improve predefined roles documentation
IMHO there are a couple of opportunities for improving the predefined roles
documentation [0]https://www.postgresql.org/docs/devel/predefined-roles.html:
* Several of the roles in the table do not have corresponding descriptions
in the paragraphs below the table (e.g., pg_read_all_data,
pg_write_all_data, pg_checkpoint, pg_maintain,
pg_use_reserved_connections, and pg_create_subscription). Furthermore,
IMHO it is weird to have some of the information in the table and some
more in a paragraph down the page.
* The table has grown quite a bit over the years, but the entries are
basically unordered, requiring readers to perform a linear search (O(n))
to find information about a specific role.
* Documentation that refers to these roles cannot link to a specific one.
Currently, we just link to the page or the table.
I think we could improve matters by abandoning the table and instead
documenting these roles more like we document GUCs, i.e., each one has a
section below it where we can document it in as much detail as we want.
Some of these roles should probably be documented together (e.g.,
pg_read_all_data and pg_write_all_data), so the ordering is unlikely to be
perfect, but I'm hoping it would still be a net improvement.
Thoughts?
[0]: https://www.postgresql.org/docs/devel/predefined-roles.html
--
nathan
On Thu, Jun 13, 2024 at 12:48 PM Nathan Bossart <nathandbossart@gmail.com>
wrote:
I think we could improve matters by abandoning the table and instead
documenting these roles more like we document GUCs, i.e., each one has a
section below it where we can document it in as much detail as we want.
One of the main attributes for the GUCs is their category. If we want to
improve organization we'd need to assign categories first. We already
implicitly do so in the description section where we do group them together
and explain why - but it is all informal. But getting rid of those
groupings and descriptions and isolating each role so it can be linked to
more easily seems like a net loss in usability.
I'm against getting rid of the table. If we do add authoritative
subsection anchors we should just do like we do in System Catalogs and make
the existing table name values hyperlinks to those newly added anchors.
Breaking the one table up into multiple tables along category lines is
something to consider.
David J.
On Thu, Jun 13, 2024 at 01:05:33PM -0700, David G. Johnston wrote:
One of the main attributes for the GUCs is their category. If we want to
improve organization we'd need to assign categories first. We already
implicitly do so in the description section where we do group them together
and explain why - but it is all informal. But getting rid of those
groupings and descriptions and isolating each role so it can be linked to
more easily seems like a net loss in usability.
What I had in mind is that we would retain these groupings. I agree that
isolating roles like pg_read_all_data and pg_write_all_data would be no
good.
--
nathan
On Thu, Jun 13, 2024 at 3:48 PM Nathan Bossart <nathandbossart@gmail.com> wrote:
I think we could improve matters by abandoning the table and instead
documenting these roles more like we document GUCs, i.e., each one has a
section below it where we can document it in as much detail as we want.
Some of these roles should probably be documented together (e.g.,
pg_read_all_data and pg_write_all_data), so the ordering is unlikely to be
perfect, but I'm hoping it would still be a net improvement.
+1. I'm not sure about all of the details, but I like the general idea.
--
Robert Haas
EDB: http://www.enterprisedb.com
On Mon, Jun 17, 2024 at 02:10:22PM -0400, Robert Haas wrote:
On Thu, Jun 13, 2024 at 3:48 PM Nathan Bossart <nathandbossart@gmail.com> wrote:
I think we could improve matters by abandoning the table and instead
documenting these roles more like we document GUCs, i.e., each one has a
section below it where we can document it in as much detail as we want.
Some of these roles should probably be documented together (e.g.,
pg_read_all_data and pg_write_all_data), so the ordering is unlikely to be
perfect, but I'm hoping it would still be a net improvement.+1. I'm not sure about all of the details, but I like the general idea.
Here is a first try. I did pretty much exactly what I proposed in the
quoted text, so I don't have much else to say about it. I didn't see an
easy way to specify multiple ids and xreflabels for a given entry, so the
entries that describe multiple roles just use the name of the first role
listed. In practice, I think this just means you need to do a little extra
work when linking to one of the other roles from elsewhere in the docs,
which doesn't seem too terrible.
--
nathan
Attachments:
v1-0001-revamp-predefined-roles-documentation.patchtext/plain; charset=us-asciiDownload
From 89db4a562ddb07aa1215608fb116b511143b0e66 Mon Sep 17 00:00:00 2001
From: Nathan Bossart <nathan@postgresql.org>
Date: Tue, 18 Jun 2024 11:38:40 -0500
Subject: [PATCH v1 1/1] revamp predefined roles documentation
---
doc/src/sgml/config.sgml | 2 +-
doc/src/sgml/monitoring.sgml | 4 +-
doc/src/sgml/ref/checkpoint.sgml | 2 +-
doc/src/sgml/ref/reindex.sgml | 2 +-
doc/src/sgml/user-manag.sgml | 339 ++++++++++++++++---------------
5 files changed, 185 insertions(+), 164 deletions(-)
diff --git a/doc/src/sgml/config.sgml b/doc/src/sgml/config.sgml
index 698169afdb..b9fd3f3bd6 100644
--- a/doc/src/sgml/config.sgml
+++ b/doc/src/sgml/config.sgml
@@ -731,7 +731,7 @@ include_dir 'conf.d'
<para>
Determines the number of connection <quote>slots</quote> that are
reserved for connections by roles with privileges of the
- <link linkend="predefined-roles-table"><literal>pg_use_reserved_connections</literal></link>
+ <xref linkend="predefined-role-pg-use-reserved-connections"/>
role. Whenever the number of free connection slots is greater than
<xref linkend="guc-superuser-reserved-connections"/> but less than or
equal to the sum of <varname>superuser_reserved_connections</varname>
diff --git a/doc/src/sgml/monitoring.sgml b/doc/src/sgml/monitoring.sgml
index b2ad9b446f..133ad462cb 100644
--- a/doc/src/sgml/monitoring.sgml
+++ b/doc/src/sgml/monitoring.sgml
@@ -286,8 +286,8 @@ postgres 27093 0.0 0.0 30096 2752 ? Ss 11:34 0:00 postgres: ser
other sessions, many columns will be null. Note, however, that the
existence of a session and its general properties such as its sessions user
and database are visible to all users. Superusers and roles with privileges of
- built-in role <literal>pg_read_all_stats</literal> (see also <xref
- linkend="predefined-roles"/>) can see all the information about all sessions.
+ built-in role <link linkend="predefined-role-pg-read-all-settings"><literal>pg_read_all_stats</literal></link>
+ can see all the information about all sessions.
</para>
<table id="monitoring-stats-dynamic-views-table">
diff --git a/doc/src/sgml/ref/checkpoint.sgml b/doc/src/sgml/ref/checkpoint.sgml
index 28a1d717b8..db011a47d0 100644
--- a/doc/src/sgml/ref/checkpoint.sgml
+++ b/doc/src/sgml/ref/checkpoint.sgml
@@ -53,7 +53,7 @@ CHECKPOINT
<para>
Only superusers or users with the privileges of
- the <link linkend="predefined-roles-table"><literal>pg_checkpoint</literal></link>
+ the <xref linkend="predefined-role-pg-checkpoint"/>
role can call <command>CHECKPOINT</command>.
</para>
</refsect1>
diff --git a/doc/src/sgml/ref/reindex.sgml b/doc/src/sgml/ref/reindex.sgml
index 2942dccf1e..dcf70d14bc 100644
--- a/doc/src/sgml/ref/reindex.sgml
+++ b/doc/src/sgml/ref/reindex.sgml
@@ -305,7 +305,7 @@ REINDEX [ ( <replaceable class="parameter">option</replaceable> [, ...] ) ] { DA
partitioned table, such commands skip the privilege checks when processing
the individual partitions. Reindexing a schema or database requires being the
owner of that schema or database or having privileges of the
- <link linkend="predefined-roles-table"><literal>pg_maintain</literal></link>
+ <xref linkend="predefined-role-pg-maintain"/>
role. Note specifically that it's thus
possible for non-superusers to rebuild indexes of tables owned by
other users. However, as a special exception,
diff --git a/doc/src/sgml/user-manag.sgml b/doc/src/sgml/user-manag.sgml
index 07a16247d7..1d3805d303 100644
--- a/doc/src/sgml/user-manag.sgml
+++ b/doc/src/sgml/user-manag.sgml
@@ -590,101 +590,71 @@ DROP ROLE doomed_role;
and information. Administrators (including roles that have the
<literal>CREATEROLE</literal> privilege) can <command>GRANT</command> these
roles to users and/or other roles in their environment, providing those
- users with access to the specified capabilities and information.
+ users with access to the specified capabilities and information. For
+ example:
+
+<programlisting>
+GRANT pg_signal_backend TO admin_user;
+</programlisting>
</para>
+ <warning>
+ <para>
+ Care should be taken when granting these roles to ensure they are only used
+ where needed and with the understanding that these roles grant access to
+ privileged information.
+ </para>
+ </warning>
+
<para>
- The predefined roles are described in <xref linkend="predefined-roles-table"/>.
+ The predefined roles are described below.
Note that the specific permissions for each of the roles may change in
the future as additional capabilities are added. Administrators
should monitor the release notes for changes.
- </para>
- <table tocentry="1" id="predefined-roles-table">
- <title>Predefined Roles</title>
- <tgroup cols="2">
- <colspec colname="col1" colwidth="1*"/>
- <colspec colname="col2" colwidth="2*"/>
- <thead>
- <row>
- <entry>Role</entry>
- <entry>Allowed Access</entry>
- </row>
- </thead>
- <tbody>
- <row>
- <entry>pg_read_all_data</entry>
- <entry>Read all data (tables, views, sequences), as if having
- <command>SELECT</command> rights on those objects, and USAGE rights on
- all schemas, even without having it explicitly. This role does not have
- the role attribute <literal>BYPASSRLS</literal> set. If RLS is being
- used, an administrator may wish to set <literal>BYPASSRLS</literal> on
- roles which this role is GRANTed to.</entry>
- </row>
- <row>
- <entry>pg_write_all_data</entry>
- <entry>Write all data (tables, views, sequences), as if having
- <command>INSERT</command>, <command>UPDATE</command>, and
- <command>DELETE</command> rights on those objects, and USAGE rights on
- all schemas, even without having it explicitly. This role does not have
- the role attribute <literal>BYPASSRLS</literal> set. If RLS is being
- used, an administrator may wish to set <literal>BYPASSRLS</literal> on
- roles which this role is GRANTed to.</entry>
- </row>
- <row>
- <entry>pg_read_all_settings</entry>
- <entry>Read all configuration variables, even those normally visible only to
- superusers.</entry>
- </row>
- <row>
- <entry>pg_read_all_stats</entry>
- <entry>Read all pg_stat_* views and use various statistics related extensions,
- even those normally visible only to superusers.</entry>
- </row>
- <row>
- <entry>pg_stat_scan_tables</entry>
- <entry>Execute monitoring functions that may take <literal>ACCESS SHARE</literal> locks on tables,
- potentially for a long time.</entry>
- </row>
- <row>
- <entry>pg_monitor</entry>
- <entry>Read/execute various monitoring views and functions.
- This role is a member of <literal>pg_read_all_settings</literal>,
- <literal>pg_read_all_stats</literal> and
- <literal>pg_stat_scan_tables</literal>.</entry>
- </row>
- <row>
- <entry>pg_database_owner</entry>
- <entry>None. Membership consists, implicitly, of the current database owner.</entry>
- </row>
- <row>
- <entry>pg_signal_backend</entry>
- <entry>Signal another backend to cancel a query or terminate its session.</entry>
- </row>
- <row>
- <entry>pg_read_server_files</entry>
- <entry>Allow reading files from any location the database can access on the server with COPY and
- other file-access functions.</entry>
- </row>
- <row>
- <entry>pg_write_server_files</entry>
- <entry>Allow writing to files in any location the database can access on the server with COPY and
- other file-access functions.</entry>
- </row>
- <row>
- <entry>pg_execute_server_program</entry>
- <entry>Allow executing programs on the database server as the user the database runs as with
- COPY and other functions which allow executing a server-side program.</entry>
- </row>
- <row>
- <entry>pg_checkpoint</entry>
- <entry>Allow executing
- the <link linkend="sql-checkpoint"><command>CHECKPOINT</command></link>
- command.</entry>
- </row>
- <row>
- <entry>pg_maintain</entry>
- <entry>Allow executing
+ <variablelist>
+ <varlistentry id="predefined-role-pg-checkpoint" xreflabel="pg_checkpoint">
+ <term><varname>pg_checkpoint</varname></term>
+ <listitem>
+ <para>
+ Allows executing the
+ <link linkend="sql-checkpoint"><command>CHECKPOINT</command></link> command.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry id="predefined-role-pg-create-subscription" xreflabel="pg_create_subscription">
+ <term><varname>pg_create_subscription</varname></term>
+ <listitem>
+ <para>
+ Allows users with <literal>CREATE</literal> permission on the database to issue
+ <link linkend="sql-createsubscription"><command>CREATE SUBSCRIPTION</command></link>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry id="predefined-role-pg-database-owner" xreflabel="pg_database_owner">
+ <term><varname>pg_database_owner</varname></term>
+ <listitem>
+ <para>
+ Membership consists, implicitly, of the current database owner. Like
+ any role, it can own objects or receive grants of access privileges.
+ Consequently, once <literal>pg_database_owner</literal> has rights
+ within a template database, each owner of a database instantiated from
+ that template will exercise those rights.
