On Thu, Apr 11, 2024 at 11:48:30AM -0500, Nathan Bossart wrote:
> On Thu, Apr 11, 2024 at 11:36:52AM -0400, Robert Haas wrote:
>> I suggest that we close the existing CF entry as committed and
>> somebody can start a new one for whatever remains. I think that will
>> be less confusing.
>
> Done: https://commitfest.postgresql.org/48/4923/.
While it's fresh on my mind, I very hastily hacked together a draft of what
I believe is the remaining work.
--
Nathan Bossart
Amazon Web Services: https://aws.amazon.com
>From bb3aa06b6e55b403489afafcc8b7608516fd7b40 Mon Sep 17 00:00:00 2001
From: Nathan Bossart <nat...@postgresql.org>
Date: Thu, 11 Apr 2024 12:01:21 -0500
Subject: [PATCH v3 1/1] further improvements to SET ROLE docs
---
doc/src/sgml/ref/set_role.sgml | 10 ++++------
1 file changed, 4 insertions(+), 6 deletions(-)
diff --git a/doc/src/sgml/ref/set_role.sgml b/doc/src/sgml/ref/set_role.sgml
index 083e6dc6ea..9557bb77ab 100644
--- a/doc/src/sgml/ref/set_role.sgml
+++ b/doc/src/sgml/ref/set_role.sgml
@@ -37,7 +37,10 @@ RESET ROLE
written as either an identifier or a string literal.
After <command>SET ROLE</command>, permissions checking for SQL commands
is carried out as though the named role were the one that had logged
- in originally.
+ in originally. Note that <command>SET ROLE</command> and
+ <command>SET SESSION AUTHORIZATION</command> are exceptions; permissions
+ checks for those continue to use the current session user and the initial
+ session user (the <firstterm>authenticated user</firstterm>), respectively.
</para>
<para>
@@ -88,11 +91,6 @@ RESET ROLE
exercised either with or without <literal>SET ROLE</literal>.
</para>
- <para>
- Note that when a superuser chooses to <command>SET ROLE</command> to a
- non-superuser role, they lose their superuser privileges.
- </para>
-
<para>
<command>SET ROLE</command> has effects comparable to
<link linkend="sql-set-session-authorization"><command>SET SESSION AUTHORIZATION</command></link>, but the privilege
--
2.25.1
