summaryrefslogtreecommitdiffstats
path: root/doc/src/sgml/user-manag.sgml
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--doc/src/sgml/user-manag.sgml785
1 files changed, 785 insertions, 0 deletions
diff --git a/doc/src/sgml/user-manag.sgml b/doc/src/sgml/user-manag.sgml
new file mode 100644
index 0000000..1f7d7e7
--- /dev/null
+++ b/doc/src/sgml/user-manag.sgml
@@ -0,0 +1,785 @@
+<!-- doc/src/sgml/user-manag.sgml -->
+
+<chapter id="user-manag">
+ <title>Database Roles</title>
+
+ <para>
+ <productname>PostgreSQL</productname> manages database access permissions
+ using the concept of <firstterm>roles</firstterm>. A role can be thought of as
+ either a database user, or a group of database users, depending on how
+ the role is set up. Roles can own database objects (for example, tables
+ and functions) and can assign privileges on those objects to other roles to
+ control who has access to which objects. Furthermore, it is possible
+ to grant <firstterm>membership</firstterm> in a role to another role, thus
+ allowing the member role to use privileges assigned to another role.
+ </para>
+
+ <para>
+ The concept of roles subsumes the concepts of <quote>users</quote> and
+ <quote>groups</quote>. In <productname>PostgreSQL</productname> versions
+ before 8.1, users and groups were distinct kinds of entities, but now
+ there are only roles. Any role can act as a user, a group, or both.
+ </para>
+
+ <para>
+ This chapter describes how to create and manage roles.
+ More information about the effects of role privileges on various
+ database objects can be found in <xref linkend="ddl-priv"/>.
+ </para>
+
+ <sect1 id="database-roles">
+ <title>Database Roles</title>
+
+ <indexterm zone="database-roles">
+ <primary>role</primary>
+ </indexterm>
+
+ <indexterm zone="database-roles">
+ <primary>user</primary>
+ </indexterm>
+
+ <indexterm>
+ <primary>CREATE ROLE</primary>
+ </indexterm>
+
+ <indexterm>
+ <primary>DROP ROLE</primary>
+ </indexterm>
+
+ <para>
+ Database roles are conceptually completely separate from
+ operating system users. In practice it might be convenient to
+ maintain a correspondence, but this is not required. Database roles
+ are global across a database cluster installation (and not
+ per individual database). To create a role use the <link
+ linkend="sql-createrole"><command>CREATE ROLE</command></link> SQL command:
+<synopsis>
+CREATE ROLE <replaceable>name</replaceable>;
+</synopsis>
+ <replaceable>name</replaceable> follows the rules for SQL
+ identifiers: either unadorned without special characters, or
+ double-quoted. (In practice, you will usually want to add additional
+ options, such as <literal>LOGIN</literal>, to the command. More details appear
+ below.) To remove an existing role, use the analogous
+ <link linkend="sql-droprole"><command>DROP ROLE</command></link> command:
+<synopsis>
+DROP ROLE <replaceable>name</replaceable>;
+</synopsis>
+ </para>
+
+ <indexterm>
+ <primary>createuser</primary>
+ </indexterm>
+
+ <indexterm>
+ <primary>dropuser</primary>
+ </indexterm>
+
+ <para>
+ For convenience, the programs <xref linkend="app-createuser"/>
+ and <xref linkend="app-dropuser"/> are provided as wrappers
+ around these SQL commands that can be called from the shell command
+ line:
+<synopsis>
+createuser <replaceable>name</replaceable>
+dropuser <replaceable>name</replaceable>
+</synopsis>
+ </para>
+
+ <para>
+ To determine the set of existing roles, examine the <structname>pg_roles</structname>
+ system catalog, for example:
+<synopsis>
+SELECT rolname FROM pg_roles;
+</synopsis>
+ or to see just those capable of logging in:
+<synopsis>
+SELECT rolname FROM pg_roles WHERE rolcanlogin;
+</synopsis>
+ The <xref linkend="app-psql"/> program's <literal>\du</literal> meta-command
+ is also useful for listing the existing roles.
