Hi hackers,
I noticed some interesting role behavior that seems to be either a bug
or a miss in the documentation. The documentation for SET ROLE claims
that RESET ROLE resets "the current user identifier to be the current
session user identifier" [0], but this doesn't seem to hold true when
"role" has been set via pg_db_role_setting. Here is an example:
setup:
postgres=# CREATE ROLE test2;
CREATE ROLE
postgres=# CREATE ROLE test1 LOGIN CREATEROLE IN ROLE test2;
CREATE ROLE
postgres=# ALTER ROLE test1 SET ROLE test2;
ALTER ROLE
after logging in as test1:
postgres=> SELECT SESSION_USER, CURRENT_USER;
session_user | current_user
--------------+--------------
test1 | test2
(1 row)
postgres=> RESET ROLE;
RESET
postgres=> SELECT SESSION_USER, CURRENT_USER;
session_user | current_user
--------------+--------------
test1 | test2
(1 row)
I believe this behavior is caused by the "role" getting set at
PGC_S_GLOBAL, which sets the default used by RESET [1]. IMO this just
requires a small documentation fix. Here is my first attempt:
diff --git a/doc/src/sgml/ref/set_role.sgml b/doc/src/sgml/ref/set_role.sgml
index 739f2c5cdf..a69bfeae24 100644
--- a/doc/src/sgml/ref/set_role.sgml
+++ b/doc/src/sgml/ref/set_role.sgml
@@ -54,7 +54,12 @@ RESET ROLE
<para>
The <literal>NONE</literal> and <literal>RESET</literal> forms reset the
current
- user identifier to be the current session user identifier.
+ user identifier to the default value. The default value is whatever value
it
+ would be if no <command>SET</command> had been executed in the current
+ session. This can be the command-line option value, the per-database
default
+ setting, or the per-user default setting for the role, if any such settings
+ exist. Otherwise, the default value will be the current session user
+ identifier.
These forms can be executed by any user.
</para>
</refsect1>
Nathan
[0] https://www.postgresql.org/docs/devel/sql-set-role.html
[1]
https://git.postgresql.org/gitweb/?p=postgresql.git;a=blob;f=src/include/utils/guc.h;h=5004ee41;hb=HEAD#l79