+ <literal>pg_database_owner</literal> cannot be a member of any role, and
+ it cannot have non-implicit members. Initially, this role owns the
+ <literal>public</literal> schema, so each database owner governs local
+ use of the schema.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry id="predefined-role-pg-maintain" xreflabel="pg_maintain">
+ <term><varname>pg_maintain</varname></term>
+ <listitem>
+ <para>
+ Allows executing
<link linkend="sql-vacuum"><command>VACUUM</command></link>,
<link linkend="sql-analyze"><command>ANALYZE</command></link>,
<link linkend="sql-cluster"><command>CLUSTER</command></link>,
@@ -692,78 +662,129 @@ DROP ROLE doomed_role;
<link linkend="sql-reindex"><command>REINDEX</command></link>,
and <link linkend="sql-lock"><command>LOCK TABLE</command></link> on all
relations, as if having <literal>MAINTAIN</literal> rights on those
- objects, even without having it explicitly.</entry>
- </row>
- <row>
- <entry>pg_use_reserved_connections</entry>
- <entry>Allow use of connection slots reserved via
- <xref linkend="guc-reserved-connections"/>.</entry>
- </row>
- <row>
- <entry>pg_create_subscription</entry>
- <entry>Allow users with <literal>CREATE</literal> permission on the
- database to issue
- <link linkend="sql-createsubscription"><command>CREATE SUBSCRIPTION</command></link>.</entry>
- </row>
- </tbody>
- </tgroup>
- </table>
-
- <para>
- The <literal>pg_monitor</literal>, <literal>pg_read_all_settings</literal>,
- <literal>pg_read_all_stats</literal> and <literal>pg_stat_scan_tables</literal>
- roles are intended to allow administrators to easily configure a role for the
- purpose of monitoring the database server. They grant a set of common privileges
- allowing the role to read various useful configuration settings, statistics and
- other system information normally restricted to superusers.
- </para>
-
- <para>
- The <literal>pg_database_owner</literal> role has one implicit,
- situation-dependent member, namely the owner of the current database. Like
- any role, it can own objects or receive grants of access privileges.
- Consequently, once <literal>pg_database_owner</literal> has rights within a
- template database, each owner of a database instantiated from that template
- will exercise those rights. <literal>pg_database_owner</literal> cannot be
- a member of any role, and it cannot have non-implicit members. Initially,
- this role owns the <literal>public</literal> schema, so each database owner
- governs local use of the schema.
- </para>
-
- <para>
- The <literal>pg_signal_backend</literal> role is intended to allow
- administrators to enable trusted, but non-superuser, roles to send signals
- to other backends. Currently this role enables sending of signals for
- canceling a query on another backend or terminating its session. A user
- granted this role cannot however send signals to a backend owned by a
- superuser. See <xref linkend="functions-admin-signal"/>.
- </para>
-
- <para>
- The <literal>pg_read_server_files</literal>, <literal>pg_write_server_files</literal> and
- <literal>pg_execute_server_program</literal> roles are intended to allow administrators to have
- trusted, but non-superuser, roles which are able to access files and run programs on the
- database server as the user the database runs as. As these roles are able to access any file on
- the server file system, they bypass all database-level permission checks when accessing files
- directly and they could be used to gain superuser-level access, therefore
- great care should be taken when granting these roles to users.
- </para>
-
- <para>
- Care should be taken when granting these roles to ensure they are only used where
- needed and with the understanding that these roles grant access to privileged
- information.
- </para>
-
- <para>
- Administrators can grant access to these roles to users using the
- <link linkend="sql-grant"><command>GRANT</command></link> command, for example:
-
-<programlisting>
-GRANT pg_signal_backend TO admin_user;
-</programlisting>
+ objects, even without having it explicitly.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry id="predefined-role-pg-read-all-data" xreflabel="pg_read_all_data">
+ <term><varname>pg_read_all_data</varname></term>
+ <term><varname>pg_write_all_data</varname></term>
+ <listitem>
+ <para>
+ <literal>pg_read_all_data</literal> allows reading all data (tables,
+ views, sequences), as if having <command>SELECT</command> rights on
+ those objects, and USAGE rights on all schemas, even without having it
+ explicitly. This role does not have the role attribute
+ <literal>BYPASSRLS</literal> set. If RLS is being used, an
+ administrator may wish to set <literal>BYPASSRLS</literal> on roles
+ which this role is GRANTed to.
+ </para>
+ <para>
+ <literal>pg_write_all_data</literal> allows writing all data (tables,
+ views, sequences), as if having <command>INSERT</command>,
+ <command>UPDATE</command>, and <command>DELETE</command> rights on those
+ objects, and USAGE rights on all schemas, even without having it
+ explicitly. This role does not have the role attribute
+ <literal>BYPASSRLS</literal> set. If RLS is being used, an
+ administrator may wish to set <literal>BYPASSRLS</literal> on roles
+ which this role is GRANTed to.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry id="predefined-role-pg-read-all-settings" xreflabel="pg_read_all_settings">
+ <term><varname>pg_read_all_settings</varname></term>
+ <term><varname>pg_read_all_stats</varname></term>
+ <term><varname>pg_stat_scan_tables</varname></term>
+ <term><varname>pg_monitor</varname></term>
+ <listitem>
+ <para>
+ These roles are intended to allow administrators to easily configure a
+ role for the purpose of monitoring the database server. They grant a
+ set of common privileges allowing the role to read various useful
+ configuration settings, statistics, and other system information
+ normally restricted to superusers.
+ </para>
+ <para>
+ <literal>pg_read_all_settings</literal> allows reading all configuration
+ variables, even those normally visible only to superusers.
+ </para>
+ <para>
+ <literal>pg_read_all_stats</literal> allows reading all pg_stat_* views
+ and use various statistics related extensions, even those normally
+ visible only to superusers.
+ </para>
+ <para>
+ <literal>pg_stat_scan_tables</literal> allows executing monitoring
+ functions that may take <literal>ACCESS SHARE</literal> locks on tables,
+ potentially for a long time.
+ </para>
+ <para>
+ <literal>pg_monitor</literal> allows reading/executing various
+ monitoring views and functions. This role is a member of
+ <literal>pg_read_all_settings</literal>,
+ <literal>pg_read_all_stats</literal> and
+ <literal>pg_stat_scan_tables</literal>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry id="predefined-role-pg-read-server-files" xreflabel="pg_read_server_files">
+ <term><varname>pg_read_server_files</varname></term>
+ <term><varname>pg_write_server_files</varname></term>
+ <term><varname>pg_execute_server_program</varname></term>
+ <listitem>
+ <para>
+ These roles are intended to allow administrators to have trusted, but
+ non-superuser, roles which are able to access files and run programs on
+ the database server as the user the database runs as. As these roles
+ are able to access any file on the server file system, they bypass all
+ database-level permission checks when accessing files directly and they
+ could be used to gain superuser-level access, therefore great care
+ should be taken when granting these roles to users.
+ </para>
+ <para>
+ <literal>pg_read_server_files</literal> allows reading files from any
+ location the database can access on the server with COPY and other
+ file-access functions.
+ </para>
+ <para>
+ <literal>pg_write_server_files</literal> allows writing to files in any
+ location the database can access on the server with COPY any other
+ file-access functions.
+ </para>
+ <para>
+ <literal>pg_execute_server_program</literal> allows executing programs
+ on the database server as the user the database runs as with COPY and
+ other functions which allow executing a server-side program.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry id="predefined-role-pg-signal-backend" xreflabel="pg_signal_backend">
+ <term><varname>pg_signal_backend</varname></term>
+ <listitem>
+ <para>
+ Allows signaling another backend to cancel a query or terminate its
+ session. A user granted this role cannot however send signals to a
+ backend owned by a superuser. See
+ <xref linkend="functions-admin-signal"/>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry id="predefined-role-pg-use-reserved-connections" xreflabel="pg_use_reserved_connections">
+ <term><varname>pg_use_reserved_connections</varname></term>
+ <listitem>
+ <para>
+ Allows use of connection slots reserved via
+ <xref linkend="guc-reserved-connections"/>.
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
</para>
-
</sect1>
<sect1 id="perm-functions">
--
2.39.3 (Apple Git-146)
On Tue, Jun 18, 2024 at 9:52 AM Nathan Bossart <nathandbossart@gmail.com>
wrote:
On Mon, Jun 17, 2024 at 02:10:22PM -0400, Robert Haas wrote:
On Thu, Jun 13, 2024 at 3:48 PM Nathan Bossart <nathandbossart@gmail.com>
wrote:
I think we could improve matters by abandoning the table and instead
documenting these roles more like we document GUCs, i.e., each one has a
section below it where we can document it in as much detail as we want.
Some of these roles should probably be documented together (e.g.,
pg_read_all_data and pg_write_all_data), so the ordering is unlikely tobe
perfect, but I'm hoping it would still be a net improvement.
+1. I'm not sure about all of the details, but I like the general idea.
Here is a first try. I did pretty much exactly what I proposed in the
quoted text, so I don't have much else to say about it. I didn't see an
easy way to specify multiple ids and xreflabels for a given entry, so the
entries that describe multiple roles just use the name of the first role
listed. In practice, I think this just means you need to do a little extra
work when linking to one of the other roles from elsewhere in the docs,
which doesn't seem too terrible.
I like this. Losing the table turned out to be ok. Thank you.
I would probably put pg_monitor first in the list.
+ A user granted this role cannot however send signals to a backend owned
by a superuser.
Remove "however", or put commas around it. I prefer the first option.
Do we really need to repeat "even without having it explicitly" everywhere?
+ This role does not have the role attribute BYPASSRLS set.
Even if it did, that attribute isn't inherited anyway...
"This role is still governed by any row level security policies that may be
in force. Consider setting the BYPASSRLS attribute on member roles."
(assuming they intend it to be ALL data then doing the bypassrls even if
they are not today using it doesn't hurt)
pg_stat_scan_tables - This explanation leaves me wanting more. Maybe give
an example of such a function? I think the bar is set a bit too high just
talking about a specific lock level.
"As these roles are able to access any file on the server file system,"
We forbid running under root so this isn't really true. They do have
operating system level access logged in as the database process owner.
They are able to access all PostgreSQL files on the server file system and
usually can run a wide-variety of commands on the server.
"access, therefore great care should be taken"
I would go with:
"access. Great care should be taken"
Seems more impactful as its own sentence then at the end of a long
multi-part sentence.
"server with COPY any other file-access functions." - s/with/using/
David J.
On Thu, Jun 20, 2024 at 07:57:16PM -0700, David G. Johnston wrote:
I like this. Losing the table turned out to be ok. Thank you.
Awesome.
I would probably put pg_monitor first in the list.
Done.
+ A user granted this role cannot however send signals to a backend owned
by a superuser.Remove "however", or put commas around it. I prefer the first option.
This sentence caught my eye earlier, too, because it seems to imply that a
superuser granted this role cannot signal superuser-owned backends. I
changed it to the following:
Note that this role does not permit signaling backends owned by a
superuser.
How does that sound?
Do we really need to repeat "even without having it explicitly" everywhere?
Removed.
+ This role does not have the role attribute BYPASSRLS set.
Even if it did, that attribute isn't inherited anyway...
"This role is still governed by any row level security policies that may be
in force. Consider setting the BYPASSRLS attribute on member roles."(assuming they intend it to be ALL data then doing the bypassrls even if
they are not today using it doesn't hurt)
How does something like the following sound?
This role does not bypass row-level security (RLS) policies. If RLS is
being used, an administrator may wish to set BYPASSRLS on roles which
this role is granted to.
pg_stat_scan_tables - This explanation leaves me wanting more. Maybe give
an example of such a function? I think the bar is set a bit too high just
talking about a specific lock level.
I was surprised to learn that this role only provides privileges for
functions in contrib/ modules. Anyway, added an example.
"As these roles are able to access any file on the server file system,"
We forbid running under root so this isn't really true. They do have
operating system level access logged in as the database process owner.
They are able to access all PostgreSQL files on the server file system and
usually can run a wide-variety of commands on the server.
I just deleted this clause.
"access, therefore great care should be taken"
I would go with:
"access. Great care should be taken"
Seems more impactful as its own sentence then at the end of a long
multi-part sentence.
Done.
"server with COPY any other file-access functions." - s/with/using/
Done.
--
nathan
Attachments:
v2-0001-revamp-predefined-roles-documentation.patchtext/plain; charset=us-asciiDownload
From 70ae4e75e59fb369bb46fccb579b9dedc6c24b11 Mon Sep 17 00:00:00 2001
From: Nathan Bossart <nathan@postgresql.org>
Date: Tue, 18 Jun 2024 11:38:40 -0500
Subject: [PATCH v2 1/1] revamp predefined roles documentation
---
doc/src/sgml/config.sgml | 2 +-
doc/src/sgml/monitoring.sgml | 4 +-
doc/src/sgml/ref/checkpoint.sgml | 2 +-
doc/src/sgml/ref/reindex.sgml | 2 +-
doc/src/sgml/user-manag.sgml | 337 ++++++++++++++++---------------
5 files changed, 183 insertions(+), 164 deletions(-)
diff --git a/doc/src/sgml/config.sgml b/doc/src/sgml/config.sgml
index 0c7a9082c5..03e37209e6 100644
--- a/doc/src/sgml/config.sgml
+++ b/doc/src/sgml/config.sgml
@@ -731,7 +731,7 @@ include_dir 'conf.d'
<para>
Determines the number of connection <quote>slots</quote> that are
reserved for connections by roles with privileges of the
- <link linkend="predefined-roles-table"><literal>pg_use_reserved_connections</literal></link>
+ <xref linkend="predefined-role-pg-use-reserved-connections"/>
role. Whenever the number of free connection slots is greater than
<xref linkend="guc-superuser-reserved-connections"/> but less than or
equal to the sum of <varname>superuser_reserved_connections</varname>
diff --git a/doc/src/sgml/monitoring.sgml b/doc/src/sgml/monitoring.sgml
index b2ad9b446f..f30c1e53fa 100644
--- a/doc/src/sgml/monitoring.sgml
+++ b/doc/src/sgml/monitoring.sgml
@@ -286,8 +286,8 @@ postgres 27093 0.0 0.0 30096 2752 ? Ss 11:34 0:00 postgres: ser
other sessions, many columns will be null. Note, however, that the
existence of a session and its general properties such as its sessions user
and database are visible to all users. Superusers and roles with privileges of
- built-in role <literal>pg_read_all_stats</literal> (see also <xref
- linkend="predefined-roles"/>) can see all the information about all sessions.