+ </para>
+
+ <para>
+ In order to bootstrap the database system, a freshly initialized
+ system always contains one predefined login-capable role. This role
+ is always a <quote>superuser</quote>, and it will have
+ the same name as the operating system user that initialized the
+ database cluster with <command>initdb</command> unless a different name
+ is specified. This role is often named
+ <literal>postgres</literal>. In order to create more roles you
+ first have to connect as this initial role.
+ </para>
+
+ <para>
+ Every connection to the database server is made using the name of some
+ particular role, and this role determines the initial access privileges for
+ commands issued in that connection.
+ The role name to use for a particular database
+ connection is indicated by the client that is initiating the
+ connection request in an application-specific fashion. For example,
+ the <command>psql</command> program uses the
+ <option>-U</option> command line option to indicate the role to
+ connect as. Many applications assume the name of the current
+ operating system user by default (including
+ <command>createuser</command> and <command>psql</command>). Therefore it
+ is often convenient to maintain a naming correspondence between
+ roles and operating system users.
+ </para>
+
+ <para>
+ The set of database roles a given client connection can connect as
+ is determined by the client authentication setup, as explained in
+ <xref linkend="client-authentication"/>. (Thus, a client is not
+ limited to connect as the role matching
+ its operating system user, just as a person's login name
+ need not match his or her real name.) Since the role
+ identity determines the set of privileges available to a connected
+ client, it is important to carefully configure privileges when setting up
+ a multiuser environment.
+ </para>
+ </sect1>
+
+ <sect1 id="role-attributes">
+ <title>Role Attributes</title>
+
+ <para>
+ A database role can have a number of attributes that define its
+ privileges and interact with the client authentication system.
+
+ <variablelist>
+ <varlistentry>
+ <term>login privilege<indexterm><primary>login privilege</primary></indexterm></term>
+ <listitem>
+ <para>
+ Only roles that have the <literal>LOGIN</literal> attribute can be used
+ as the initial role name for a database connection. A role with
+ the <literal>LOGIN</literal> attribute can be considered the same
+ as a <quote>database user</quote>. To create a role with login privilege,
+ use either:
+<programlisting>
+CREATE ROLE <replaceable>name</replaceable> LOGIN;
+CREATE USER <replaceable>name</replaceable>;
+</programlisting>
+ (<command>CREATE USER</command> is equivalent to <command>CREATE ROLE</command>
+ except that <command>CREATE USER</command> includes <literal>LOGIN</literal> by
+ default, while <command>CREATE ROLE</command> does not.)
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>superuser status<indexterm><primary>superuser</primary></indexterm></term>
+ <listitem>
+ <para>
+ A database superuser bypasses all permission checks, except the right
+ to log in. This is a dangerous privilege and should not be used
+ carelessly; it is best to do most of your work as a role that is not a
+ superuser. To create a new database superuser, use <literal>CREATE
+ ROLE <replaceable>name</replaceable> SUPERUSER</literal>. You must do
+ this as a role that is already a superuser.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>database creation<indexterm><primary>database</primary><secondary>privilege to create</secondary></indexterm></term>
+ <listitem>
+ <para>
+ A role must be explicitly given permission to create databases
+ (except for superusers, since those bypass all permission
+ checks). To create such a role, use <literal>CREATE ROLE
+ <replaceable>name</replaceable> CREATEDB</literal>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term id="role-creation">role creation<indexterm><primary>role</primary><secondary>privilege to create</secondary></indexterm></term>
+ <listitem>
+ <para>
+ A role must be explicitly given permission to create more roles
+ (except for superusers, since those bypass all permission
+ checks). To create such a role, use <literal>CREATE ROLE
+ <replaceable>name</replaceable> CREATEROLE</literal>.
+ A role with <literal>CREATEROLE</literal> privilege can alter and drop
+ roles which have been granted to the <literal>CREATEROLE</literal>
+ user with the <literal>ADMIN</literal> option. Such a grant occurs
+ automatically when a <literal>CREATEROLE</literal> user that is not
+ a superuser creates a new role, so that by default, a
+ <literal>CREATEROLE</literal> user can alter and drop the roles
+ which they have created.
