author | Tom Lane <tgl@sss.pgh.pa.us> | 2005-07-26 16:38:29 +0000 |
---|---|---|
committer | Tom Lane <tgl@sss.pgh.pa.us> | 2005-07-26 16:38:29 +0000 |
commit | af019fb9aec0274875a10a89c68c8fecb949349f (patch) | |
tree | 21f9b389c49ef4386bc8faf9adcd26199417a806 /doc/src | |
parent | f9fd1764615ed5d85fab703b0ffb0c323fe7dfd5 (diff) | |
Add a role property 'rolinherit' which, when false, denotes that the role
doesn't automatically inherit the privileges of roles it is a member of;
for such a role, membership in another role can be exploited only by doing
explicit SET ROLE. The default inherit setting is TRUE, so by default
the behavior doesn't change, but creating a user with NOINHERIT gives closer
adherence to our current reading of SQL99. Documentation still lacking,
and I think the information schema needs another look.
Diffstat (limited to 'doc/src')
-rw-r--r-- | doc/src/sgml/catalogs.sgml | 30 |
-rw-r--r-- | doc/src/sgml/func.sgml | 9 |
2 files changed, 36 insertions, 3 deletions
diff --git a/doc/src/sgml/catalogs.sgml b/doc/src/sgml/catalogs.sgml index fa0abca950c..0c8ed68195d 100644 --- a/doc/src/sgml/catalogs.sgml +++ b/doc/src/sgml/catalogs.sgml @@ -1,6 +1,6 @@ <!-- Documentation of the system catalogs, directed toward PostgreSQL developers - $PostgreSQL: pgsql/doc/src/sgml/catalogs.sgml,v 2.108 2005/07/14 05:13:38 tgl Exp $ + $PostgreSQL: pgsql/doc/src/sgml/catalogs.sgml,v 2.109 2005/07/26 16:38:25 tgl Exp $ --> <chapter id="catalogs"> @@ -977,6 +977,14 @@ </row> <row> + <entry><structfield>rolinherit</structfield></entry> + <entry><type>bool</type></entry> + <entry></entry> + <entry>Role automatically inherits privileges of roles it is a + member of</entry> + </row> + + <row> <entry><structfield>rolcreaterole</structfield></entry> <entry><type>bool</type></entry> <entry></entry> @@ -4728,6 +4736,11 @@ that blanks out the password field. </para> + <para> + This view explicitly exposes the OID column of the underlying table, + since that is needed to do joins to other catalogs. + </para> + <table> <title><structname>pg_roles</> Columns</title> @@ -4757,6 +4770,14 @@ </row> <row> + <entry><structfield>rolinherit</structfield></entry> + <entry><type>bool</type></entry> + <entry></entry> + <entry>Role automatically inherits privileges of roles it is a + member of</entry> + </row> + + <row> <entry><structfield>rolcreaterole</structfield></entry> <entry><type>bool</type></entry> <entry></entry> @@ -4811,6 +4832,13 @@ <entry></entry> <entry>Session defaults for run-time configuration variables</entry> </row> + + <row> + <entry><structfield>oid</structfield></entry> + <entry><type>oid</type></entry> + <entry><literal><link linkend="catalog-pg-authid"><structname>pg_authid</structname></link>.oid</literal></entry> + <entry>ID of role</entry> + </row> </tbody> </tgroup> </table> diff --git a/doc/src/sgml/func.sgml b/doc/src/sgml/func.sgml index b5ce30105bc..0fdcb1d0df1 100644 --- a/doc/src/sgml/func.sgml +++ b/doc/src/sgml/func.sgml 
@@ -1,5 +1,5 @@ <!-- -$PostgreSQL: pgsql/doc/src/sgml/func.sgml,v 1.271 2005/07/26 00:04:17 tgl Exp $ +$PostgreSQL: pgsql/doc/src/sgml/func.sgml,v 1.272 2005/07/26 16:38:25 tgl Exp $ PostgreSQL documentation --> @@ -8559,7 +8559,12 @@ SELECT has_function_privilege('joeuser', 'myfunc(int, text)', 'execute'); can access a role in a particular way. The possibilities for its arguments are analogous to <function>has_table_privilege</function>. The desired access privilege type must evaluate to - <literal>MEMBER</literal>. + <literal>MEMBER</literal> or + <literal>USAGE</literal>. + <literal>MEMBER</literal> denotes direct or indirect membership in + the role (that is, the right to do <literal>SET ROLE</>), while + <literal>USAGE</literal> denotes whether the privileges of the role + are immediately available without doing <literal>SET ROLE</>. </para> <para> |
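Review bot: The new rolinherit rows in catalogs.sgml (the hunks at @@ -977,6 +977,14 for pg_authid and @@ -4757,6 +4770,14 for pg_roles) describe only the true case: "Role automatically inherits privileges of roles it is a member of". Someone reading the catalog to audit effective privileges cannot tell from this what false means. Suggest extending the entry to say that when the flag is false, the privileges of roles it is a member of become available only after an explicit SET ROLE, and that the default is true, as the commit message states.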
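Review bot: In the func.sgml hunk at @@ -8559,7 +8559,12, the added MEMBER/USAGE text never mentions rolinherit, so the reader is not told when the two privilege types can give different answers. Suggest adding a sentence that ties USAGE to the rolinherit column documented in catalogs.sgml by this same commit, since privilege checks that test only MEMBER will report access that a role with rolinherit false cannot use without SET ROLE. Minor style point in the same lines: the closing tags alternate between </literal> and the short form </> within one paragraph (for example "<literal>SET ROLE</>" next to "<literal>USAGE</literal>"); pick one form for the added text.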