diff options
| -rw-r--r-- | doc/src/sgml/ref/alter_role.sgml | 6 | ||||
| -rw-r--r-- | doc/src/sgml/ref/create_role.sgml | 11 | ||||
| -rw-r--r-- | src/backend/commands/user.c | 10 |
3 files changed, 19 insertions, 8 deletions
diff --git a/doc/src/sgml/ref/alter_role.sgml b/doc/src/sgml/ref/alter_role.sgml index 7b368b53770..d2d437c7258 100644 --- a/doc/src/sgml/ref/alter_role.sgml +++ b/doc/src/sgml/ref/alter_role.sgml @@ -70,8 +70,10 @@ ALTER ROLE { <replaceable class="PARAMETER">role_specification</replaceable> | A <xref linkend="SQL-REVOKE"> for that.) Attributes not mentioned in the command retain their previous settings. Database superusers can change any of these settings for any role. - Roles having <literal>CREATEROLE</> privilege can change any of these - settings, but only for non-superuser and non-replication roles. + Roles having <literal>CREATEROLE</literal> privilege can change any of these + settings except <literal>SUPERUSER</literal>, <literal>REPLICATION</literal>, + and <literal>BYPASSRLS</literal>; but only for non-superuser and + non-replication roles. Ordinary roles can only change their own password. </para> diff --git a/doc/src/sgml/ref/create_role.sgml b/doc/src/sgml/ref/create_role.sgml index c23cffa53e7..28ba2cbb2b2 100644 --- a/doc/src/sgml/ref/create_role.sgml +++ b/doc/src/sgml/ref/create_role.sgml @@ -187,6 +187,8 @@ CREATE ROLE <replaceable class="PARAMETER">name</replaceable> [ [ WITH ] <replac highly privileged role, and should only be used on roles actually used for replication. If not specified, <literal>NOREPLICATION</literal> is the default. + You must be a superuser to create a new role having the + <literal>REPLICATION</literal> attribute. </para> </listitem> </varlistentry> @@ -198,11 +200,16 @@ CREATE ROLE <replaceable class="PARAMETER">name</replaceable> [ [ WITH ] <replac <para> These clauses determine whether a role bypasses every row-level security (RLS) policy. <literal>NOBYPASSRLS</literal> is the default. + You must be a superuser to create a new role having + the <literal>BYPASSRLS</literal> attribute. + </para> + + <para> Note that pg_dump will set <literal>row_security</literal> to <literal>OFF</literal> by default, to ensure all contents of a table are dumped out. If the user running pg_dump does not have appropriate - permissions, an error will be returned. The superuser and owner of the - table being dumped always bypass RLS. + permissions, an error will be returned. However, superusers and the + owner of the table being dumped always bypass RLS. </para> </listitem> </varlistentry> diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index ccacf2d0d1f..7567e2f17e7 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -665,8 +665,10 @@ AlterRole(AlterRoleStmt *stmt) roleid = HeapTupleGetOid(tuple); /* - * To mess with a superuser you gotta be superuser; else you need - * createrole, or just want to change your own password + * To mess with a superuser or replication role in any way you gotta be + * superuser. We also insist on superuser to change the BYPASSRLS + * property. Otherwise, if you don't have createrole, you're only allowed + * to change your own password. */ if (authform->rolsuper || issuper >= 0) { @@ -682,7 +684,7 @@ AlterRole(AlterRoleStmt *stmt) (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), errmsg("must be superuser to alter replication users"))); } - else if (authform->rolbypassrls || bypassrls >= 0) + else if (bypassrls >= 0) { if (!superuser()) ereport(ERROR, @@ -691,11 +693,11 @@ AlterRole(AlterRoleStmt *stmt) } else if (!have_createrole_privilege()) { + /* We already checked issuper, isreplication, and bypassrls */ if (!(inherit < 0 && createrole < 0 && createdb < 0 && canlogin < 0 && - isreplication < 0 && !dconnlimit && !rolemembers && !validUntil && |