+ Altering a role includes most changes that can be made using
+ <literal>ALTER ROLE</literal>, including, for example, changing
+ passwords. It also includes modifications to a role that can
+ be made using the <literal>COMMENT</literal> and
+ <literal>SECURITY LABEL</literal> commands.
+ </para>
+ <para>
+ However, <literal>CREATEROLE</literal> does not convey the ability to
+ create <literal>SUPERUSER</literal> roles, nor does it convey any
+ power over <literal>SUPERUSER</literal> roles that already exist.
+ Furthermore, <literal>CREATEROLE</literal> does not convey the power
+ to create <literal>REPLICATION</literal> users, nor the ability to
+ grant or revoke the <literal>REPLICATION</literal> privilege, nor the
+ ability to modify the role properties of such users. However, it does
+ allow <literal>ALTER ROLE ... SET</literal> and
+ <literal>ALTER ROLE ... RENAME</literal> to be used on
+ <literal>REPLICATION</literal> roles, as well as the use of
+ <literal>COMMENT ON ROLE</literal>,
+ <literal>SECURITY LABEL ON ROLE</literal>,
+ and <literal>DROP ROLE</literal>.
+ Finally, <literal>CREATEROLE</literal> does not
+ confer the ability to grant or revoke the <literal>BYPASSRLS</literal>
+ privilege.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>initiating replication<indexterm><primary>role</primary><secondary>privilege to initiate replication</secondary></indexterm></term>
+ <listitem>
+ <para>
+ A role must explicitly be given permission to initiate streaming
+ replication (except for superusers, since those bypass all permission
+ checks). A role used for streaming replication must
+ have <literal>LOGIN</literal> permission as well. To create such a role, use
+ <literal>CREATE ROLE <replaceable>name</replaceable> REPLICATION
+ LOGIN</literal>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>password<indexterm><primary>password</primary></indexterm></term>
+ <listitem>
+ <para>
+ A password is only significant if the client authentication
+ method requires the user to supply a password when connecting
+ to the database. The <option>password</option> and
+ <option>md5</option> authentication methods
+ make use of passwords. Database passwords are separate from
+ operating system passwords. Specify a password upon role
+ creation with <literal>CREATE ROLE
+ <replaceable>name</replaceable> PASSWORD '<replaceable>string</replaceable>'</literal>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>inheritance of privileges<indexterm><primary>role</primary><secondary>privilege to inherit</secondary></indexterm></term>
+ <listitem>
+ <para>
+ A role inherits the privileges of roles it is a member of, by default.
+ However, to create a role which does not inherit privileges by
+ default, use <literal>CREATE ROLE <replaceable>name</replaceable>
+ NOINHERIT</literal>. Alternatively, inheritance can be overridden
+ for individual grants by using <literal>WITH INHERIT TRUE</literal>
+ or <literal>WITH INHERIT FALSE</literal>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>bypassing row-level security<indexterm><primary>role</primary><secondary>privilege to bypass</secondary></indexterm></term>
+ <listitem>
+ <para>
+ A role must be explicitly given permission to bypass every row-level security (RLS) policy
+ (except for superusers, since those bypass all permission checks).
+ To create such a role, use <literal>CREATE ROLE <replaceable>name</replaceable> BYPASSRLS</literal> as a superuser.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>connection limit<indexterm><primary>role</primary><secondary>privilege to limit connection</secondary></indexterm></term>
+ <listitem>
+ <para>
+ Connection limit can specify how many concurrent connections a role can make.
+ -1 (the default) means no limit. Specify connection limit upon role creation with
+ <literal>CREATE ROLE <replaceable>name</replaceable> CONNECTION LIMIT '<replaceable>integer</replaceable>'</literal>.
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+
+ A role's attributes can be modified after creation with
+ <command>ALTER ROLE</command>.<indexterm><primary>ALTER ROLE</primary></indexterm>
+ See the reference pages for the <xref linkend="sql-createrole"/>
+ and <xref linkend="sql-alterrole"/> commands for details.