+ built-in role <link linkend="predefined-role-pg-monitor"><literal>pg_read_all_stats</literal></link>
+ can see all the information about all sessions.
</para>
<table id="monitoring-stats-dynamic-views-table">
diff --git a/doc/src/sgml/ref/checkpoint.sgml b/doc/src/sgml/ref/checkpoint.sgml
index 28a1d717b8..db011a47d0 100644
--- a/doc/src/sgml/ref/checkpoint.sgml
+++ b/doc/src/sgml/ref/checkpoint.sgml
@@ -53,7 +53,7 @@ CHECKPOINT
<para>
Only superusers or users with the privileges of
- the <link linkend="predefined-roles-table"><literal>pg_checkpoint</literal></link>
+ the <xref linkend="predefined-role-pg-checkpoint"/>
role can call <command>CHECKPOINT</command>.
</para>
</refsect1>
diff --git a/doc/src/sgml/ref/reindex.sgml b/doc/src/sgml/ref/reindex.sgml
index 2942dccf1e..dcf70d14bc 100644
--- a/doc/src/sgml/ref/reindex.sgml
+++ b/doc/src/sgml/ref/reindex.sgml
@@ -305,7 +305,7 @@ REINDEX [ ( <replaceable class="parameter">option</replaceable> [, ...] ) ] { DA
partitioned table, such commands skip the privilege checks when processing
the individual partitions. Reindexing a schema or database requires being the
owner of that schema or database or having privileges of the
- <link linkend="predefined-roles-table"><literal>pg_maintain</literal></link>
+ <xref linkend="predefined-role-pg-maintain"/>
role. Note specifically that it's thus
possible for non-superusers to rebuild indexes of tables owned by
other users. However, as a special exception,
diff --git a/doc/src/sgml/user-manag.sgml b/doc/src/sgml/user-manag.sgml
index 07a16247d7..aa37823be2 100644
--- a/doc/src/sgml/user-manag.sgml
+++ b/doc/src/sgml/user-manag.sgml
@@ -590,101 +590,71 @@ DROP ROLE doomed_role;
and information. Administrators (including roles that have the
<literal>CREATEROLE</literal> privilege) can <command>GRANT</command> these
roles to users and/or other roles in their environment, providing those
- users with access to the specified capabilities and information.
+ users with access to the specified capabilities and information. For
+ example:
+
+<programlisting>
+GRANT pg_signal_backend TO admin_user;
+</programlisting>
</para>
+ <warning>
+ <para>
+ Care should be taken when granting these roles to ensure they are only used
+ where needed and with the understanding that these roles grant access to
+ privileged information.
+ </para>
+ </warning>
+
<para>
- The predefined roles are described in <xref linkend="predefined-roles-table"/>.
+ The predefined roles are described below.
Note that the specific permissions for each of the roles may change in
the future as additional capabilities are added. Administrators
should monitor the release notes for changes.
- </para>
- <table tocentry="1" id="predefined-roles-table">
- <title>Predefined Roles</title>
- <tgroup cols="2">
- <colspec colname="col1" colwidth="1*"/>
- <colspec colname="col2" colwidth="2*"/>
- <thead>
- <row>
- <entry>Role</entry>
- <entry>Allowed Access</entry>
- </row>
- </thead>
- <tbody>
- <row>
- <entry>pg_read_all_data</entry>
- <entry>Read all data (tables, views, sequences), as if having
- <command>SELECT</command> rights on those objects, and USAGE rights on
- all schemas, even without having it explicitly. This role does not have
- the role attribute <literal>BYPASSRLS</literal> set. If RLS is being
- used, an administrator may wish to set <literal>BYPASSRLS</literal> on
- roles which this role is GRANTed to.</entry>
- </row>
- <row>
- <entry>pg_write_all_data</entry>
- <entry>Write all data (tables, views, sequences), as if having
- <command>INSERT</command>, <command>UPDATE</command>, and
- <command>DELETE</command> rights on those objects, and USAGE rights on
- all schemas, even without having it explicitly. This role does not have
- the role attribute <literal>BYPASSRLS</literal> set. If RLS is being
- used, an administrator may wish to set <literal>BYPASSRLS</literal> on
- roles which this role is GRANTed to.</entry>
- </row>
- <row>
- <entry>pg_read_all_settings</entry>
- <entry>Read all configuration variables, even those normally visible only to
- superusers.</entry>
- </row>
- <row>
- <entry>pg_read_all_stats</entry>
- <entry>Read all pg_stat_* views and use various statistics related extensions,
- even those normally visible only to superusers.</entry>
- </row>
- <row>
- <entry>pg_stat_scan_tables</entry>
- <entry>Execute monitoring functions that may take <literal>ACCESS SHARE</literal> locks on tables,
- potentially for a long time.</entry>
- </row>
- <row>
- <entry>pg_monitor</entry>
- <entry>Read/execute various monitoring views and functions.
- This role is a member of <literal>pg_read_all_settings</literal>,
- <literal>pg_read_all_stats</literal> and
- <literal>pg_stat_scan_tables</literal>.</entry>
- </row>
- <row>
- <entry>pg_database_owner</entry>
- <entry>None. Membership consists, implicitly, of the current database owner.</entry>
- </row>
- <row>
- <entry>pg_signal_backend</entry>
- <entry>Signal another backend to cancel a query or terminate its session.</entry>
- </row>
- <row>
- <entry>pg_read_server_files</entry>
- <entry>Allow reading files from any location the database can access on the server with COPY and
- other file-access functions.</entry>
- </row>
- <row>
- <entry>pg_write_server_files</entry>
- <entry>Allow writing to files in any location the database can access on the server with COPY and
- other file-access functions.</entry>
- </row>
- <row>
- <entry>pg_execute_server_program</entry>
- <entry>Allow executing programs on the database server as the user the database runs as with
- COPY and other functions which allow executing a server-side program.</entry>
- </row>
- <row>
- <entry>pg_checkpoint</entry>
- <entry>Allow executing
- the <link linkend="sql-checkpoint"><command>CHECKPOINT</command></link>
- command.</entry>
- </row>
- <row>
- <entry>pg_maintain</entry>
- <entry>Allow executing
+ <variablelist>
+ <varlistentry id="predefined-role-pg-checkpoint" xreflabel="pg_checkpoint">
+ <term><varname>pg_checkpoint</varname></term>
+ <listitem>
+ <para>
+ Allows executing the
+ <link linkend="sql-checkpoint"><command>CHECKPOINT</command></link> command.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry id="predefined-role-pg-create-subscription" xreflabel="pg_create_subscription">
+ <term><varname>pg_create_subscription</varname></term>
+ <listitem>
+ <para>
+ Allows users with <literal>CREATE</literal> permission on the database to issue
+ <link linkend="sql-createsubscription"><command>CREATE SUBSCRIPTION</command></link>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry id="predefined-role-pg-database-owner" xreflabel="pg_database_owner">
+ <term><varname>pg_database_owner</varname></term>
+ <listitem>
+ <para>
+ Membership consists, implicitly, of the current database owner. Like
+ any role, it can own objects or receive grants of access privileges.
+ Consequently, once <literal>pg_database_owner</literal> has rights
+ within a template database, each owner of a database instantiated from
+ that template will exercise those rights.
+ <literal>pg_database_owner</literal> cannot be a member of any role, and
+ it cannot have non-implicit members. Initially, this role owns the
+ <literal>public</literal> schema, so each database owner governs local
+ use of the schema.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry id="predefined-role-pg-maintain" xreflabel="pg_maintain">
+ <term><varname>pg_maintain</varname></term>
+ <listitem>
+ <para>
+ Allows executing
<link linkend="sql-vacuum"><command>VACUUM</command></link>,
<link linkend="sql-analyze"><command>ANALYZE</command></link>,
<link linkend="sql-cluster"><command>CLUSTER</command></link>,
@@ -692,78 +662,127 @@ DROP ROLE doomed_role;
<link linkend="sql-reindex"><command>REINDEX</command></link>,
and <link linkend="sql-lock"><command>LOCK TABLE</command></link> on all
relations, as if having <literal>MAINTAIN</literal> rights on those
- objects, even without having it explicitly.</entry>
- </row>
- <row>
- <entry>pg_use_reserved_connections</entry>
- <entry>Allow use of connection slots reserved via
- <xref linkend="guc-reserved-connections"/>.</entry>
- </row>
- <row>
- <entry>pg_create_subscription</entry>
- <entry>Allow users with <literal>CREATE</literal> permission on the
- database to issue
- <link linkend="sql-createsubscription"><command>CREATE SUBSCRIPTION</command></link>.</entry>
- </row>
- </tbody>
- </tgroup>
- </table>
-
- <para>
- The <literal>pg_monitor</literal>, <literal>pg_read_all_settings</literal>,
- <literal>pg_read_all_stats</literal> and <literal>pg_stat_scan_tables</literal>
- roles are intended to allow administrators to easily configure a role for the
- purpose of monitoring the database server. They grant a set of common privileges
- allowing the role to read various useful configuration settings, statistics and
- other system information normally restricted to superusers.
- </para>
-
- <para>
- The <literal>pg_database_owner</literal> role has one implicit,
- situation-dependent member, namely the owner of the current database. Like
- any role, it can own objects or receive grants of access privileges.
- Consequently, once <literal>pg_database_owner</literal> has rights within a
- template database, each owner of a database instantiated from that template
- will exercise those rights. <literal>pg_database_owner</literal> cannot be
- a member of any role, and it cannot have non-implicit members. Initially,
- this role owns the <literal>public</literal> schema, so each database owner
- governs local use of the schema.
- </para>
-
- <para>
- The <literal>pg_signal_backend</literal> role is intended to allow
- administrators to enable trusted, but non-superuser, roles to send signals
- to other backends. Currently this role enables sending of signals for
- canceling a query on another backend or terminating its session. A user
- granted this role cannot however send signals to a backend owned by a
- superuser. See <xref linkend="functions-admin-signal"/>.
- </para>
-
- <para>
- The <literal>pg_read_server_files</literal>, <literal>pg_write_server_files</literal> and
- <literal>pg_execute_server_program</literal> roles are intended to allow administrators to have
- trusted, but non-superuser, roles which are able to access files and run programs on the
- database server as the user the database runs as. As these roles are able to access any file on
- the server file system, they bypass all database-level permission checks when accessing files
- directly and they could be used to gain superuser-level access, therefore
- great care should be taken when granting these roles to users.
- </para>
-
- <para>
- Care should be taken when granting these roles to ensure they are only used where
- needed and with the understanding that these roles grant access to privileged
- information.
- </para>
-
- <para>
- Administrators can grant access to these roles to users using the
- <link linkend="sql-grant"><command>GRANT</command></link> command, for example:
-
-<programlisting>
-GRANT pg_signal_backend TO admin_user;
-</programlisting>
+ objects.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry id="predefined-role-pg-monitor" xreflabel="pg_monitor">
+ <term><varname>pg_monitor</varname></term>
+ <term><varname>pg_read_all_settings</varname></term>
+ <term><varname>pg_read_all_stats</varname></term>
+ <term><varname>pg_stat_scan_tables</varname></term>
+ <listitem>
+ <para>
+ These roles are intended to allow administrators to easily configure a
+ role for the purpose of monitoring the database server. They grant a
+ set of common privileges allowing the role to read various useful
+ configuration settings, statistics, and other system information
+ normally restricted to superusers.
+ </para>
+ <para>
+ <literal>pg_monitor</literal> allows reading/executing various
+ monitoring views and functions. This role is a member of
+ <literal>pg_read_all_settings</literal>,
+ <literal>pg_read_all_stats</literal> and
+ <literal>pg_stat_scan_tables</literal>.
+ </para>
+ <para>
+ <literal>pg_read_all_settings</literal> allows reading all configuration
+ variables, even those normally visible only to superusers.
+ </para>
+ <para>
+ <literal>pg_read_all_stats</literal> allows reading all pg_stat_* views
+ and use various statistics related extensions, even those normally
+ visible only to superusers.
+ </para>
+ <para>
+ <literal>pg_stat_scan_tables</literal> allows executing monitoring
+ functions that may take <literal>ACCESS SHARE</literal> locks on tables,
+ potentially for a long time (e.g., <function>pgrowlocks(text)</function>
+ in the <xref linkend="pgrowlocks"/> extension).
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry id="predefined-role-pg-read-all-data" xreflabel="pg_read_all_data">
+ <term><varname>pg_read_all_data</varname></term>
+ <term><varname>pg_write_all_data</varname></term>
+ <listitem>
+ <para>
+ <literal>pg_read_all_data</literal> allows reading all data (tables,
+ views, sequences), as if having <command>SELECT</command> rights on
+ those objects and <literal>USAGE</literal> rights on all schemas. This
+ role does not bypass row-level security (RLS) policies. If RLS is being
+ used, an administrator may wish to set <literal>BYPASSRLS</literal> on
+ roles which this role is granted to.
