mirror of
https://github.com/postgres/postgres.git
synced 2025-08-27 07:42:10 +03:00
cf5eb37c5e
Previously, CREATEROLE users were permitted to make nearly arbitrary changes to roles that they didn't create, with certain exceptions, particularly superuser roles. Instead, allow CREATEROLE users to make such changes to roles for which they possess ADMIN OPTION, and to grant membership only in roles for which they possess ADMIN OPTION. When a CREATEROLE user who is not a superuser creates a role, grant ADMIN OPTION on the newly-created role to the creator, so that they can administer roles they create or for which they have been given privileges. With these changes, CREATEROLE users still have very significant powers that unprivileged users do not receive: they can alter, rename, drop, comment on, change the password for, and change security labels on roles. However, they can now do these things only for roles for which they possess appropriate privileges, rather than all non-superuser roles; moreover, they cannot grant a role such as pg_execute_server_program unless they themselves possess it. Patch by me, reviewed by Mark Dilger. Discussion: https://postgr.es/m/CA+TgmobN59ct+Emmz6ig1Nua2Q-_o=r6DSD98KfU53kctq_kQw@mail.gmail.com
125 lines
3.3 KiB
Plaintext
125 lines
3.3 KiB
Plaintext
<!--
|
|
doc/src/sgml/ref/drop_role.sgml
|
|
PostgreSQL documentation
|
|
-->
|
|
|
|
<refentry id="sql-droprole">
|
|
<indexterm zone="sql-droprole">
|
|
<primary>DROP ROLE</primary>
|
|
</indexterm>
|
|
|
|
<refmeta>
|
|
<refentrytitle>DROP ROLE</refentrytitle>
|
|
<manvolnum>7</manvolnum>
|
|
<refmiscinfo>SQL - Language Statements</refmiscinfo>
|
|
</refmeta>
|
|
|
|
<refnamediv>
|
|
<refname>DROP ROLE</refname>
|
|
<refpurpose>remove a database role</refpurpose>
|
|
</refnamediv>
|
|
|
|
<refsynopsisdiv>
|
|
<synopsis>
|
|
DROP ROLE [ IF EXISTS ] <replaceable class="parameter">name</replaceable> [, ...]
|
|
</synopsis>
|
|
</refsynopsisdiv>
|
|
|
|
<refsect1>
|
|
<title>Description</title>
|
|
|
|
<para>
|
|
<command>DROP ROLE</command> removes the specified role(s).
|
|
To drop a superuser role, you must be a superuser yourself;
|
|
to drop non-superuser roles, you must have <literal>CREATEROLE</literal>
|
|
privilege and have been granted <literal>ADMIN OPTION</literal> on the role.
|
|
</para>
|
|
|
|
<para>
|
|
A role cannot be removed if it is still referenced in any database
|
|
of the cluster; an error will be raised if so. Before dropping the role,
|
|
you must drop all the objects it owns (or reassign their ownership)
|
|
and revoke any privileges the role has been granted on other objects.
|
|
The <link linkend="sql-reassign-owned"><command>REASSIGN
|
|
OWNED</command></link> and <link linkend="sql-drop-owned"><command>DROP
|
|
OWNED</command></link>
|
|
commands can be useful for this purpose; see <xref linkend="role-removal"/>
|
|
for more discussion.
|
|
</para>
|
|
|
|
<para>
|
|
However, it is not necessary to remove role memberships involving
|
|
the role; <command>DROP ROLE</command> automatically revokes any memberships
|
|
of the target role in other roles, and of other roles in the target role.
|
|
The other roles are not dropped nor otherwise affected.
|
|
</para>
|
|
</refsect1>
|
|
|
|
<refsect1>
|
|
<title>Parameters</title>
|
|
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term><literal>IF EXISTS</literal></term>
|
|
<listitem>
|
|
<para>
|
|
Do not throw an error if the role does not exist. A notice is issued
|
|
in this case.
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><replaceable class="parameter">name</replaceable></term>
|
|
<listitem>
|
|
<para>
|
|
The name of the role to remove.
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
</refsect1>
|
|
|
|
<refsect1>
|
|
<title>Notes</title>
|
|
|
|
<para>
|
|
<productname>PostgreSQL</productname> includes a program <xref
|
|
linkend="app-dropuser"/> that has the
|
|
same functionality as this command (in fact, it calls this command)
|
|
but can be run from the command shell.
|
|
</para>
|
|
</refsect1>
|
|
|
|
<refsect1>
|
|
<title>Examples</title>
|
|
|
|
<para>
|
|
To drop a role:
|
|
<programlisting>
|
|
DROP ROLE jonathan;
|
|
</programlisting></para>
|
|
</refsect1>
|
|
|
|
<refsect1>
|
|
<title>Compatibility</title>
|
|
|
|
<para>
|
|
The SQL standard defines <command>DROP ROLE</command>, but it allows
|
|
only one role to be dropped at a time, and it specifies different
|
|
privilege requirements than <productname>PostgreSQL</productname> uses.
|
|
</para>
|
|
</refsect1>
|
|
|
|
<refsect1>
|
|
<title>See Also</title>
|
|
|
|
<simplelist type="inline">
|
|
<member><xref linkend="sql-createrole"/></member>
|
|
<member><xref linkend="sql-alterrole"/></member>
|
|
<member><xref linkend="sql-set-role"/></member>
|
|
</simplelist>
|
|
</refsect1>
|
|
|
|
</refentry>
|