+ </para>
+
+ <para>
+ A role can also have role-specific defaults for many of the run-time
+ configuration settings described in <xref
+ linkend="runtime-config"/>. For example, if for some reason you
+ want to disable index scans (hint: not a good idea) anytime you
+ connect, you can use:
+<programlisting>
+ALTER ROLE myname SET enable_indexscan TO off;
+</programlisting>
+ This will save the setting (but not set it immediately). In
+ subsequent connections by this role it will appear as though
+ <literal>SET enable_indexscan TO off</literal> had been executed
+ just before the session started.
+ You can still alter this setting during the session; it will only
+ be the default. To remove a role-specific default setting, use
+ <literal>ALTER ROLE <replaceable>rolename</replaceable> RESET <replaceable>varname</replaceable></literal>.
+ Note that role-specific defaults attached to roles without
+ <literal>LOGIN</literal> privilege are fairly useless, since they will never
+ be invoked.
+ </para>
+
+ <para>
+ When a non-superuser creates a role using the <literal>CREATEROLE</literal>
+ privilege, the created role is automatically granted back to the creating
+ user, just as if the bootstrap superuser had executed the command
+ <literal>GRANT created_user TO creating_user WITH ADMIN TRUE, SET FALSE,
+ INHERIT FALSE</literal>. Since a <literal>CREATEROLE</literal> user can
+ only exercise special privileges with regard to an existing role if they
+ have <literal>ADMIN OPTION</literal> on it, this grant is just sufficient
+ to allow a <literal>CREATEROLE</literal> user to administer the roles they
+ created. However, because it is created with <literal>INHERIT FALSE, SET
+ FALSE</literal>, the <literal>CREATEROLE</literal> user doesn't inherit the
+ privileges of the created role, nor can it access the privileges of that
+ role using <literal>SET ROLE</literal>. However, since any user who has
+ <literal>ADMIN OPTION</literal> on a role can grant membership in that
+ role to any other user, the <literal>CREATEROLE</literal> user can gain
+ access to the created role by simply granting that role back to
+ themselves with the <literal>INHERIT</literal> and/or <literal>SET</literal>
+ options. Thus, the fact that privileges are not inherited by default nor
+ is <literal>SET ROLE</literal> granted by default is a safeguard against
+ accidents, not a security feature. Also note that, because this automatic
+ grant is granted by the bootstrap user, it cannot be removed or changed by
+ the <literal>CREATEROLE</literal> user; however, any superuser could
+ revoke it, modify it, and/or issue additional such grants to other
+ <literal>CREATEROLE</literal> users. Whichever <literal>CREATEROLE</literal>
+ users have <literal>ADMIN OPTION</literal> on a role at any given time
+ can administer it.
+ </para>
+ </sect1>
+
+ <sect1 id="role-membership">
+ <title>Role Membership</title>
+
+ <indexterm zone="role-membership">
+ <primary>role</primary><secondary>membership in</secondary>
+ </indexterm>
+
+ <para>
+ It is frequently convenient to group users together to ease
+ management of privileges: that way, privileges can be granted to, or
+ revoked from, a group as a whole. In <productname>PostgreSQL</productname>
+ this is done by creating a role that represents the group, and then
+ granting <firstterm>membership</firstterm> in the group role to individual user
+ roles.
+ </para>
+
+ <para>
+ To set up a group role, first create the role:
+<synopsis>
+CREATE ROLE <replaceable>name</replaceable>;
+</synopsis>
+ Typically a role being used as a group would not have the <literal>LOGIN</literal>
+ attribute, though you can set it if you wish.