+ </para>
+ <para>
+ <literal>pg_write_all_data</literal> allows writing all data (tables,
+ views, sequences), as if having <command>INSERT</command>,
+ <command>UPDATE</command>, and <command>DELETE</command> rights on those
+ objects and <literal>USAGE</literal> rights on all schemas. This role
+ does not bypass row-level security (RLS) policies. If RLS is being
+ used, an administrator may wish to set <literal>BYPASSRLS</literal> on
+ roles which this role is granted to.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry id="predefined-role-pg-read-server-files" xreflabel="pg_read_server_files">
+ <term><varname>pg_read_server_files</varname></term>
+ <term><varname>pg_write_server_files</varname></term>
+ <term><varname>pg_execute_server_program</varname></term>
+ <listitem>
+ <para>
+ These roles are intended to allow administrators to have trusted, but
+ non-superuser, roles which are able to access files and run programs on
+ the database server as the user the database runs as. They bypass all
+ database-level permission checks when accessing files directly and they
+ could be used to gain superuser-level access. Therefore, great care
+ should be taken when granting these roles to users.
+ </para>
+ <para>
+ <literal>pg_read_server_files</literal> allows reading files from any
+ location the database can access on the server using
+ <command>COPY</command> and other file-access functions.
+ </para>
+ <para>
+ <literal>pg_write_server_files</literal> allows writing to files in any
+ location the database can access on the server using
+ <command>COPY</command> and other file-access functions.
+ </para>
+ <para>
+ <literal>pg_execute_server_program</literal> allows executing programs
+ on the database server as the user the database runs as using
+ <command>COPY</command> and other functions which allow executing a
+ server-side program.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry id="predefined-role-pg-signal-backend" xreflabel="pg_signal_backend">
+ <term><varname>pg_signal_backend</varname></term>
+ <listitem>
+ <para>
+ Allows signaling another backend to cancel a query or terminate its
+ session. Note that this role does not permit signaling backends owned
+ by a superuser. See <xref linkend="functions-admin-signal"/>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry id="predefined-role-pg-use-reserved-connections" xreflabel="pg_use_reserved_connections">
+ <term><varname>pg_use_reserved_connections</varname></term>
+ <listitem>
+ <para>
+ Allows use of connection slots reserved via
+ <xref linkend="guc-reserved-connections"/>.
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
</para>
-
</sect1>
<sect1 id="perm-functions">
--
2.39.3 (Apple Git-146)
On Fri, Jun 21, 2024 at 11:40 AM Nathan Bossart
<nathandbossart@gmail.com> wrote:
Done.
If you look at how the varlistentries begin, there are three separate patterns:
* Some document a single role and start with "Allow doing blah blah blah".
* Some document a couple of rolls so there are several paragraphs,
each beginning with "<literal>name_of_role</literal allows doing blah
blah blah". This is sometimes preceded by an introductory paragraph
explaining why this group of roles exists and what it's intended to
do.
* pg_database_owner is completely different from the rest, focusing on
explaining who is in the role rather than what the role gets to do.
I think the first two cases could be made more like each other by
changing the varlistentires that are just about one setting to use the
second format instead of the first, e.g. pg_checkpoint allows
executing the CHECKPOINT command.
I don't know what to do about pg_database_owner. I almost wonder if
that should be moved out of the table and documented as a special
case. Or maybe some more wordsmithing would add clarity. Or maybe it's
fine as-is.
--
Robert Haas
EDB: http://www.enterprisedb.com
On Mon, Jun 24, 2024 at 02:44:33PM -0400, Robert Haas wrote:
I think the first two cases could be made more like each other by
changing the varlistentires that are just about one setting to use the
second format instead of the first, e.g. pg_checkpoint allows
executing the CHECKPOINT command.
Done.
I don't know what to do about pg_database_owner. I almost wonder if
that should be moved out of the table and documented as a special
case. Or maybe some more wordsmithing would add clarity. Or maybe it's
fine as-is.
I've left it alone for now. I thought about adding something like
"pg_database_owner does not provide any special capabilities or access
out-of-the-box" to the beginning of the entry, but I don't have time at the
moment to properly wordsmith the rest. If anyone else wants to give it a
try before I get to it (probably tomorrow), please be my guest. TBH I
think the existing content is pretty good, so I'm not opposed to leaving it
alone, even if the style is different than the other entries.
--
nathan
Attachments:
v3-0001-revamp-predefined-roles-documentation.patchtext/plain; charset=us-asciiDownload
From d76a09646bd9458450a4f5c051c36050fefbbf29 Mon Sep 17 00:00:00 2001
From: Nathan Bossart <nathan@postgresql.org>
Date: Tue, 18 Jun 2024 11:38:40 -0500
Subject: [PATCH v3 1/1] revamp predefined roles documentation
---
doc/src/sgml/config.sgml | 2 +-
doc/src/sgml/monitoring.sgml | 4 +-
doc/src/sgml/ref/checkpoint.sgml | 2 +-
doc/src/sgml/ref/reindex.sgml | 2 +-
doc/src/sgml/user-manag.sgml | 339 ++++++++++++++++---------------
5 files changed, 185 insertions(+), 164 deletions(-)
diff --git a/doc/src/sgml/config.sgml b/doc/src/sgml/config.sgml
index 0c7a9082c5..03e37209e6 100644
--- a/doc/src/sgml/config.sgml
+++ b/doc/src/sgml/config.sgml
@@ -731,7 +731,7 @@ include_dir 'conf.d'
<para>
Determines the number of connection <quote>slots</quote> that are
reserved for connections by roles with privileges of the
- <link linkend="predefined-roles-table"><literal>pg_use_reserved_connections</literal></link>
+ <xref linkend="predefined-role-pg-use-reserved-connections"/>
role. Whenever the number of free connection slots is greater than
<xref linkend="guc-superuser-reserved-connections"/> but less than or
equal to the sum of <varname>superuser_reserved_connections</varname>
diff --git a/doc/src/sgml/monitoring.sgml b/doc/src/sgml/monitoring.sgml
index b2ad9b446f..f30c1e53fa 100644
--- a/doc/src/sgml/monitoring.sgml
+++ b/doc/src/sgml/monitoring.sgml
@@ -286,8 +286,8 @@ postgres 27093 0.0 0.0 30096 2752 ? Ss 11:34 0:00 postgres: ser
other sessions, many columns will be null. Note, however, that the
existence of a session and its general properties such as its sessions user
and database are visible to all users. Superusers and roles with privileges of
- built-in role <literal>pg_read_all_stats</literal> (see also <xref
- linkend="predefined-roles"/>) can see all the information about all sessions.
+ built-in role <link linkend="predefined-role-pg-monitor"><literal>pg_read_all_stats</literal></link>
+ can see all the information about all sessions.
</para>
<table id="monitoring-stats-dynamic-views-table">
diff --git a/doc/src/sgml/ref/checkpoint.sgml b/doc/src/sgml/ref/checkpoint.sgml
index 28a1d717b8..db011a47d0 100644
--- a/doc/src/sgml/ref/checkpoint.sgml
+++ b/doc/src/sgml/ref/checkpoint.sgml
@@ -53,7 +53,7 @@ CHECKPOINT
<para>
Only superusers or users with the privileges of
- the <link linkend="predefined-roles-table"><literal>pg_checkpoint</literal></link>
+ the <xref linkend="predefined-role-pg-checkpoint"/>
role can call <command>CHECKPOINT</command>.
</para>
</refsect1>
diff --git a/doc/src/sgml/ref/reindex.sgml b/doc/src/sgml/ref/reindex.sgml
index 2942dccf1e..dcf70d14bc 100644
--- a/doc/src/sgml/ref/reindex.sgml
+++ b/doc/src/sgml/ref/reindex.sgml
@@ -305,7 +305,7 @@ REINDEX [ ( <replaceable class="parameter">option</replaceable> [, ...] ) ] { DA
partitioned table, such commands skip the privilege checks when processing
the individual partitions. Reindexing a schema or database requires being the
owner of that schema or database or having privileges of the
- <link linkend="predefined-roles-table"><literal>pg_maintain</literal></link>
+ <xref linkend="predefined-role-pg-maintain"/>
role. Note specifically that it's thus
possible for non-superusers to rebuild indexes of tables owned by
other users. However, as a special exception,
diff --git a/doc/src/sgml/user-manag.sgml b/doc/src/sgml/user-manag.sgml
index 07a16247d7..8b55216631 100644
--- a/doc/src/sgml/user-manag.sgml
+++ b/doc/src/sgml/user-manag.sgml
@@ -590,101 +590,72 @@ DROP ROLE doomed_role;
and information. Administrators (including roles that have the
<literal>CREATEROLE</literal> privilege) can <command>GRANT</command> these
roles to users and/or other roles in their environment, providing those
- users with access to the specified capabilities and information.
+ users with access to the specified capabilities and information. For
+ example:
+
+<programlisting>
+GRANT pg_signal_backend TO admin_user;
+</programlisting>
</para>
+ <warning>
+ <para>
+ Care should be taken when granting these roles to ensure they are only used
+ where needed and with the understanding that these roles grant access to
+ privileged information.
+ </para>
+ </warning>
+
<para>
- The predefined roles are described in <xref linkend="predefined-roles-table"/>.
+ The predefined roles are described below.
Note that the specific permissions for each of the roles may change in
the future as additional capabilities are added. Administrators
should monitor the release notes for changes.
- </para>
- <table tocentry="1" id="predefined-roles-table">
- <title>Predefined Roles</title>
- <tgroup cols="2">
- <colspec colname="col1" colwidth="1*"/>
- <colspec colname="col2" colwidth="2*"/>
- <thead>
- <row>
- <entry>Role</entry>
- <entry>Allowed Access</entry>
- </row>
- </thead>
- <tbody>
- <row>
- <entry>pg_read_all_data</entry>
- <entry>Read all data (tables, views, sequences), as if having
- <command>SELECT</command> rights on those objects, and USAGE rights on
- all schemas, even without having it explicitly. This role does not have
- the role attribute <literal>BYPASSRLS</literal> set. If RLS is being
- used, an administrator may wish to set <literal>BYPASSRLS</literal> on
- roles which this role is GRANTed to.</entry>
- </row>
- <row>
- <entry>pg_write_all_data</entry>
- <entry>Write all data (tables, views, sequences), as if having
- <command>INSERT</command>, <command>UPDATE</command>, and
- <command>DELETE</command> rights on those objects, and USAGE rights on
- all schemas, even without having it explicitly. This role does not have
- the role attribute <literal>BYPASSRLS</literal> set. If RLS is being
- used, an administrator may wish to set <literal>BYPASSRLS</literal> on
- roles which this role is GRANTed to.</entry>
- </row>
- <row>
- <entry>pg_read_all_settings</entry>
- <entry>Read all configuration variables, even those normally visible only to
- superusers.</entry>
- </row>
- <row>
- <entry>pg_read_all_stats</entry>
- <entry>Read all pg_stat_* views and use various statistics related extensions,
- even those normally visible only to superusers.</entry>
- </row>
- <row>
- <entry>pg_stat_scan_tables</entry>
- <entry>Execute monitoring functions that may take <literal>ACCESS SHARE</literal> locks on tables,
- potentially for a long time.</entry>
- </row>
- <row>
- <entry>pg_monitor</entry>
- <entry>Read/execute various monitoring views and functions.
- This role is a member of <literal>pg_read_all_settings</literal>,
- <literal>pg_read_all_stats</literal> and
- <literal>pg_stat_scan_tables</literal>.</entry>
- </row>
- <row>
- <entry>pg_database_owner</entry>
- <entry>None. Membership consists, implicitly, of the current database owner.</entry>
- </row>
- <row>
- <entry>pg_signal_backend</entry>
- <entry>Signal another backend to cancel a query or terminate its session.</entry>
- </row>
- <row>
- <entry>pg_read_server_files</entry>
- <entry>Allow reading files from any location the database can access on the server with COPY and
- other file-access functions.</entry>
- </row>
- <row>
- <entry>pg_write_server_files</entry>
- <entry>Allow writing to files in any location the database can access on the server with COPY and
- other file-access functions.</entry>
- </row>
- <row>
- <entry>pg_execute_server_program</entry>
- <entry>Allow executing programs on the database server as the user the database runs as with
- COPY and other functions which allow executing a server-side program.</entry>
- </row>
- <row>
- <entry>pg_checkpoint</entry>
- <entry>Allow executing
- the <link linkend="sql-checkpoint"><command>CHECKPOINT</command></link>
- command.</entry>
- </row>
- <row>
- <entry>pg_maintain</entry>
- <entry>Allow executing
+ <variablelist>
+ <varlistentry id="predefined-role-pg-checkpoint" xreflabel="pg_checkpoint">
+ <term><varname>pg_checkpoint</varname></term>
+ <listitem>
+ <para>
+ <literal>pg_checkpoint</literal> allows executing the
+ <link linkend="sql-checkpoint"><command>CHECKPOINT</command></link> command.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry id="predefined-role-pg-create-subscription" xreflabel="pg_create_subscription">
+ <term><varname>pg_create_subscription</varname></term>
+ <listitem>
+ <para>
+ <literal>pg_create_subscription</literal> allows users with
+ <literal>CREATE</literal> permission on the database to issue
+ <link linkend="sql-createsubscription"><command>CREATE SUBSCRIPTION</command></link>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry id="predefined-role-pg-database-owner" xreflabel="pg_database_owner">
+ <term><varname>pg_database_owner</varname></term>
+ <listitem>
+ <para>
+ Membership consists, implicitly, of the current database owner. Like
+ any role, it can own objects or receive grants of access privileges.
+ Consequently, once <literal>pg_database_owner</literal> has rights
+ within a template database, each owner of a database instantiated from
+ that template will exercise those rights.
