summaryrefslogtreecommitdiffstats
path: root/doc/src/sgml/html/app-createuser.html
blob: 850b6b35d64b6a19fd6407b5cd44f58d6be52912 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>createuser</title><link rel="stylesheet" type="text/css" href="stylesheet.css" /><link rev="made" href="pgsql-docs@lists.postgresql.org" /><meta name="generator" content="DocBook XSL Stylesheets Vsnapshot" /><link rel="prev" href="app-createdb.html" title="createdb" /><link rel="next" href="app-dropdb.html" title="dropdb" /></head><body id="docContent" class="container-fluid col-10"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="5" align="center"><span class="application">createuser</span></th></tr><tr><td width="10%" align="left"><a accesskey="p" href="app-createdb.html" title="createdb">Prev</a> </td><td width="10%" align="left"><a accesskey="u" href="reference-client.html" title="PostgreSQL Client Applications">Up</a></td><th width="60%" align="center">PostgreSQL Client Applications</th><td width="10%" align="right"><a accesskey="h" href="index.html" title="PostgreSQL 16.2 Documentation">Home</a></td><td width="10%" align="right"> <a accesskey="n" href="app-dropdb.html" title="dropdb">Next</a></td></tr></table><hr /></div><div class="refentry" id="APP-CREATEUSER"><div class="titlepage"></div><a id="id-1.9.4.5.1" class="indexterm"></a><div class="refnamediv"><h2><span class="refentrytitle"><span class="application">createuser</span></span></h2><p>createuser — define a new <span class="productname">PostgreSQL</span> user account</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p id="id-1.9.4.5.4.1"><code class="command">createuser</code> [<em class="replaceable"><code>connection-option</code></em>...] [<em class="replaceable"><code>option</code></em>...] [<em class="replaceable"><code>username</code></em>]</p></div></div><div class="refsect1" id="id-1.9.4.5.5"><h2>Description</h2><p>
   <span class="application">createuser</span> creates a
   new <span class="productname">PostgreSQL</span> user (or more precisely, a role).
   Only superusers and users with <code class="literal">CREATEROLE</code> privilege can create
   new users, so <span class="application">createuser</span> must be
   invoked by someone who can connect as a superuser or a user with
   <code class="literal">CREATEROLE</code> privilege.
  </p><p>
   If you wish to create a role with the <code class="literal">SUPERUSER</code>,
   <code class="literal">REPLICATION</code>, or <code class="literal">BYPASSRLS</code> privilege,
   you must connect as a superuser, not merely with
   <code class="literal">CREATEROLE</code> privilege.
   Being a superuser implies the ability to bypass all access permission
   checks within the database, so superuser access should not be granted
   lightly. <code class="literal">CREATEROLE</code> also conveys
   <a class="link" href="role-attributes.html#ROLE-CREATION">very extensive privileges</a>.
  </p><p>
   <span class="application">createuser</span> is a wrapper around the
   <acronym class="acronym">SQL</acronym> command <a class="link" href="sql-createrole.html" title="CREATE ROLE"><code class="command">CREATE ROLE</code></a>.
   There is no effective difference between creating users via
   this utility and via other methods for accessing the server.
  </p></div><div class="refsect1" id="id-1.9.4.5.6"><h2>Options</h2><p>
   <span class="application">createuser</span> accepts the following command-line arguments:

    </p><div class="variablelist"><dl class="variablelist"><dt><span class="term"><em class="replaceable"><code>username</code></em></span></dt><dd><p>
        Specifies the name of the <span class="productname">PostgreSQL</span> user
        to be created.
        This name must be different from all existing roles in this
        <span class="productname">PostgreSQL</span> installation.
       </p></dd><dt><span class="term"><code class="option">-a <em class="replaceable"><code>role</code></em></code><br /></span><span class="term"><code class="option">--with-admin=<em class="replaceable"><code>role</code></em></code></span></dt><dd><p>
        Specifies an existing role that will be automatically added as a member of the new
        role with admin option, giving it the right to grant membership in the
        new role to others.  Multiple existing roles can be specified by
        writing multiple <code class="option">-a</code> switches.
       </p></dd><dt><span class="term"><code class="option">-c <em class="replaceable"><code>number</code></em></code><br /></span><span class="term"><code class="option">--connection-limit=<em class="replaceable"><code>number</code></em></code></span></dt><dd><p>
        Set a maximum number of connections for the new user.
        The default is to set no limit.