+ </para>
+
+ <para>
+ Once the group role exists, you can add and remove members using the
+ <link linkend="sql-grant"><command>GRANT</command></link> and
+ <link linkend="sql-revoke"><command>REVOKE</command></link> commands:
+<synopsis>
+GRANT <replaceable>group_role</replaceable> TO <replaceable>role1</replaceable>, ... ;
+REVOKE <replaceable>group_role</replaceable> FROM <replaceable>role1</replaceable>, ... ;
+</synopsis>
+ You can grant membership to other group roles, too (since there isn't
+ really any distinction between group roles and non-group roles). The
+ database will not let you set up circular membership loops. Also,
+ it is not permitted to grant membership in a role to
+ <literal>PUBLIC</literal>.
+ </para>
+
+ <para>
+ The members of a group role can use the privileges of the role in two
+ ways. First, member roles that have been granted membership with the
+ <literal>SET</literal> option can do
+ <link linkend="sql-set-role"><command>SET ROLE</command></link> to
+ temporarily <quote>become</quote> the group role. In this state, the
+ database session has access to the privileges of the group role rather
+ than the original login role, and any database objects created are
+ considered owned by the group role not the login role. Second, member
+ roles that have been granted membership with the
+ <literal>INHERIT</literal> option automatically have use of the
+ privileges of those directly or indirectly a member of, though the
+ chain stops at memberships lacking the inherit option. As an example,
+ suppose we have done:
+<programlisting>
+CREATE ROLE joe LOGIN;
+CREATE ROLE admin;
+CREATE ROLE wheel;
+CREATE ROLE island;
+GRANT admin TO joe WITH INHERIT TRUE;
+GRANT wheel TO admin WITH INHERIT FALSE;
+GRANT island TO joe WITH INHERIT TRUE, SET FALSE;
+</programlisting>
+ Immediately after connecting as role <literal>joe</literal>, a database
+ session will have use of privileges granted directly to <literal>joe</literal>
+ plus any privileges granted to <literal>admin</literal> and
+ <literal>island</literal>, because <literal>joe</literal>
+ <quote>inherits</quote> those privileges. However, privileges
+ granted to <literal>wheel</literal> are not available, because even though
+ <literal>joe</literal> is indirectly a member of <literal>wheel</literal>, the
+ membership is via <literal>admin</literal> which was granted using
+ <literal>WITH INHERIT FALSE</literal>. After:
+<programlisting>
+SET ROLE admin;
+</programlisting>
+ the session would have use of only those privileges granted to
+ <literal>admin</literal>, and not those granted to <literal>joe</literal> or
+ <literal>island</literal>. After:
+<programlisting>
+SET ROLE wheel;
+</programlisting>
+ the session would have use of only those privileges granted to
+ <literal>wheel</literal>, and not those granted to either <literal>joe</literal>
+ or <literal>admin</literal>. The original privilege state can be restored
+ with any of:
+<programlisting>
+SET ROLE joe;
+SET ROLE NONE;
+RESET ROLE;
+</programlisting>
+ </para>
+
+ <note>
+ <para>
+ The <command>SET ROLE</command> command always allows selecting any role
+ that the original login role is directly or indirectly a member of,
+ provided that there is a chain of membership grants each of which has
+ <literal>SET TRUE</literal> (which is the default).
+ Thus, in the above example, it is not necessary to become
+ <literal>admin</literal> before becoming <literal>wheel</literal>.
+ On the other hand, it is not possible to become <literal>island</literal>
+ at all; <literal>joe</literal> can only access those privileges via
+ inheritance.
+ </para>
+ </note>
+
+ <note>
+ <para>
+ In the SQL standard, there is a clear distinction between users and roles,
+ and users do not automatically inherit privileges while roles do. This
+ behavior can be obtained in <productname>PostgreSQL</productname> by giving
+ roles being used as SQL roles the <literal>INHERIT</literal> attribute, while
+ giving roles being used as SQL users the <literal>NOINHERIT</literal> attribute.
+ However, <productname>PostgreSQL</productname> defaults to giving all roles
+ the <literal>INHERIT</literal> attribute, for backward compatibility with pre-8.1
+ releases in which users always had use of permissions granted to groups
+ they were members of.