+ <literal>pg_database_owner</literal> cannot be a member of any role, and
+ it cannot have non-implicit members. Initially, this role owns the
+ <literal>public</literal> schema, so each database owner governs local
+ use of the schema.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry id="predefined-role-pg-maintain" xreflabel="pg_maintain">
+ <term><varname>pg_maintain</varname></term>
+ <listitem>
+ <para>
+ <literal>pg_maintain</literal> allows executing
<link linkend="sql-vacuum"><command>VACUUM</command></link>,
<link linkend="sql-analyze"><command>ANALYZE</command></link>,
<link linkend="sql-cluster"><command>CLUSTER</command></link>,
@@ -692,78 +663,128 @@ DROP ROLE doomed_role;
<link linkend="sql-reindex"><command>REINDEX</command></link>,
and <link linkend="sql-lock"><command>LOCK TABLE</command></link> on all
relations, as if having <literal>MAINTAIN</literal> rights on those
- objects, even without having it explicitly.</entry>
- </row>
- <row>
- <entry>pg_use_reserved_connections</entry>
- <entry>Allow use of connection slots reserved via
- <xref linkend="guc-reserved-connections"/>.</entry>
- </row>
- <row>
- <entry>pg_create_subscription</entry>
- <entry>Allow users with <literal>CREATE</literal> permission on the
- database to issue
- <link linkend="sql-createsubscription"><command>CREATE SUBSCRIPTION</command></link>.</entry>
- </row>
- </tbody>
- </tgroup>
- </table>
-
- <para>
- The <literal>pg_monitor</literal>, <literal>pg_read_all_settings</literal>,
- <literal>pg_read_all_stats</literal> and <literal>pg_stat_scan_tables</literal>
- roles are intended to allow administrators to easily configure a role for the
- purpose of monitoring the database server. They grant a set of common privileges
- allowing the role to read various useful configuration settings, statistics and
- other system information normally restricted to superusers.
- </para>
-
- <para>
- The <literal>pg_database_owner</literal> role has one implicit,
- situation-dependent member, namely the owner of the current database. Like
- any role, it can own objects or receive grants of access privileges.
- Consequently, once <literal>pg_database_owner</literal> has rights within a
- template database, each owner of a database instantiated from that template
- will exercise those rights. <literal>pg_database_owner</literal> cannot be
- a member of any role, and it cannot have non-implicit members. Initially,
- this role owns the <literal>public</literal> schema, so each database owner
- governs local use of the schema.
- </para>
-
- <para>
- The <literal>pg_signal_backend</literal> role is intended to allow
- administrators to enable trusted, but non-superuser, roles to send signals
- to other backends. Currently this role enables sending of signals for
- canceling a query on another backend or terminating its session. A user
- granted this role cannot however send signals to a backend owned by a
- superuser. See <xref linkend="functions-admin-signal"/>.
- </para>
-
- <para>
- The <literal>pg_read_server_files</literal>, <literal>pg_write_server_files</literal> and
- <literal>pg_execute_server_program</literal> roles are intended to allow administrators to have
- trusted, but non-superuser, roles which are able to access files and run programs on the
- database server as the user the database runs as. As these roles are able to access any file on
- the server file system, they bypass all database-level permission checks when accessing files
- directly and they could be used to gain superuser-level access, therefore
- great care should be taken when granting these roles to users.
- </para>
-
- <para>
- Care should be taken when granting these roles to ensure they are only used where
- needed and with the understanding that these roles grant access to privileged
- information.
- </para>
-
- <para>
- Administrators can grant access to these roles to users using the
- <link linkend="sql-grant"><command>GRANT</command></link> command, for example:
-
-<programlisting>
-GRANT pg_signal_backend TO admin_user;
-</programlisting>
+ objects.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry id="predefined-role-pg-monitor" xreflabel="pg_monitor">
+ <term><varname>pg_monitor</varname></term>
+ <term><varname>pg_read_all_settings</varname></term>
+ <term><varname>pg_read_all_stats</varname></term>
+ <term><varname>pg_stat_scan_tables</varname></term>
+ <listitem>
+ <para>
+ These roles are intended to allow administrators to easily configure a
+ role for the purpose of monitoring the database server. They grant a
+ set of common privileges allowing the role to read various useful
+ configuration settings, statistics, and other system information
+ normally restricted to superusers.
+ </para>
+ <para>
+ <literal>pg_monitor</literal> allows reading/executing various
+ monitoring views and functions. This role is a member of
+ <literal>pg_read_all_settings</literal>,
+ <literal>pg_read_all_stats</literal> and
+ <literal>pg_stat_scan_tables</literal>.
+ </para>
+ <para>
+ <literal>pg_read_all_settings</literal> allows reading all configuration
+ variables, even those normally visible only to superusers.
+ </para>
+ <para>
+ <literal>pg_read_all_stats</literal> allows reading all pg_stat_* views
+ and use various statistics related extensions, even those normally
+ visible only to superusers.
+ </para>
+ <para>
+ <literal>pg_stat_scan_tables</literal> allows executing monitoring
+ functions that may take <literal>ACCESS SHARE</literal> locks on tables,
+ potentially for a long time (e.g., <function>pgrowlocks(text)</function>
+ in the <xref linkend="pgrowlocks"/> extension).
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry id="predefined-role-pg-read-all-data" xreflabel="pg_read_all_data">
+ <term><varname>pg_read_all_data</varname></term>
+ <term><varname>pg_write_all_data</varname></term>
+ <listitem>
+ <para>
+ <literal>pg_read_all_data</literal> allows reading all data (tables,
+ views, sequences), as if having <command>SELECT</command> rights on
+ those objects and <literal>USAGE</literal> rights on all schemas. This
+ role does not bypass row-level security (RLS) policies. If RLS is being
+ used, an administrator may wish to set <literal>BYPASSRLS</literal> on
+ roles which this role is granted to.
+ </para>
+ <para>
+ <literal>pg_write_all_data</literal> allows writing all data (tables,
+ views, sequences), as if having <command>INSERT</command>,
+ <command>UPDATE</command>, and <command>DELETE</command> rights on those
+ objects and <literal>USAGE</literal> rights on all schemas. This role
+ does not bypass row-level security (RLS) policies. If RLS is being
+ used, an administrator may wish to set <literal>BYPASSRLS</literal> on
+ roles which this role is granted to.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry id="predefined-role-pg-read-server-files" xreflabel="pg_read_server_files">
+ <term><varname>pg_read_server_files</varname></term>
+ <term><varname>pg_write_server_files</varname></term>
+ <term><varname>pg_execute_server_program</varname></term>
+ <listitem>
+ <para>
+ These roles are intended to allow administrators to have trusted, but
+ non-superuser, roles which are able to access files and run programs on
+ the database server as the user the database runs as. They bypass all
+ database-level permission checks when accessing files directly and they
+ could be used to gain superuser-level access. Therefore, great care
+ should be taken when granting these roles to users.
+ </para>
+ <para>
+ <literal>pg_read_server_files</literal> allows reading files from any
+ location the database can access on the server using
+ <command>COPY</command> and other file-access functions.
+ </para>
+ <para>
+ <literal>pg_write_server_files</literal> allows writing to files in any
+ location the database can access on the server using
+ <command>COPY</command> and other file-access functions.
+ </para>
+ <para>
+ <literal>pg_execute_server_program</literal> allows executing programs
+ on the database server as the user the database runs as using
+ <command>COPY</command> and other functions which allow executing a
+ server-side program.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry id="predefined-role-pg-signal-backend" xreflabel="pg_signal_backend">
+ <term><varname>pg_signal_backend</varname></term>
+ <listitem>
+ <para>
+ <literal>pg_signal_backend</literal> allows signaling another backend to
+ cancel a query or terminate its session. Note that this role does not
+ permit signaling backends owned by a superuser. See
+ <xref linkend="functions-admin-signal"/>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry id="predefined-role-pg-use-reserved-connections" xreflabel="pg_use_reserved_connections">
+ <term><varname>pg_use_reserved_connections</varname></term>
+ <listitem>
+ <para>
+ <literal>pg_use_reserved_connections</literal> allows use of connection
+ slots reserved via <xref linkend="guc-reserved-connections"/>.
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
</para>
-
</sect1>
<sect1 id="perm-functions">
--
2.39.3 (Apple Git-146)
On Mon, Jun 24, 2024 at 2:53 PM Nathan Bossart <nathandbossart@gmail.com>
wrote:
On Mon, Jun 24, 2024 at 02:44:33PM -0400, Robert Haas wrote:
I don't know what to do about pg_database_owner. I almost wonder if
that should be moved out of the table and documented as a special
case. Or maybe some more wordsmithing would add clarity. Or maybe it's
fine as-is.I've left it alone for now. I thought about adding something like
"pg_database_owner does not provide any special capabilities or access
out-of-the-box" to the beginning of the entry, but I don't have time at the
moment to properly wordsmith the rest. If anyone else wants to give it a
try before I get to it (probably tomorrow), please be my guest.
This feels like a case where why is more important than what, so here's my
first draft suggestion.
pg_database_owner owns the initially created public schema and has an
implicit membership list of one - the role owning the connected-to database.
It exists to encourage and facilitate best practices regarding database
administration. The primary rule being to avoid using superuser to own or
do things. The bootstrap superuser thus should connect to the postgres
database and create a login role, with the createdb attribute, and then use
that role to create and administer additional databases. In that context,
this feature allows the creator of the new database to log into it and
immediately begin working in the public schema.
As a result, in version 14, PostgreSQL no longer initially grants create
and usage privileges, on the public schema, to the public pseudo-role.
For technical reasons, pg_database_owner may not participate in explicitly
granted role memberships. This is an easily mitigated limitation since the
role that owns the database may be a group and any inheriting members of
that group will be considered owners as well.
David J.
On Mon, Jun 24, 2024 at 03:53:46PM -0700, David G. Johnston wrote:
pg_database_owner owns the initially created public schema and has an
implicit membership list of one - the role owning the connected-to database.
It exists to encourage and facilitate best practices regarding database
administration. The primary rule being to avoid using superuser to own or
do things.
This part restates much of the existing text in a slightly different order,
but I'm not sure it's an improvement. I like that it emphasizes the intent
of the role, but the basic description of the role is kind-of buried in the
first sentence. IMO the way this role works is confusing enough that we
ought to keep the basic facts at the very top. I might even add a bit of
fluff in an attempt to make things clearer:
The pg_database_owner role always has exactly one implicit,
situation-dependent member, namely the owner of the current database.
One other thing I like about your proposal is that it moves the bit about
the role initially owning the public schema much earlier. That seems like
possibly the most important practical piece of information to convey to
administrators. Perhaps that could be the very next thing after the basic
description of the role.
The bootstrap superuser thus should connect to the postgres
database and create a login role, with the createdb attribute, and then use
that role to create and administer additional databases. In that context,
this feature allows the creator of the new database to log into it and
immediately begin working in the public schema.
IMHO the majority of this is too prescriptive, even if it's generally good
advice.
As a result, in version 14, PostgreSQL no longer initially grants create
and usage privileges, on the public schema, to the public pseudo-role.
IME we tend to shy away from adding too many historical details in the
documentation, and I'm not sure this information is directly related enough
to the role to include here.
For technical reasons, pg_database_owner may not participate in explicitly
granted role memberships. This is an easily mitigated limitation since the
role that owns the database may be a group and any inheriting members of
that group will be considered owners as well.
IIUC the intent of this is to expand on the following sentence in the
existing docs:
pg_database_owner cannot be a member of any role, and it cannot have
non-implicit members.
My instinct would be to do something like this:
pg_database_owner cannot be granted membership in any role, and no role
may be granted non-implicit membership in pg_database_owner.
IMHO the part about mitigating this limitation via groups is again too
prescriptive.
--
nathan
On Tue, Jun 25, 2024 at 11:35 AM Nathan Bossart
<nathandbossart@gmail.com> wrote:
IIUC the intent of this is to expand on the following sentence in the
existing docs:pg_database_owner cannot be a member of any role, and it cannot have
non-implicit members.My instinct would be to do something like this:
pg_database_owner cannot be granted membership in any role, and no role
may be granted non-implicit membership in pg_database_owner.
But you couldn't grant someone implicit membership either, because
then it wouldn't be implicit. So maybe something like this:
pg_database_owner is a predefined role for which membership consists,
implicitly, of the current database owner. It cannot be granted
membership in any role, and no role can be granted membership in
pg_database_owner. However, like any role, it can own objects or
receive grants of access privileges. Consequently, once
pg_database_owner has rights within a template database, each owner of
a database instantiated from that template will exercise those rights.
Initially, this role owns the public schema, so each database owner
governs local use of the schema.
--
Robert Haas
EDB: http://www.enterprisedb.com
On Tue, Jun 25, 2024 at 12:16:30PM -0400, Robert Haas wrote:
pg_database_owner is a predefined role for which membership consists,
implicitly, of the current database owner. It cannot be granted
membership in any role, and no role can be granted membership in
pg_database_owner. However, like any role, it can own objects or
receive grants of access privileges. Consequently, once
pg_database_owner has rights within a template database, each owner of
a database instantiated from that template will exercise those rights.
Initially, this role owns the public schema, so each database owner
governs local use of the schema.
The main difference between this and the existing documentation is that the
sentence on membership has been rephrased and moved to earlier in the
paragraph. I think this helps the logical flow a bit. We first talk about
implicit membership, then explicit membership, then we talk about
privileges and the consequences of those privileges, and finally we talk
about the default privileges. So, WFM.
