-SET" endterm="SQL-SET-title">
command.
</para>
<para>
The <literal>NONE</> and <literal>RESET</> forms reset the current
user identifier to be the current session user identifier.
These forms may be executed by any user.
</para>
</refsect1>
<refsect1>
<title>Examples</title>
<programlisting>
SELECT SESSION_USER, CURRENT_USER;
session_user | current_user
--------------+--------------
peter | peter
SET ROLE 'paul';
SELECT SESSION_USER, CURRENT_USER;
session_user | current_user
--------------+--------------
peter | paul
</programlisting>
</refsect1>
<refsect1>
<title>Compatibility</title>
<para>
<productname>PostgreSQL</productname>
allows identifier syntax (<literal>"rolename"</literal>), while
the SQL standard requires the role name to be written as a string
literal. SQL does not allow this command during a transaction;
<productname>PostgreSQL</productname> does not make this
restriction because there is no reason to.
The <literal>SESSION</> and <literal>LOCAL</> modifiers are a
<productname>PostgreSQL</productname> extension, as is the
<literal>RESET</> syntax.
</para>
</refsect1>
<refsect1>
<title>See Also</title>
<simplelist type="inline">
<member><xref linkend="sql-set-session-authorization" endterm="sql-set-session-authorization-title"></member>
</simplelist>
</refsect1>
</refentry>
<!-- Keep this comment at the end of the file
Local variables:
mode:sgml
sgml-omittag:nil
sgml-shorttag:t
sgml-minimize-attributes:nil
sgml-always-quote-attributes:t
sgml-indent-step:1
sgml-indent-data:t
sgml-parent-document:nil
sgml-default-dtd-file:"../reference.ced"
sgml-exposed-tags:nil
sgml-local-catalogs:("/usr/lib/sgml/catalog")
sgml-local-ecat-files:nil
End:
-->
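
Review bot: The Description says the command can be used to "restrict one's privileges", but the last paragraph says the NONE and RESET forms "may be executed by any user", so a session that has switched to a less privileged role can always switch back. The page should say so explicitly, so that readers do not treat SET ROLE as a way to confine SQL they do not trust. Two smaller points: "must be a role that the current session user is a member of" does not say whether indirect membership through another role counts, and the Examples section shows SET ROLE 'paul' without a following RESET ROLE to show current_user returning to peter.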

View File

@ -1,4 +1,4 @@
<!-- $PostgreSQL: pgsql/doc/src/sgml/ref/set_session_auth.sgml,v 1.12 2003/11/29 19:51:39 pgsql Exp $ -->
<!-- $PostgreSQL: pgsql/doc/src/sgml/ref/set_session_auth.sgml,v 1.13 2005/07/25 22:12:31 tgl Exp $ -->
<refentry id="SQL-SET-SESSION-AUTHORIZATION">
<refmeta>
<refentrytitle id="sql-set-session-authorization-title">SET SESSION AUTHORIZATION</refentrytitle>
@ -31,7 +31,7 @@ RESET SESSION AUTHORIZATION
class="parameter">username</replaceable>. The user name may be
written as either an identifier or a string literal. Using this
command, it is possible, for example, to temporarily become an
unprivileged user and later switch back to become a superuser.
unprivileged user and later switch back to being a superuser.
</para>
<para>
@ -39,8 +39,9 @@ RESET SESSION AUTHORIZATION
authenticated) user name provided by the client. The current user
identifier is normally equal to the session user identifier, but
may change temporarily in the context of <quote>setuid</quote>
functions and similar mechanisms. The current user identifier is
relevant for permission checking.
functions and similar mechanisms; it can also be changed by
<xref linkend="sql-set-role" endterm="sql-set-role-title">.
The current user identifier is relevant for permission checking.
</para>
<para>
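
Review bot: The added clause "it can also be changed by" SET ROLE follows "may change temporarily in the context of setuid functions", so it reads as another temporary change, while set_role.sgml describes SESSION and LOCAL forms and a separate RESET ROLE. Consider splitting this into its own sentence that says the change lasts until reset. This paragraph also keeps the term "setuid functions" where the func.sgml hunk uses SECURITY DEFINER; using one term in both places would make the cross-references easier to follow.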
@ -93,10 +94,24 @@ SELECT SESSION_USER, CURRENT_USER;
allows identifier syntax (<literal>"username"</literal>), which SQL
does not. SQL does not allow this command during a transaction;
<productname>PostgreSQL</productname> does not make this
restriction because there is no reason to. The privileges
necessary to execute this command are left implementation-defined
by the standard.
restriction because there is no reason to.
The <literal>SESSION</> and <literal>LOCAL</> modifiers are a
<productname>PostgreSQL</productname> extension, as is the
<literal>RESET</> syntax.
</para>
<para>
The privileges necessary to execute this command are left
implementation-defined by the standard.
</para>
</refsect1>
<refsect1>
<title>See Also</title>
<simplelist type="inline">
<member><xref linkend="sql-set-role" endterm="sql-set-role-title"></member>
</simplelist>
</refsect1>
</refentry>

View File

@ -1,5 +1,5 @@
<!-- reference.sgml
$PostgreSQL: pgsql/doc/src/sgml/reference.sgml,v 1.53 2005/06/17 22:32:42 tgl Exp $
$PostgreSQL: pgsql/doc/src/sgml/reference.sgml,v 1.54 2005/07/25 22:12:30 tgl Exp $
PostgreSQL Reference Manual
-->
@ -134,6 +134,7 @@ PostgreSQL Reference Manual
&selectInto;
&set;
&setConstraints;
&setRole;
&setSessionAuth;
&setTransaction;
&show;