+ </para>
+ </note>
+
+ <para>
+ The role attributes <literal>LOGIN</literal>, <literal>SUPERUSER</literal>,
+ <literal>CREATEDB</literal>, and <literal>CREATEROLE</literal> can be thought of as
+ special privileges, but they are never inherited as ordinary privileges
+ on database objects are. You must actually <command>SET ROLE</command> to a
+ specific role having one of these attributes in order to make use of
+ the attribute. Continuing the above example, we might choose to
+ grant <literal>CREATEDB</literal> and <literal>CREATEROLE</literal> to the
+ <literal>admin</literal> role. Then a session connecting as role <literal>joe</literal>
+ would not have these privileges immediately, only after doing
+ <command>SET ROLE admin</command>.
+ </para>
+
+ <para>
+ </para>
+
+ <para>
+ To destroy a group role, use <link
+ linkend="sql-droprole"><command>DROP ROLE</command></link>:
+<synopsis>
+DROP ROLE <replaceable>name</replaceable>;
+</synopsis>
+ Any memberships in the group role are automatically revoked (but the
+ member roles are not otherwise affected).
+ </para>
+ </sect1>
+
+ <sect1 id="role-removal">
+ <title>Dropping Roles</title>
+
+ <para>
+ Because roles can own database objects and can hold privileges
+ to access other objects, dropping a role is often not just a matter of a
+ quick <link linkend="sql-droprole"><command>DROP ROLE</command></link>. Any objects owned by the role must
+ first be dropped or reassigned to other owners; and any permissions
+ granted to the role must be revoked.
+ </para>
+
+ <para>
+ Ownership of objects can be transferred one at a time
+ using <command>ALTER</command> commands, for example:
+<programlisting>
+ALTER TABLE bobs_table OWNER TO alice;
+</programlisting>
+ Alternatively, the <link linkend="sql-reassign-owned"><command>REASSIGN OWNED</command></link> command can be
+ used to reassign ownership of all objects owned by the role-to-be-dropped
+ to a single other role. Because <command>REASSIGN OWNED</command> cannot access
+ objects in other databases, it is necessary to run it in each database
+ that contains objects owned by the role. (Note that the first
+ such <command>REASSIGN OWNED</command> will change the ownership of any
+ shared-across-databases objects, that is databases or tablespaces, that
+ are owned by the role-to-be-dropped.)
+ </para>
+
+ <para>
+ Once any valuable objects have been transferred to new owners, any
+ remaining objects owned by the role-to-be-dropped can be dropped with
+ the <link linkend="sql-drop-owned"><command>DROP OWNED</command></link> command. Again, this command cannot
+ access objects in other databases, so it is necessary to run it in each
+ database that contains objects owned by the role. Also, <command>DROP
+ OWNED</command> will not drop entire databases or tablespaces, so it is
+ necessary to do that manually if the role owns any databases or
+ tablespaces that have not been transferred to new owners.
+ </para>
+
+ <para>
+ <command>DROP OWNED</command> also takes care of removing any privileges granted
+ to the target role for objects that do not belong to it.
+ Because <command>REASSIGN OWNED</command> does not touch such objects, it's
+ typically necessary to run both <command>REASSIGN OWNED</command>
+ and <command>DROP OWNED</command> (in that order!) to fully remove the
+ dependencies of a role to be dropped.
+ </para>
+
+ <para>
+ In short then, the most general recipe for removing a role that has been
+ used to own objects is:
+ </para>
+<programlisting>
+REASSIGN OWNED BY doomed_role TO successor_role;
+DROP OWNED BY doomed_role;
+-- repeat the above commands in each database of the cluster
+DROP ROLE doomed_role;
+</programlisting>
+
+ <para>
+ When not all owned objects are to be transferred to the same successor
+ owner, it's best to handle the exceptions manually and then perform
+ the above steps to mop up.
+ </para>
+
+ <para>
+ If <command>DROP ROLE</command> is attempted while dependent objects still
+ remain, it will issue messages identifying which objects need to be
+ reassigned or dropped.