       </p></dd><dt><span class="term"><code class="option">-d</code><br /></span><span class="term"><code class="option">--createdb</code></span></dt><dd><p>
        The new user will be allowed to create databases.
       </p></dd><dt><span class="term"><code class="option">-D</code><br /></span><span class="term"><code class="option">--no-createdb</code></span></dt><dd><p>
        The new user will not be allowed to create databases.  This is the
        default.
       </p></dd><dt><span class="term"><code class="option">-e</code><br /></span><span class="term"><code class="option">--echo</code></span></dt><dd><p>
        Echo the commands that <span class="application">createuser</span> generates
        and sends to the server.
       </p></dd><dt><span class="term"><code class="option">-E</code><br /></span><span class="term"><code class="option">--encrypted</code></span></dt><dd><p>
        This option is obsolete but still accepted for backward
        compatibility.
       </p></dd><dt><span class="term"><code class="option">-g <em class="replaceable"><code>role</code></em></code><br /></span><span class="term"><code class="option">--member-of=<em class="replaceable"><code>role</code></em></code><br /></span><span class="term"><code class="option">--role=<em class="replaceable"><code>role</code></em></code> (deprecated)</span></dt><dd><p>
        Specifies the new role should be automatically added as a member
        of the specified existing role. Multiple existing roles can be
        specified by writing multiple <code class="option">-g</code> switches.
       </p></dd><dt><span class="term"><code class="option">-i</code><br /></span><span class="term"><code class="option">--inherit</code></span></dt><dd><p>
        The new role will automatically inherit privileges of roles
        it is a member of.
        This is the default.
       </p></dd><dt><span class="term"><code class="option">-I</code><br /></span><span class="term"><code class="option">--no-inherit</code></span></dt><dd><p>
        The new role will not automatically inherit privileges of roles
        it is a member of.
       </p></dd><dt><span class="term"><code class="option">--interactive</code></span></dt><dd><p>
        Prompt for the user name if none is specified on the command line, and
        also prompt for whichever of the options
        <code class="option">-d</code>/<code class="option">-D</code>,
        <code class="option">-r</code>/<code class="option">-R</code>,
        <code class="option">-s</code>/<code class="option">-S</code> is not specified on the command
        line.  (This was the default behavior up to PostgreSQL 9.1.)
       </p></dd><dt><span class="term"><code class="option">-l</code><br /></span><span class="term"><code class="option">--login</code></span></dt><dd><p>
        The new user will be allowed to log in (that is, the user name
        can be used as the initial session user identifier).
        This is the default.
       </p></dd><dt><span class="term"><code class="option">-L</code><br /></span><span class="term"><code class="option">--no-login</code></span></dt><dd><p>
        The new user will not be allowed to log in.
        (A role without login privilege is still useful as a means of
        managing database permissions.)
       </p></dd><dt><span class="term"><code class="option">-m <em class="replaceable"><code>role</code></em></code><br /></span><span class="term"><code class="option">--with-member=<em class="replaceable"><code>role</code></em></code></span></dt><dd><p>
        Specifies an existing role that will be automatically
        added as a member of the new role. Multiple existing roles can
        be specified by writing multiple <code class="option">-m</code> switches.
       </p></dd><dt><span class="term"><code class="option">-P</code><br /></span><span class="term"><code class="option">--pwprompt</code></span></dt><dd><p>
       If given, <span class="application">createuser</span> will issue a prompt for
       the password of the new user. This is not necessary if you do not plan
       on using password authentication.
       </p></dd><dt><span class="term"><code class="option">-r</code><br /></span><span class="term"><code class="option">--createrole</code></span></dt><dd><p>
        The new user will be allowed to create, alter, drop, comment on,
        change the security label for other roles; that is,
        this user will have <code class="literal">CREATEROLE</code> privilege.
        See <a class="xref" href="role-attributes.html#ROLE-CREATION">role creation</a> for more details about what
        capabilities are conferred by this privilege.
       </p></dd><dt><span class="term"><code class="option">-R</code><br /></span><span class="term"><code class="option">--no-createrole</code></span></dt><dd><p>
        The new user will not be allowed to create new roles.  This is the
        default.
       </p></dd><dt><span class="term"><code class="option">-s</code><br /></span><span class="term"><code class="option">--superuser</code></span></dt><dd><p>
        The new user will be a superuser.
       </p></dd><dt><span class="term"><code class="option">-S</code><br /></span><span class="term"><code class="option">--no-superuser</code></span></dt><dd><p>
        The new user will not be a superuser.  This is the default.