--
nathan
On Tue, Jun 25, 2024 at 11:28:18AM -0500, Nathan Bossart wrote:
On Tue, Jun 25, 2024 at 12:16:30PM -0400, Robert Haas wrote:
pg_database_owner is a predefined role for which membership consists,
implicitly, of the current database owner. It cannot be granted
membership in any role, and no role can be granted membership in
pg_database_owner. However, like any role, it can own objects or
receive grants of access privileges. Consequently, once
pg_database_owner has rights within a template database, each owner of
a database instantiated from that template will exercise those rights.
Initially, this role owns the public schema, so each database owner
governs local use of the schema.The main difference between this and the existing documentation is that the
sentence on membership has been rephrased and moved to earlier in the
paragraph. I think this helps the logical flow a bit. We first talk about
implicit membership, then explicit membership, then we talk about
privileges and the consequences of those privileges, and finally we talk
about the default privileges. So, WFM.
I used this in v4 (with some minor changes). I've copied it here to ease
review.
pg_database_owner always has exactly one implicit member: the current
database owner. It cannot be granted membership in any role, and no
role can be granted membership in pg_database_owner. However, like any
other role, it can own objects and receive grants of access privileges.
Consequently, once pg_database_owner has rights within a template
database, each owner of a database instantiated from that template will
possess those rights. Initially, this role owns the public schema, so
each database owner governs local use of that schema.
--
nathan
Attachments:
v4-0001-revamp-predefined-roles-documentation.patchtext/plain; charset=us-asciiDownload
From 515d8b8f17c9cc6b5fe53e2dedcac2c282537315 Mon Sep 17 00:00:00 2001
From: Nathan Bossart <nathan@postgresql.org>
Date: Tue, 18 Jun 2024 11:38:40 -0500
Subject: [PATCH v4 1/1] revamp predefined roles documentation
---
doc/src/sgml/config.sgml | 2 +-
doc/src/sgml/monitoring.sgml | 4 +-
doc/src/sgml/ref/checkpoint.sgml | 2 +-
doc/src/sgml/ref/reindex.sgml | 2 +-
doc/src/sgml/user-manag.sgml | 340 ++++++++++++++++---------------
5 files changed, 186 insertions(+), 164 deletions(-)
diff --git a/doc/src/sgml/config.sgml b/doc/src/sgml/config.sgml
index 0c7a9082c5..03e37209e6 100644
--- a/doc/src/sgml/config.sgml
+++ b/doc/src/sgml/config.sgml
@@ -731,7 +731,7 @@ include_dir 'conf.d'
<para>
Determines the number of connection <quote>slots</quote> that are
reserved for connections by roles with privileges of the
- <link linkend="predefined-roles-table"><literal>pg_use_reserved_connections</literal></link>
+ <xref linkend="predefined-role-pg-use-reserved-connections"/>
role. Whenever the number of free connection slots is greater than
<xref linkend="guc-superuser-reserved-connections"/> but less than or
equal to the sum of <varname>superuser_reserved_connections</varname>
diff --git a/doc/src/sgml/monitoring.sgml b/doc/src/sgml/monitoring.sgml
index b2ad9b446f..f30c1e53fa 100644
--- a/doc/src/sgml/monitoring.sgml
+++ b/doc/src/sgml/monitoring.sgml
@@ -286,8 +286,8 @@ postgres 27093 0.0 0.0 30096 2752 ? Ss 11:34 0:00 postgres: ser
other sessions, many columns will be null. Note, however, that the
existence of a session and its general properties such as its sessions user
and database are visible to all users. Superusers and roles with privileges of
- built-in role <literal>pg_read_all_stats</literal> (see also <xref
- linkend="predefined-roles"/>) can see all the information about all sessions.
+ built-in role <link linkend="predefined-role-pg-monitor"><literal>pg_read_all_stats</literal></link>
+ can see all the information about all sessions.
</para>
<table id="monitoring-stats-dynamic-views-table">
diff --git a/doc/src/sgml/ref/checkpoint.sgml b/doc/src/sgml/ref/checkpoint.sgml
index 28a1d717b8..db011a47d0 100644
--- a/doc/src/sgml/ref/checkpoint.sgml
+++ b/doc/src/sgml/ref/checkpoint.sgml
@@ -53,7 +53,7 @@ CHECKPOINT
<para>
Only superusers or users with the privileges of
- the <link linkend="predefined-roles-table"><literal>pg_checkpoint</literal></link>
+ the <xref linkend="predefined-role-pg-checkpoint"/>
role can call <command>CHECKPOINT</command>.
</para>
</refsect1>
diff --git a/doc/src/sgml/ref/reindex.sgml b/doc/src/sgml/ref/reindex.sgml
index 2942dccf1e..dcf70d14bc 100644
--- a/doc/src/sgml/ref/reindex.sgml
+++ b/doc/src/sgml/ref/reindex.sgml
@@ -305,7 +305,7 @@ REINDEX [ ( <replaceable class="parameter">option</replaceable> [, ...] ) ] { DA
partitioned table, such commands skip the privilege checks when processing
the individual partitions. Reindexing a schema or database requires being the
owner of that schema or database or having privileges of the
- <link linkend="predefined-roles-table"><literal>pg_maintain</literal></link>
+ <xref linkend="predefined-role-pg-maintain"/>
role. Note specifically that it's thus
possible for non-superusers to rebuild indexes of tables owned by
other users. However, as a special exception,
diff --git a/doc/src/sgml/user-manag.sgml b/doc/src/sgml/user-manag.sgml
index 07a16247d7..6fc4464519 100644
--- a/doc/src/sgml/user-manag.sgml
+++ b/doc/src/sgml/user-manag.sgml
@@ -590,101 +590,73 @@ DROP ROLE doomed_role;
and information. Administrators (including roles that have the
<literal>CREATEROLE</literal> privilege) can <command>GRANT</command> these
roles to users and/or other roles in their environment, providing those
- users with access to the specified capabilities and information.
+ users with access to the specified capabilities and information. For
+ example:
+
+<programlisting>
+GRANT pg_signal_backend TO admin_user;
+</programlisting>
</para>
+ <warning>
+ <para>
+ Care should be taken when granting these roles to ensure they are only used
+ where needed and with the understanding that these roles grant access to
+ privileged information.
+ </para>
+ </warning>
+
<para>
- The predefined roles are described in <xref linkend="predefined-roles-table"/>.
+ The predefined roles are described below.
Note that the specific permissions for each of the roles may change in
the future as additional capabilities are added. Administrators
should monitor the release notes for changes.
- </para>
- <table tocentry="1" id="predefined-roles-table">
- <title>Predefined Roles</title>
- <tgroup cols="2">
- <colspec colname="col1" colwidth="1*"/>
- <colspec colname="col2" colwidth="2*"/>
- <thead>
- <row>
- <entry>Role</entry>
- <entry>Allowed Access</entry>
- </row>
- </thead>
- <tbody>
- <row>
- <entry>pg_read_all_data</entry>
- <entry>Read all data (tables, views, sequences), as if having
- <command>SELECT</command> rights on those objects, and USAGE rights on
- all schemas, even without having it explicitly. This role does not have
- the role attribute <literal>BYPASSRLS</literal> set. If RLS is being
- used, an administrator may wish to set <literal>BYPASSRLS</literal> on
- roles which this role is GRANTed to.</entry>
- </row>
- <row>
- <entry>pg_write_all_data</entry>
- <entry>Write all data (tables, views, sequences), as if having
- <command>INSERT</command>, <command>UPDATE</command>, and
- <command>DELETE</command> rights on those objects, and USAGE rights on
- all schemas, even without having it explicitly. This role does not have
- the role attribute <literal>BYPASSRLS</literal> set. If RLS is being
- used, an administrator may wish to set <literal>BYPASSRLS</literal> on
- roles which this role is GRANTed to.</entry>
- </row>
- <row>
- <entry>pg_read_all_settings</entry>
- <entry>Read all configuration variables, even those normally visible only to
- superusers.</entry>
- </row>
- <row>
- <entry>pg_read_all_stats</entry>
- <entry>Read all pg_stat_* views and use various statistics related extensions,
- even those normally visible only to superusers.</entry>
- </row>
- <row>
- <entry>pg_stat_scan_tables</entry>
- <entry>Execute monitoring functions that may take <literal>ACCESS SHARE</literal> locks on tables,
- potentially for a long time.</entry>
- </row>
- <row>
- <entry>pg_monitor</entry>
- <entry>Read/execute various monitoring views and functions.
- This role is a member of <literal>pg_read_all_settings</literal>,
- <literal>pg_read_all_stats</literal> and
- <literal>pg_stat_scan_tables</literal>.</entry>
- </row>
- <row>
- <entry>pg_database_owner</entry>
- <entry>None. Membership consists, implicitly, of the current database owner.</entry>
- </row>
- <row>
- <entry>pg_signal_backend</entry>
- <entry>Signal another backend to cancel a query or terminate its session.</entry>
- </row>
- <row>
- <entry>pg_read_server_files</entry>
- <entry>Allow reading files from any location the database can access on the server with COPY and
- other file-access functions.</entry>
- </row>
- <row>
- <entry>pg_write_server_files</entry>
- <entry>Allow writing to files in any location the database can access on the server with COPY and
- other file-access functions.</entry>
- </row>
- <row>
- <entry>pg_execute_server_program</entry>
- <entry>Allow executing programs on the database server as the user the database runs as with
- COPY and other functions which allow executing a server-side program.</entry>
- </row>
- <row>
- <entry>pg_checkpoint</entry>
- <entry>Allow executing
- the <link linkend="sql-checkpoint"><command>CHECKPOINT</command></link>
- command.</entry>
- </row>
- <row>
- <entry>pg_maintain</entry>
- <entry>Allow executing
+ <variablelist>
+ <varlistentry id="predefined-role-pg-checkpoint" xreflabel="pg_checkpoint">
+ <term><varname>pg_checkpoint</varname></term>
+ <listitem>
+ <para>
+ <literal>pg_checkpoint</literal> allows executing the
+ <link linkend="sql-checkpoint"><command>CHECKPOINT</command></link> command.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry id="predefined-role-pg-create-subscription" xreflabel="pg_create_subscription">
+ <term><varname>pg_create_subscription</varname></term>
+ <listitem>
+ <para>
+ <literal>pg_create_subscription</literal> allows users with
+ <literal>CREATE</literal> permission on the database to issue
+ <link linkend="sql-createsubscription"><command>CREATE SUBSCRIPTION</command></link>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry id="predefined-role-pg-database-owner" xreflabel="pg_database_owner">
+ <term><varname>pg_database_owner</varname></term>
+ <listitem>
+ <para>
+ <literal>pg_database_owner</literal> always has exactly one implicit
+ member: the current database owner. It cannot be granted membership in
+ any role, and no role can be granted membership in
+ <literal>pg_database_owner</literal>. However, like any other role, it
+ can own objects and receive grants of access privileges. Consequently,
+ once <literal>pg_database_owner</literal> has rights within a template
+ database, each owner of a database instantiated from that template will
+ possess those rights. Initially, this role owns the
+ <literal>public</literal> schema, so each database owner governs local
+ use of that schema.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry id="predefined-role-pg-maintain" xreflabel="pg_maintain">
+ <term><varname>pg_maintain</varname></term>
+ <listitem>
+ <para>
+ <literal>pg_maintain</literal> allows executing
<link linkend="sql-vacuum"><command>VACUUM</command></link>,
<link linkend="sql-analyze"><command>ANALYZE</command></link>,
<link linkend="sql-cluster"><command>CLUSTER</command></link>,
@@ -692,78 +664,128 @@ DROP ROLE doomed_role;
<link linkend="sql-reindex"><command>REINDEX</command></link>,
and <link linkend="sql-lock"><command>LOCK TABLE</command></link> on all
relations, as if having <literal>MAINTAIN</literal> rights on those
- objects, even without having it explicitly.</entry>
- </row>
- <row>
- <entry>pg_use_reserved_connections</entry>
- <entry>Allow use of connection slots reserved via
- <xref linkend="guc-reserved-connections"/>.</entry>
- </row>
- <row>
- <entry>pg_create_subscription</entry>
- <entry>Allow users with <literal>CREATE</literal> permission on the
- database to issue
- <link linkend="sql-createsubscription"><command>CREATE SUBSCRIPTION</command></link>.</entry>
- </row>
- </tbody>
- </tgroup>
- </table>
-
- <para>
- The <literal>pg_monitor</literal>, <literal>pg_read_all_settings</literal>,
- <literal>pg_read_all_stats</literal> and <literal>pg_stat_scan_tables</literal>
- roles are intended to allow administrators to easily configure a role for the
- purpose of monitoring the database server. They grant a set of common privileges
- allowing the role to read various useful configuration settings, statistics and
- other system information normally restricted to superusers.
- </para>
-
- <para>
- The <literal>pg_database_owner</literal> role has one implicit,
- situation-dependent member, namely the owner of the current database. Like
- any role, it can own objects or receive grants of access privileges.
- Consequently, once <literal>pg_database_owner</literal> has rights within a
- template database, each owner of a database instantiated from that template
- will exercise those rights. <literal>pg_database_owner</literal> cannot be
- a member of any role, and it cannot have non-implicit members. Initially,
- this role owns the <literal>public</literal> schema, so each database owner
- governs local use of the schema.
- </para>
-
- <para>
- The <literal>pg_signal_backend</literal> role is intended to allow
- administrators to enable trusted, but non-superuser, roles to send signals
- to other backends. Currently this role enables sending of signals for
- canceling a query on another backend or terminating its session. A user
- granted this role cannot however send signals to a backend owned by a
- superuser. See <xref linkend="functions-admin-signal"/>.