+ </para>
+ </sect1>
+
+ <sect1 id="predefined-roles">
+ <title>Predefined Roles</title>
+
+ <indexterm zone="predefined-roles">
+ <primary>role</primary>
+ </indexterm>
+
+ <para>
+ <productname>PostgreSQL</productname> provides a set of predefined roles
+ that provide access to certain, commonly needed, privileged capabilities
+ and information. Administrators (including roles that have the
+ <literal>CREATEROLE</literal> privilege) can <command>GRANT</command> these
+ roles to users and/or other roles in their environment, providing those
+ users with access to the specified capabilities and information.
+ </para>
+
+ <para>
+ The predefined roles are described in <xref linkend="predefined-roles-table"/>.
+ Note that the specific permissions for each of the roles may change in
+ the future as additional capabilities are added. Administrators
+ should monitor the release notes for changes.
+ </para>
+
+ <table tocentry="1" id="predefined-roles-table">
+ <title>Predefined Roles</title>
+ <tgroup cols="2">
+ <colspec colname="col1" colwidth="1*"/>
+ <colspec colname="col2" colwidth="2*"/>
+ <thead>
+ <row>
+ <entry>Role</entry>
+ <entry>Allowed Access</entry>
+ </row>
+ </thead>
+ <tbody>
+ <row>
+ <entry>pg_read_all_data</entry>
+ <entry>Read all data (tables, views, sequences), as if having
+ <command>SELECT</command> rights on those objects, and USAGE rights on
+ all schemas, even without having it explicitly. This role does not have
+ the role attribute <literal>BYPASSRLS</literal> set. If RLS is being
+ used, an administrator may wish to set <literal>BYPASSRLS</literal> on
+ roles which this role is GRANTed to.</entry>
+ </row>
+ <row>
+ <entry>pg_write_all_data</entry>
+ <entry>Write all data (tables, views, sequences), as if having
+ <command>INSERT</command>, <command>UPDATE</command>, and
+ <command>DELETE</command> rights on those objects, and USAGE rights on
+ all schemas, even without having it explicitly. This role does not have
+ the role attribute <literal>BYPASSRLS</literal> set. If RLS is being
+ used, an administrator may wish to set <literal>BYPASSRLS</literal> on
+ roles which this role is GRANTed to.</entry>
+ </row>
+ <row>
+ <entry>pg_read_all_settings</entry>
+ <entry>Read all configuration variables, even those normally visible only to
+ superusers.</entry>
+ </row>
+ <row>
+ <entry>pg_read_all_stats</entry>
+ <entry>Read all pg_stat_* views and use various statistics related extensions,
+ even those normally visible only to superusers.</entry>
+ </row>
+ <row>
+ <entry>pg_stat_scan_tables</entry>
+ <entry>Execute monitoring functions that may take <literal>ACCESS SHARE</literal> locks on tables,
+ potentially for a long time.</entry>
+ </row>
+ <row>
+ <entry>pg_monitor</entry>
+ <entry>Read/execute various monitoring views and functions.
+ This role is a member of <literal>pg_read_all_settings</literal>,
+ <literal>pg_read_all_stats</literal> and
+ <literal>pg_stat_scan_tables</literal>.</entry>
+ </row>
+ <row>
+ <entry>pg_database_owner</entry>
+ <entry>None. Membership consists, implicitly, of the current database owner.</entry>
+ </row>
+ <row>
+ <entry>pg_signal_backend</entry>
+ <entry>Signal another backend to cancel a query or terminate its session.</entry>
+ </row>
+ <row>
+ <entry>pg_read_server_files</entry>
+ <entry>Allow reading files from any location the database can access on the server with COPY and
+ other file-access functions.</entry>
+ </row>
+ <row>
+ <entry>pg_write_server_files</entry>
+ <entry>Allow writing to files in any location the database can access on the server with COPY and
+ other file-access functions.</entry>
+ </row>
+ <row>
+ <entry>pg_execute_server_program</entry>
+ <entry>Allow executing programs on the database server as the user the database runs as with
+ COPY and other functions which allow executing a server-side program.</entry>
+ </row>
+ <row>
+ <entry>pg_checkpoint</entry>
+ <entry>Allow executing
+ the <link linkend="sql-checkpoint"><command>CHECKPOINT</command></link>
+ command.</entry>
+ </row>
+ <row>
+ <entry>pg_use_reserved_connections</entry>
+ <entry>Allow use of connection slots reserved via
+ <xref linkend="guc-reserved-connections"/>.</entry>
+ </row>
+ <row>
+ <entry>pg_create_subscription</entry>
+ <entry>Allow users with <literal>CREATE</literal> permission on the
+ database to issue
+ <link linkend="sql-createsubscription"><command>CREATE SUBSCRIPTION</command></link>.</entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </table>
+
+ <para>
+ The <literal>pg_monitor</literal>, <literal>pg_read_all_settings</literal>,
+ <literal>pg_read_all_stats</literal> and <literal>pg_stat_scan_tables</literal>
+ roles are intended to allow administrators to easily configure a role for the
+ purpose of monitoring the database server. They grant a set of common privileges
+ allowing the role to read various useful configuration settings, statistics and
+ other system information normally restricted to superusers.