       </p></dd><dt><span class="term"><code class="option">-v <em class="replaceable"><code>timestamp</code></em></code><br /></span><span class="term"><code class="option">--valid-until=<em class="replaceable"><code>timestamp</code></em></code></span></dt><dd><p>
        Set a date and time after which the role's password is no longer valid.
        The default is to set no password expiry date.
       </p></dd><dt><span class="term"><code class="option">-V</code><br /></span><span class="term"><code class="option">--version</code></span></dt><dd><p>
       Print the <span class="application">createuser</span> version and exit.
       </p></dd><dt><span class="term"><code class="option">--bypassrls</code></span></dt><dd><p>
        The new user will bypass every row-level security (RLS) policy.
       </p></dd><dt><span class="term"><code class="option">--no-bypassrls</code></span></dt><dd><p>
        The new user will not bypass row-level security (RLS) policies.  This is
        the default.
       </p></dd><dt><span class="term"><code class="option">--replication</code></span></dt><dd><p>
        The new user will have the <code class="literal">REPLICATION</code> privilege,
        which is described more fully in the documentation for <a class="xref" href="sql-createrole.html" title="CREATE ROLE"><span class="refentrytitle">CREATE ROLE</span></a>.
       </p></dd><dt><span class="term"><code class="option">--no-replication</code></span></dt><dd><p>
        The new user will not have the <code class="literal">REPLICATION</code>
        privilege, which is described more fully in the documentation for <a class="xref" href="sql-createrole.html" title="CREATE ROLE"><span class="refentrytitle">CREATE ROLE</span></a>.  This is the default.
       </p></dd><dt><span class="term"><code class="option">-?</code><br /></span><span class="term"><code class="option">--help</code></span></dt><dd><p>
       Show help about <span class="application">createuser</span> command line
       arguments, and exit.
       </p></dd></dl></div><p>
  </p><p>
   <span class="application">createuser</span> also accepts the following
   command-line arguments for connection parameters:

   </p><div class="variablelist"><dl class="variablelist"><dt><span class="term"><code class="option">-h <em class="replaceable"><code>host</code></em></code><br /></span><span class="term"><code class="option">--host=<em class="replaceable"><code>host</code></em></code></span></dt><dd><p>
        Specifies the host name of the machine on which the
        server
        is running.  If the value begins with a slash, it is used
        as the directory for the Unix domain socket.
       </p></dd><dt><span class="term"><code class="option">-p <em class="replaceable"><code>port</code></em></code><br /></span><span class="term"><code class="option">--port=<em class="replaceable"><code>port</code></em></code></span></dt><dd><p>
        Specifies the TCP port or local Unix domain socket file
        extension on which the server
        is listening for connections.
       </p></dd><dt><span class="term"><code class="option">-U <em class="replaceable"><code>username</code></em></code><br /></span><span class="term"><code class="option">--username=<em class="replaceable"><code>username</code></em></code></span></dt><dd><p>
        User name to connect as (not the user name to create).
       </p></dd><dt><span class="term"><code class="option">-w</code><br /></span><span class="term"><code class="option">--no-password</code></span></dt><dd><p>
        Never issue a password prompt.  If the server requires
        password authentication and a password is not available by
        other means such as a <code class="filename">.pgpass</code> file, the
        connection attempt will fail.  This option can be useful in
        batch jobs and scripts where no user is present to enter a
        password.
       </p></dd><dt><span class="term"><code class="option">-W</code><br /></span><span class="term"><code class="option">--password</code></span></dt><dd><p>
        Force <span class="application">createuser</span> to prompt for a
        password (for connecting to the server, not for the
        password of the new user).
       </p><p>
        This option is never essential, since
        <span class="application">createuser</span> will automatically prompt
        for a password if the server demands password authentication.
        However, <span class="application">createuser</span> will waste a
        connection attempt finding out that the server wants a password.
        In some cases it is worth typing <code class="option">-W</code> to avoid the extra
        connection attempt.
       </p></dd></dl></div><p>
  </p></div><div class="refsect1" id="id-1.9.4.5.7"><h2>Environment</h2><div class="variablelist"><dl class="variablelist"><dt><span class="term"><code class="envar">PGHOST</code><br /></span><span class="term"><code class="envar">PGPORT</code><br /></span><span class="term"><code class="envar">PGUSER</code></span></dt><dd><p>
      Default connection parameters
     </p></dd><dt><span class="term"><code class="envar">PG_COLOR</code></span></dt><dd><p>
      Specifies whether to use color in diagnostic messages. Possible values
      are <code class="literal">always</code>, <code class="literal">auto</code> and
      <code class="literal">never</code>.