- </para>
-
- <para>
- The <literal>pg_read_server_files</literal>, <literal>pg_write_server_files</literal> and
- <literal>pg_execute_server_program</literal> roles are intended to allow administrators to have
- trusted, but non-superuser, roles which are able to access files and run programs on the
- database server as the user the database runs as. As these roles are able to access any file on
- the server file system, they bypass all database-level permission checks when accessing files
- directly and they could be used to gain superuser-level access, therefore
- great care should be taken when granting these roles to users.
- </para>
-
- <para>
- Care should be taken when granting these roles to ensure they are only used where
- needed and with the understanding that these roles grant access to privileged
- information.
- </para>
-
- <para>
- Administrators can grant access to these roles to users using the
- <link linkend="sql-grant"><command>GRANT</command></link> command, for example:
-
-<programlisting>
-GRANT pg_signal_backend TO admin_user;
-</programlisting>
+ objects.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry id="predefined-role-pg-monitor" xreflabel="pg_monitor">
+ <term><varname>pg_monitor</varname></term>
+ <term><varname>pg_read_all_settings</varname></term>
+ <term><varname>pg_read_all_stats</varname></term>
+ <term><varname>pg_stat_scan_tables</varname></term>
+ <listitem>
+ <para>
+ These roles are intended to allow administrators to easily configure a
+ role for the purpose of monitoring the database server. They grant a
+ set of common privileges allowing the role to read various useful
+ configuration settings, statistics, and other system information
+ normally restricted to superusers.
+ </para>
+ <para>
+ <literal>pg_monitor</literal> allows reading/executing various
+ monitoring views and functions. This role is a member of
+ <literal>pg_read_all_settings</literal>,
+ <literal>pg_read_all_stats</literal> and
+ <literal>pg_stat_scan_tables</literal>.
+ </para>
+ <para>
+ <literal>pg_read_all_settings</literal> allows reading all configuration
+ variables, even those normally visible only to superusers.
+ </para>
+ <para>
+ <literal>pg_read_all_stats</literal> allows reading all pg_stat_* views
+ and use various statistics related extensions, even those normally
+ visible only to superusers.
+ </para>
+ <para>
+ <literal>pg_stat_scan_tables</literal> allows executing monitoring
+ functions that may take <literal>ACCESS SHARE</literal> locks on tables,
+ potentially for a long time (e.g., <function>pgrowlocks(text)</function>
+ in the <xref linkend="pgrowlocks"/> extension).
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry id="predefined-role-pg-read-all-data" xreflabel="pg_read_all_data">
+ <term><varname>pg_read_all_data</varname></term>
+ <term><varname>pg_write_all_data</varname></term>
+ <listitem>
+ <para>
+ <literal>pg_read_all_data</literal> allows reading all data (tables,
+ views, sequences), as if having <command>SELECT</command> rights on
+ those objects and <literal>USAGE</literal> rights on all schemas. This
+ role does not bypass row-level security (RLS) policies. If RLS is being
+ used, an administrator may wish to set <literal>BYPASSRLS</literal> on
+ roles which this role is granted to.
+ </para>
+ <para>
+ <literal>pg_write_all_data</literal> allows writing all data (tables,
+ views, sequences), as if having <command>INSERT</command>,
+ <command>UPDATE</command>, and <command>DELETE</command> rights on those
+ objects and <literal>USAGE</literal> rights on all schemas. This role
+ does not bypass row-level security (RLS) policies. If RLS is being
+ used, an administrator may wish to set <literal>BYPASSRLS</literal> on
+ roles which this role is granted to.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry id="predefined-role-pg-read-server-files" xreflabel="pg_read_server_files">
+ <term><varname>pg_read_server_files</varname></term>
+ <term><varname>pg_write_server_files</varname></term>
+ <term><varname>pg_execute_server_program</varname></term>
+ <listitem>
+ <para>
+ These roles are intended to allow administrators to have trusted, but
+ non-superuser, roles which are able to access files and run programs on
+ the database server as the user the database runs as. They bypass all
+ database-level permission checks when accessing files directly and they
+ could be used to gain superuser-level access. Therefore, great care
+ should be taken when granting these roles to users.
+ </para>
+ <para>
+ <literal>pg_read_server_files</literal> allows reading files from any
+ location the database can access on the server using
+ <command>COPY</command> and other file-access functions.
+ </para>
+ <para>
+ <literal>pg_write_server_files</literal> allows writing to files in any
+ location the database can access on the server using
+ <command>COPY</command> and other file-access functions.
+ </para>
+ <para>
+ <literal>pg_execute_server_program</literal> allows executing programs
+ on the database server as the user the database runs as using
+ <command>COPY</command> and other functions which allow executing a
+ server-side program.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry id="predefined-role-pg-signal-backend" xreflabel="pg_signal_backend">
+ <term><varname>pg_signal_backend</varname></term>
+ <listitem>
+ <para>
+ <literal>pg_signal_backend</literal> allows signaling another backend to
+ cancel a query or terminate its session. Note that this role does not
+ permit signaling backends owned by a superuser. See
+ <xref linkend="functions-admin-signal"/>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry id="predefined-role-pg-use-reserved-connections" xreflabel="pg_use_reserved_connections">
+ <term><varname>pg_use_reserved_connections</varname></term>
+ <listitem>
+ <para>
+ <literal>pg_use_reserved_connections</literal> allows use of connection
+ slots reserved via <xref linkend="guc-reserved-connections"/>.
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
</para>
-
</sect1>
<sect1 id="perm-functions">
--
2.39.3 (Apple Git-146)
On Tue, Jun 25, 2024 at 3:26 PM Nathan Bossart <nathandbossart@gmail.com> wrote:
I used this in v4 (with some minor changes).
Looking at this again, how happy are you with the way you've got
several roles per <varlistentry> instead of one for each? I realize
that was probably part of the intent of the change, to move the data
from below the table into the table, and I see the merit of that. But
one of your other complaints was the entries in the table were
unordered, and it's hard for them to really be ordered if you have
groups like this, since you can't alphabetize, for example, unless you
have just a single entry per <varlistentry>.
I don't have a problem with doing it the way you have here if you
think that's good. I'm just asking.
--
Robert Haas
EDB: http://www.enterprisedb.com
On Tue, Jun 25, 2024 at 04:04:03PM -0400, Robert Haas wrote:
Looking at this again, how happy are you with the way you've got
several roles per <varlistentry> instead of one for each? I realize
that was probably part of the intent of the change, to move the data
from below the table into the table, and I see the merit of that. But
one of your other complaints was the entries in the table were
unordered, and it's hard for them to really be ordered if you have
groups like this, since you can't alphabetize, for example, unless you
have just a single entry per <varlistentry>.
Yeah, my options were to either separate the roles or to weaken the
ordering, and I guess I felt like the weaker ordering was slightly less
bad. The extra context in some of the groups seemed worth keeping, and
this probably isn't the only page of our docs that might require ctrl+f.
But I'll yield to the majority opinion here.
--
nathan
On Tue, Jun 25, 2024 at 1:19 PM Nathan Bossart <nathandbossart@gmail.com>
wrote:
On Tue, Jun 25, 2024 at 04:04:03PM -0400, Robert Haas wrote:
Looking at this again, how happy are you with the way you've got
several roles per <varlistentry> instead of one for each? I realize
that was probably part of the intent of the change, to move the data
from below the table into the table, and I see the merit of that. But
one of your other complaints was the entries in the table were
unordered, and it's hard for them to really be ordered if you have
groups like this, since you can't alphabetize, for example, unless you
have just a single entry per <varlistentry>.Yeah, my options were to either separate the roles or to weaken the
ordering, and I guess I felt like the weaker ordering was slightly less
bad. The extra context in some of the groups seemed worth keeping, and
this probably isn't the only page of our docs that might require ctrl+f.
But I'll yield to the majority opinion here.
There are few enough that logical grouping instead of strict alphabetical
makes sense.
v4 WFM
David J.
On Tue, Jun 25, 2024 at 4:19 PM Nathan Bossart <nathandbossart@gmail.com> wrote:
Yeah, my options were to either separate the roles or to weaken the
ordering, and I guess I felt like the weaker ordering was slightly less
bad. The extra context in some of the groups seemed worth keeping, and
this probably isn't the only page of our docs that might require ctrl+f.
But I'll yield to the majority opinion here.
I'm not objecting. I'm just asking.
--
Robert Haas
EDB: http://www.enterprisedb.com
On Wed, Jun 26, 2024 at 10:40:10AM -0400, Robert Haas wrote:
On Tue, Jun 25, 2024 at 4:19 PM Nathan Bossart <nathandbossart@gmail.com> wrote:
Yeah, my options were to either separate the roles or to weaken the
ordering, and I guess I felt like the weaker ordering was slightly less
bad. The extra context in some of the groups seemed worth keeping, and
this probably isn't the only page of our docs that might require ctrl+f.
But I'll yield to the majority opinion here.I'm not objecting. I'm just asking.
Cool. I'll plan on committing this latest version once v18devel hacking
begins.
--
nathan
rebased (due to commit ccd3802, which introduced
pg_signal_autovacuum_worker)
--
nathan
Attachments:
v5-0001-revamp-predefined-roles-documentation.patchtext/plain; charset=us-asciiDownload
From c9e9c04c8edf3aaedc683c1c4e6811feb2c2c267 Mon Sep 17 00:00:00 2001
From: Nathan Bossart <nathan@postgresql.org>
Date: Tue, 18 Jun 2024 11:38:40 -0500
Subject: [PATCH v5 1/1] revamp predefined roles documentation
---
doc/src/sgml/config.sgml | 2 +-
doc/src/sgml/monitoring.sgml | 4 +-
doc/src/sgml/ref/checkpoint.sgml | 2 +-
doc/src/sgml/ref/reindex.sgml | 2 +-
doc/src/sgml/user-manag.sgml | 355 +++++++++++++++++--------------
5 files changed, 197 insertions(+), 168 deletions(-)
diff --git a/doc/src/sgml/config.sgml b/doc/src/sgml/config.sgml
index f627a3e63c..00962d3451 100644
--- a/doc/src/sgml/config.sgml
+++ b/doc/src/sgml/config.sgml
@@ -731,7 +731,7 @@ include_dir 'conf.d'
<para>
Determines the number of connection <quote>slots</quote> that are
reserved for connections by roles with privileges of the
- <link linkend="predefined-roles-table"><literal>pg_use_reserved_connections</literal></link>
+ <xref linkend="predefined-role-pg-use-reserved-connections"/>
role. Whenever the number of free connection slots is greater than
<xref linkend="guc-superuser-reserved-connections"/> but less than or
equal to the sum of <varname>superuser_reserved_connections</varname>
diff --git a/doc/src/sgml/monitoring.sgml b/doc/src/sgml/monitoring.sgml
index 991f629907..28f1484a4d 100644
--- a/doc/src/sgml/monitoring.sgml
+++ b/doc/src/sgml/monitoring.sgml
@@ -286,8 +286,8 @@ postgres 27093 0.0 0.0 30096 2752 ? Ss 11:34 0:00 postgres: ser
other sessions, many columns will be null. Note, however, that the
existence of a session and its general properties such as its sessions user
and database are visible to all users. Superusers and roles with privileges of
- built-in role <literal>pg_read_all_stats</literal> (see also <xref
- linkend="predefined-roles"/>) can see all the information about all sessions.
+ built-in role <link linkend="predefined-role-pg-monitor"><literal>pg_read_all_stats</literal></link>
+ can see all the information about all sessions.
</para>
<table id="monitoring-stats-dynamic-views-table">
diff --git a/doc/src/sgml/ref/checkpoint.sgml b/doc/src/sgml/ref/checkpoint.sgml
index 28a1d717b8..db011a47d0 100644
--- a/doc/src/sgml/ref/checkpoint.sgml
+++ b/doc/src/sgml/ref/checkpoint.sgml
@@ -53,7 +53,7 @@ CHECKPOINT
<para>
Only superusers or users with the privileges of
- the <link linkend="predefined-roles-table"><literal>pg_checkpoint</literal></link>
+ the <xref linkend="predefined-role-pg-checkpoint"/>
role can call <command>CHECKPOINT</command>.
</para>
</refsect1>
diff --git a/doc/src/sgml/ref/reindex.sgml b/doc/src/sgml/ref/reindex.sgml
index 2942dccf1e..dcf70d14bc 100644
--- a/doc/src/sgml/ref/reindex.sgml
+++ b/doc/src/sgml/ref/reindex.sgml
@@ -305,7 +305,7 @@ REINDEX [ ( <replaceable class="parameter">option</replaceable> [, ...] ) ] { DA
partitioned table, such commands skip the privilege checks when processing
the individual partitions. Reindexing a schema or database requires being the
owner of that schema or database or having privileges of the
- <link linkend="predefined-roles-table"><literal>pg_maintain</literal></link>
+ <xref linkend="predefined-role-pg-maintain"/>
role. Note specifically that it's thus
possible for non-superusers to rebuild indexes of tables owned by
other users. However, as a special exception,
diff --git a/doc/src/sgml/user-manag.sgml b/doc/src/sgml/user-manag.sgml
index 340cefff70..0a005481d1 100644
--- a/doc/src/sgml/user-manag.sgml
+++ b/doc/src/sgml/user-manag.sgml
@@ -590,106 +590,73 @@ DROP ROLE doomed_role;
and information. Administrators (including roles that have the
<literal>CREATEROLE</literal> privilege) can <command>GRANT</command> these
roles to users and/or other roles in their environment, providing those
- users with access to the specified capabilities and information.
+ users with access to the specified capabilities and information. For
+ example:
+
+<programlisting>
+GRANT pg_signal_backend TO admin_user;
+</programlisting>
</para>
+ <warning>
+ <para>
+ Care should be taken when granting these roles to ensure they are only used
+ where needed and with the understanding that these roles grant access to
+ privileged information.