+ </para>
+
+ <para>
+ The <literal>pg_database_owner</literal> role has one implicit,
+ situation-dependent member, namely the owner of the current database. Like
+ any role, it can own objects or receive grants of access privileges.
+ Consequently, once <literal>pg_database_owner</literal> has rights within a
+ template database, each owner of a database instantiated from that template
+ will exercise those rights. <literal>pg_database_owner</literal> cannot be
+ a member of any role, and it cannot have non-implicit members. Initially,
+ this role owns the <literal>public</literal> schema, so each database owner
+ governs local use of the schema.
+ </para>
+
+ <para>
+ The <literal>pg_signal_backend</literal> role is intended to allow
+ administrators to enable trusted, but non-superuser, roles to send signals
+ to other backends. Currently this role enables sending of signals for
+ canceling a query on another backend or terminating its session. A user
+ granted this role cannot however send signals to a backend owned by a
+ superuser. See <xref linkend="functions-admin-signal"/>.
+ </para>
+
+ <para>
+ The <literal>pg_read_server_files</literal>, <literal>pg_write_server_files</literal> and
+ <literal>pg_execute_server_program</literal> roles are intended to allow administrators to have
+ trusted, but non-superuser, roles which are able to access files and run programs on the
+ database server as the user the database runs as. As these roles are able to access any file on
+ the server file system, they bypass all database-level permission checks when accessing files
+ directly and they could be used to gain superuser-level access, therefore
+ great care should be taken when granting these roles to users.
+ </para>
+
+ <para>
+ Care should be taken when granting these roles to ensure they are only used where
+ needed and with the understanding that these roles grant access to privileged
+ information.
+ </para>
+
+ <para>
+ Administrators can grant access to these roles to users using the
+ <link linkend="sql-grant"><command>GRANT</command></link> command, for example:
+
+<programlisting>
+GRANT pg_signal_backend TO admin_user;
+</programlisting>
+ </para>
+
+ </sect1>
+
+ <sect1 id="perm-functions">
+ <title>Function Security</title>
+
+ <para>
+ Functions, triggers and row-level security policies allow users to insert
+ code into the backend server that other users might execute
+ unintentionally. Hence, these mechanisms permit users to <quote>Trojan
+ horse</quote> others with relative ease. The strongest protection is tight
+ control over who can define objects. Where that is infeasible, write
+ queries referring only to objects having trusted owners. Remove
+ from <varname>search_path</varname> any schemas that permit untrusted users
+ to create objects.
+ </para>
+
+ <para>
+ Functions run inside the backend
+ server process with the operating system permissions of the
+ database server daemon. If the programming language
+ used for the function allows unchecked memory accesses, it is
+ possible to change the server's internal data structures.
+ Hence, among many other things, such functions can circumvent any
+ system access controls. Function languages that allow such access
+ are considered <quote>untrusted</quote>, and
+ <productname>PostgreSQL</productname> allows only superusers to
+ create functions written in those languages.
+ </para>
+ </sect1>
+
+</chapter>