     </p></dd></dl></div><p>
   This utility, like most other <span class="productname">PostgreSQL</span> utilities,
   also uses the environment variables supported by <span class="application">libpq</span>
   (see <a class="xref" href="libpq-envars.html" title="34.15. Environment Variables">Section 34.15</a>).
  </p></div><div class="refsect1" id="id-1.9.4.5.8"><h2>Diagnostics</h2><p>
   In case of difficulty, see <a class="xref" href="sql-createrole.html" title="CREATE ROLE"><span class="refentrytitle">CREATE ROLE</span></a>
   and <a class="xref" href="app-psql.html" title="psql"><span class="refentrytitle"><span class="application">psql</span></span></a> for
   discussions of potential problems and error messages.
   The database server must be running at the
   targeted host.  Also, any default connection settings and environment
   variables used by the <span class="application">libpq</span> front-end
   library will apply.
  </p></div><div class="refsect1" id="id-1.9.4.5.9"><h2>Examples</h2><p>
    To create a user <code class="literal">joe</code> on the default database
    server:
</p><pre class="screen">
<code class="prompt">$ </code><strong class="userinput"><code>createuser joe</code></strong>
</pre><p>
   </p><p>
    To create a user <code class="literal">joe</code> on the default database
    server with prompting for some additional attributes:
</p><pre class="screen">
<code class="prompt">$ </code><strong class="userinput"><code>createuser --interactive joe</code></strong>
<code class="computeroutput">Shall the new role be a superuser? (y/n) </code><strong class="userinput"><code>n</code></strong>
<code class="computeroutput">Shall the new role be allowed to create databases? (y/n) </code><strong class="userinput"><code>n</code></strong>
<code class="computeroutput">Shall the new role be allowed to create more new roles? (y/n) </code><strong class="userinput"><code>n</code></strong>
</pre><p>
   </p><p>
    To create the same user <code class="literal">joe</code> using the
    server on host <code class="literal">eden</code>, port 5000, with attributes explicitly specified,
    taking a look at the underlying command:
</p><pre class="screen">
<code class="prompt">$ </code><strong class="userinput"><code>createuser -h eden -p 5000 -S -D -R -e joe</code></strong>
<code class="computeroutput">CREATE ROLE joe NOSUPERUSER NOCREATEDB NOCREATEROLE INHERIT LOGIN;</code>
</pre><p>
   </p><p>
    To create the user <code class="literal">joe</code> as a superuser,
    and assign a password immediately:
</p><pre class="screen">
<code class="prompt">$ </code><strong class="userinput"><code>createuser -P -s -e joe</code></strong>
<code class="computeroutput">Enter password for new role: </code><strong class="userinput"><code>xyzzy</code></strong>
<code class="computeroutput">Enter it again: </code><strong class="userinput"><code>xyzzy</code></strong>
<code class="computeroutput">CREATE ROLE joe PASSWORD 'md5b5f5ba1a423792b526f799ae4eb3d59e' SUPERUSER CREATEDB CREATEROLE INHERIT LOGIN;</code>
</pre><p>
    In the above example, the new password isn't actually echoed when typed,
    but we show what was typed for clarity.  As you see, the password is
    encrypted before it is sent to the client.
   </p></div><div class="refsect1" id="id-1.9.4.5.10"><h2>See Also</h2><span class="simplelist"><a class="xref" href="app-dropuser.html" title="dropuser"><span class="refentrytitle"><span class="application">dropuser</span></span></a>, <a class="xref" href="sql-createrole.html" title="CREATE ROLE"><span class="refentrytitle">CREATE ROLE</span></a>, <a class="xref" href="runtime-config-client.html#GUC-CREATEROLE-SELF-GRANT">createrole_self_grant</a></span></div></div><div class="navfooter"><hr /><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="app-createdb.html" title="createdb">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="reference-client.html" title="PostgreSQL Client Applications">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="app-dropdb.html" title="dropdb">Next</a></td></tr><tr><td width="40%" align="left" valign="top"><span class="application">createdb</span> </td><td width="20%" align="center"><a accesskey="h" href="index.html" title="PostgreSQL 16.2 Documentation">Home</a></td><td width="40%" align="right" valign="top"> <span class="application">dropdb</span></td></tr></table></div></body></html>