+ </para>
+ </warning>
+
<para>
- The predefined roles are described in <xref linkend="predefined-roles-table"/>.
+ The predefined roles are described below.
Note that the specific permissions for each of the roles may change in
the future as additional capabilities are added. Administrators
should monitor the release notes for changes.
- </para>
- <table tocentry="1" id="predefined-roles-table">
- <title>Predefined Roles</title>
- <tgroup cols="2">
- <colspec colname="col1" colwidth="1*"/>
- <colspec colname="col2" colwidth="2*"/>
- <thead>
- <row>
- <entry>Role</entry>
- <entry>Allowed Access</entry>
- </row>
- </thead>
- <tbody>
- <row>
- <entry>pg_read_all_data</entry>
- <entry>Read all data (tables, views, sequences), as if having
- <command>SELECT</command> rights on those objects, and USAGE rights on
- all schemas, even without having it explicitly. This role does not have
- the role attribute <literal>BYPASSRLS</literal> set. If RLS is being
- used, an administrator may wish to set <literal>BYPASSRLS</literal> on
- roles which this role is GRANTed to.</entry>
- </row>
- <row>
- <entry>pg_write_all_data</entry>
- <entry>Write all data (tables, views, sequences), as if having
- <command>INSERT</command>, <command>UPDATE</command>, and
- <command>DELETE</command> rights on those objects, and USAGE rights on
- all schemas, even without having it explicitly. This role does not have
- the role attribute <literal>BYPASSRLS</literal> set. If RLS is being
- used, an administrator may wish to set <literal>BYPASSRLS</literal> on
- roles which this role is GRANTed to.</entry>
- </row>
- <row>
- <entry>pg_read_all_settings</entry>
- <entry>Read all configuration variables, even those normally visible only to
- superusers.</entry>
- </row>
- <row>
- <entry>pg_read_all_stats</entry>
- <entry>Read all pg_stat_* views and use various statistics related extensions,
- even those normally visible only to superusers.</entry>
- </row>
- <row>
- <entry>pg_stat_scan_tables</entry>
- <entry>Execute monitoring functions that may take <literal>ACCESS SHARE</literal> locks on tables,
- potentially for a long time.</entry>
- </row>
- <row>
- <entry>pg_monitor</entry>
- <entry>Read/execute various monitoring views and functions.
- This role is a member of <literal>pg_read_all_settings</literal>,
- <literal>pg_read_all_stats</literal> and
- <literal>pg_stat_scan_tables</literal>.</entry>
- </row>
- <row>
- <entry>pg_database_owner</entry>
- <entry>None. Membership consists, implicitly, of the current database owner.</entry>
- </row>
- <row>
- <entry>pg_signal_backend</entry>
- <entry>Signal another backend to cancel a query or terminate its session.</entry>
- </row>
- <row>
- <entry>pg_signal_autovacuum_worker</entry>
- <entry>Signal an autovacuum worker to cancel the current table's vacuum
- or terminate its session.</entry>
- </row>
- <row>
- <entry>pg_read_server_files</entry>
- <entry>Allow reading files from any location the database can access on the server with COPY and
- other file-access functions.</entry>
- </row>
- <row>
- <entry>pg_write_server_files</entry>
- <entry>Allow writing to files in any location the database can access on the server with COPY and
- other file-access functions.</entry>
- </row>
- <row>
- <entry>pg_execute_server_program</entry>
- <entry>Allow executing programs on the database server as the user the database runs as with
- COPY and other functions which allow executing a server-side program.</entry>
- </row>
- <row>
- <entry>pg_checkpoint</entry>
- <entry>Allow executing
- the <link linkend="sql-checkpoint"><command>CHECKPOINT</command></link>
- command.</entry>
- </row>
- <row>
- <entry>pg_maintain</entry>
- <entry>Allow executing
+ <variablelist>
+ <varlistentry id="predefined-role-pg-checkpoint" xreflabel="pg_checkpoint">
+ <term><varname>pg_checkpoint</varname></term>
+ <listitem>
+ <para>
+ <literal>pg_checkpoint</literal> allows executing the
+ <link linkend="sql-checkpoint"><command>CHECKPOINT</command></link> command.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry id="predefined-role-pg-create-subscription" xreflabel="pg_create_subscription">
+ <term><varname>pg_create_subscription</varname></term>
+ <listitem>
+ <para>
+ <literal>pg_create_subscription</literal> allows users with
+ <literal>CREATE</literal> permission on the database to issue
+ <link linkend="sql-createsubscription"><command>CREATE SUBSCRIPTION</command></link>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry id="predefined-role-pg-database-owner" xreflabel="pg_database_owner">
+ <term><varname>pg_database_owner</varname></term>
+ <listitem>
+ <para>
+ <literal>pg_database_owner</literal> always has exactly one implicit
+ member: the current database owner. It cannot be granted membership in
+ any role, and no role can be granted membership in
+ <literal>pg_database_owner</literal>. However, like any other role, it
+ can own objects and receive grants of access privileges. Consequently,
+ once <literal>pg_database_owner</literal> has rights within a template
+ database, each owner of a database instantiated from that template will
+ possess those rights. Initially, this role owns the
+ <literal>public</literal> schema, so each database owner governs local
+ use of that schema.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry id="predefined-role-pg-maintain" xreflabel="pg_maintain">
+ <term><varname>pg_maintain</varname></term>
+ <listitem>
+ <para>
+ <literal>pg_maintain</literal> allows executing
<link linkend="sql-vacuum"><command>VACUUM</command></link>,
<link linkend="sql-analyze"><command>ANALYZE</command></link>,
<link linkend="sql-cluster"><command>CLUSTER</command></link>,
@@ -697,76 +664,138 @@ DROP ROLE doomed_role;
<link linkend="sql-reindex"><command>REINDEX</command></link>,
and <link linkend="sql-lock"><command>LOCK TABLE</command></link> on all
relations, as if having <literal>MAINTAIN</literal> rights on those
- objects, even without having it explicitly.</entry>
- </row>
- <row>
- <entry>pg_use_reserved_connections</entry>
- <entry>Allow use of connection slots reserved via
- <xref linkend="guc-reserved-connections"/>.</entry>
- </row>
- <row>
- <entry>pg_create_subscription</entry>
- <entry>Allow users with <literal>CREATE</literal> permission on the
- database to issue
- <link linkend="sql-createsubscription"><command>CREATE SUBSCRIPTION</command></link>.</entry>
- </row>
- </tbody>
- </tgroup>
- </table>
-
- <para>
- The <literal>pg_monitor</literal>, <literal>pg_read_all_settings</literal>,
- <literal>pg_read_all_stats</literal> and <literal>pg_stat_scan_tables</literal>
- roles are intended to allow administrators to easily configure a role for the
- purpose of monitoring the database server. They grant a set of common privileges
- allowing the role to read various useful configuration settings, statistics and
- other system information normally restricted to superusers.
- </para>
-
- <para>
- The <literal>pg_database_owner</literal> role has one implicit,
- situation-dependent member, namely the owner of the current database. Like
- any role, it can own objects or receive grants of access privileges.
- Consequently, once <literal>pg_database_owner</literal> has rights within a
- template database, each owner of a database instantiated from that template
- will exercise those rights. <literal>pg_database_owner</literal> cannot be
- a member of any role, and it cannot have non-implicit members. Initially,
- this role owns the <literal>public</literal> schema, so each database owner
- governs local use of the schema.
- </para>
-
- <para>
- The <literal>pg_signal_backend</literal> role is intended to allow
- administrators to enable trusted, but non-superuser, roles to send signals
- to other backends. Currently this role enables sending of signals for
- canceling a query on another backend or terminating its session. A user
- granted this role cannot however send signals to a backend owned by a
- superuser. See <xref linkend="functions-admin-signal"/>.
- </para>
-
- <para>
- The <literal>pg_read_server_files</literal>, <literal>pg_write_server_files</literal> and
- <literal>pg_execute_server_program</literal> roles are intended to allow administrators to have
- trusted, but non-superuser, roles which are able to access files and run programs on the
- database server as the user the database runs as. As these roles are able to access any file on
- the server file system, they bypass all database-level permission checks when accessing files
- directly and they could be used to gain superuser-level access, therefore
- great care should be taken when granting these roles to users.
- </para>
-
- <para>
- Care should be taken when granting these roles to ensure they are only used where
- needed and with the understanding that these roles grant access to privileged
- information.
- </para>
-
- <para>
- Administrators can grant access to these roles to users using the
- <link linkend="sql-grant"><command>GRANT</command></link> command, for example:
-
-<programlisting>
-GRANT pg_signal_backend TO admin_user;
-</programlisting>
+ objects.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry id="predefined-role-pg-monitor" xreflabel="pg_monitor">
+ <term><varname>pg_monitor</varname></term>
+ <term><varname>pg_read_all_settings</varname></term>
+ <term><varname>pg_read_all_stats</varname></term>
+ <term><varname>pg_stat_scan_tables</varname></term>
+ <listitem>
+ <para>
+ These roles are intended to allow administrators to easily configure a
+ role for the purpose of monitoring the database server. They grant a
+ set of common privileges allowing the role to read various useful
+ configuration settings, statistics, and other system information
+ normally restricted to superusers.
+ </para>
+ <para>
+ <literal>pg_monitor</literal> allows reading/executing various
+ monitoring views and functions. This role is a member of
+ <literal>pg_read_all_settings</literal>,
+ <literal>pg_read_all_stats</literal> and
+ <literal>pg_stat_scan_tables</literal>.
+ </para>
+ <para>
+ <literal>pg_read_all_settings</literal> allows reading all configuration
+ variables, even those normally visible only to superusers.
+ </para>
+ <para>
+ <literal>pg_read_all_stats</literal> allows reading all pg_stat_* views
+ and use various statistics related extensions, even those normally
+ visible only to superusers.
+ </para>
+ <para>
+ <literal>pg_stat_scan_tables</literal> allows executing monitoring
+ functions that may take <literal>ACCESS SHARE</literal> locks on tables,
+ potentially for a long time (e.g., <function>pgrowlocks(text)</function>
+ in the <xref linkend="pgrowlocks"/> extension).
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry id="predefined-role-pg-read-all-data" xreflabel="pg_read_all_data">
+ <term><varname>pg_read_all_data</varname></term>
+ <term><varname>pg_write_all_data</varname></term>
+ <listitem>
+ <para>
+ <literal>pg_read_all_data</literal> allows reading all data (tables,
+ views, sequences), as if having <command>SELECT</command> rights on
+ those objects and <literal>USAGE</literal> rights on all schemas. This
+ role does not bypass row-level security (RLS) policies. If RLS is being
+ used, an administrator may wish to set <literal>BYPASSRLS</literal> on
+ roles which this role is granted to.
+ </para>
+ <para>
+ <literal>pg_write_all_data</literal> allows writing all data (tables,
+ views, sequences), as if having <command>INSERT</command>,
+ <command>UPDATE</command>, and <command>DELETE</command> rights on those
+ objects and <literal>USAGE</literal> rights on all schemas. This role
+ does not bypass row-level security (RLS) policies. If RLS is being
+ used, an administrator may wish to set <literal>BYPASSRLS</literal> on
+ roles which this role is granted to.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry id="predefined-role-pg-read-server-files" xreflabel="pg_read_server_files">
+ <term><varname>pg_read_server_files</varname></term>
+ <term><varname>pg_write_server_files</varname></term>
+ <term><varname>pg_execute_server_program</varname></term>
+ <listitem>
+ <para>
+ These roles are intended to allow administrators to have trusted, but
+ non-superuser, roles which are able to access files and run programs on
+ the database server as the user the database runs as. They bypass all
+ database-level permission checks when accessing files directly and they
+ could be used to gain superuser-level access. Therefore, great care
+ should be taken when granting these roles to users.
+ </para>
+ <para>
+ <literal>pg_read_server_files</literal> allows reading files from any
+ location the database can access on the server using
+ <command>COPY</command> and other file-access functions.
+ </para>
+ <para>
+ <literal>pg_write_server_files</literal> allows writing to files in any
+ location the database can access on the server using
+ <command>COPY</command> and other file-access functions.
+ </para>
+ <para>
+ <literal>pg_execute_server_program</literal> allows executing programs
+ on the database server as the user the database runs as using
+ <command>COPY</command> and other functions which allow executing a
+ server-side program.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry id="predefined-role-pg-signal-autovacuum-worker" xreflabel="pg_signal_autovacuum_worker">
+ <term><varname>pg_signal_autovacuum_worker</varname></term>
+ <listitem>
+ <para>
+ <literal>pg_signal_autovacuum_worker</literal> allows signaling
+ autovacuum workers to cancel the current table's vacuum or terminate its
+ session. See <xref linkend="functions-admin-signal"/>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry id="predefined-role-pg-signal-backend" xreflabel="pg_signal_backend">
+ <term><varname>pg_signal_backend</varname></term>
+ <listitem>
+ <para>
+ <literal>pg_signal_backend</literal> allows signaling another backend to
+ cancel a query or terminate its session. Note that this role does not
+ permit signaling backends owned by a superuser. See
+ <xref linkend="functions-admin-signal"/>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry id="predefined-role-pg-use-reserved-connections" xreflabel="pg_use_reserved_connections">
+ <term><varname>pg_use_reserved_connections</varname></term>
+ <listitem>
+ <para>
+ <literal>pg_use_reserved_connections</literal> allows use of connection
+ slots reserved via <xref linkend="guc-reserved-connections"/>.
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
</para>
</sect1>
--
2.39.3 (Apple Git-146)