Improve some documentation about the bootstrap superuser.
This commit adds some notes about the inability to remove superuser
privileges from the bootstrap superuser. This has been blocked
since commit e530be2c5c
, but it wasn't intended be a supported
feature before that, either.
In passing, change "bootstrap user" to "bootstrap superuser" in a
couple places.
Author: Yurii Rashkovskii
Reviewed-by: Vignesh C, David G. Johnston
Discussion: https://postgr.es/m/CA%2BRLCQzSx_eTC2Fch0EzeNHD3zFUcPvBYOoB%2BpPScFLch1DEQw%40mail.gmail.com
This commit is contained in:
parent
dd3ca8cbb0
commit
d891dcc065
|
@ -247,7 +247,8 @@
|
|||
</para>
|
||||
<para>
|
||||
This role also behaves as a normal
|
||||
<glossterm linkend="glossary-database-superuser">database superuser</glossterm>.
|
||||
<glossterm linkend="glossary-database-superuser">database superuser</glossterm>,
|
||||
and its superuser status cannot be removed.
|
||||
</para>
|
||||
</glossdef>
|
||||
</glossentry>
|
||||
|
|
|
@ -69,7 +69,9 @@ ALTER ROLE { <replaceable class="parameter">role_specification</replaceable> | A
|
|||
<link linkend="sql-grant"><command>GRANT</command></link> and
|
||||
<link linkend="sql-revoke"><command>REVOKE</command></link> for that.)
|
||||
Attributes not mentioned in the command retain their previous settings.
|
||||
Database superusers can change any of these settings for any role.
|
||||
Database superusers can change any of these settings for any role, except
|
||||
for changing the <literal>SUPERUSER</literal> property for the
|
||||
<glossterm linkend="glossary-bootstrap-superuser">bootstrap superuser</glossterm>.
|
||||
Non-superuser roles having <literal>CREATEROLE</literal> privilege can
|
||||
change most of these properties, but only for non-superuser and
|
||||
non-replication roles for which they have been granted
|
||||
|
|
|
@ -350,7 +350,7 @@ ALTER ROLE myname SET enable_indexscan TO off;
|
|||
options. Thus, the fact that privileges are not inherited by default nor
|
||||
is <literal>SET ROLE</literal> granted by default is a safeguard against
|
||||
accidents, not a security feature. Also note that, because this automatic
|
||||
grant is granted by the bootstrap user, it cannot be removed or changed by
|
||||
grant is granted by the bootstrap superuser, it cannot be removed or changed by
|
||||
the <literal>CREATEROLE</literal> user; however, any superuser could
|
||||
revoke it, modify it, and/or issue additional such grants to other
|
||||
<literal>CREATEROLE</literal> users. Whichever <literal>CREATEROLE</literal>
|
||||
|
|
|
@ -868,7 +868,7 @@ AlterRole(ParseState *pstate, AlterRoleStmt *stmt)
|
|||
ereport(ERROR,
|
||||
(errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
|
||||
errmsg("permission denied to alter role"),
|
||||
errdetail("The bootstrap user must have the %s attribute.",
|
||||
errdetail("The bootstrap superuser must have the %s attribute.",
|
||||
"SUPERUSER")));
|
||||
|
||||
new_record[Anum_pg_authid_rolsuper - 1] = BoolGetDatum(should_be_super);
|
||||
|
|
Loading…
Reference in New Issue