On Thu, Apr 11, 2024 at 11:48:30AM -0500, Nathan Bossart wrote: > On Thu, Apr 11, 2024 at 11:36:52AM -0400, Robert Haas wrote: >> I suggest that we close the existing CF entry as committed and >> somebody can start a new one for whatever remains. I think that will >> be less confusing. > > Done: https://commitfest.postgresql.org/48/4923/.
While it's fresh on my mind, I very hastily hacked together a draft of what I believe is the remaining work. -- Nathan Bossart Amazon Web Services: https://aws.amazon.com
>From bb3aa06b6e55b403489afafcc8b7608516fd7b40 Mon Sep 17 00:00:00 2001 From: Nathan Bossart <nat...@postgresql.org> Date: Thu, 11 Apr 2024 12:01:21 -0500 Subject: [PATCH v3 1/1] further improvements to SET ROLE docs --- doc/src/sgml/ref/set_role.sgml | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/doc/src/sgml/ref/set_role.sgml b/doc/src/sgml/ref/set_role.sgml index 083e6dc6ea..9557bb77ab 100644 --- a/doc/src/sgml/ref/set_role.sgml +++ b/doc/src/sgml/ref/set_role.sgml @@ -37,7 +37,10 @@ RESET ROLE written as either an identifier or a string literal. After <command>SET ROLE</command>, permissions checking for SQL commands is carried out as though the named role were the one that had logged - in originally. + in originally. Note that <command>SET ROLE</command> and + <command>SET SESSION AUTHORIZATION</command> are exceptions; permissions + checks for those continue to use the current session user and the initial + session user (the <firstterm>authenticated user</firstterm>), respectively. </para> <para> @@ -88,11 +91,6 @@ RESET ROLE exercised either with or without <literal>SET ROLE</literal>. </para> - <para> - Note that when a superuser chooses to <command>SET ROLE</command> to a - non-superuser role, they lose their superuser privileges. - </para> - <para> <command>SET ROLE</command> has effects comparable to <link linkend="sql-set-session-authorization"><command>SET SESSION AUTHORIZATION</command></link>, but the privilege -- 2.25.1