Greetings, * Daniel Gustafsson (dan...@yesql.se) wrote: > > On 20 Nov 2020, at 22:13, Stephen Frost <sfr...@snowman.net> wrote: > > Attached is a patch to move from 'default role' terminology to > > 'predefined role' in the documentation. In the code, I figured it made > > more sense to avoid saying either one and instead opted for just > > 'ROLE_NAME_OF_ROLE' as the #define, which we were very close to (one > > removing the 'DEFAULT' prefix) but didn't actually entirely follow. > > Predefined is a much better terminology than default for these roles, makes > the > concept a lot clearer. +1 on this patch.
Alright, now that 3b0c647bbfc52894d979976f1e6d60e40649bba7 has gone in, we can come back to the topic of renaming default roles to predefined roles as of v14. Attached is a patch which does that and adds a section to the obsolete appendix which should result in the existing links to the default roles page continuing to work (but going to the page explaining that they've been renamed to predefined roles) once v14 is released with the update. Unless there's anything further on this, I'll plan to push in the next day or so. Thanks! Stephen
From 189758e7ff55f45cc6d9ec4427f6b1dd4b5391e6 Mon Sep 17 00:00:00 2001 From: Stephen Frost <sfr...@snowman.net> Date: Wed, 31 Mar 2021 16:58:27 -0400 Subject: [PATCH] Rename Default Roles to Predefined Roles The term 'default roles' wasn't quite apt as these roles aren't able to be modified or removed after installation, so rename them to be 'Predefined Roles' instead, adding an entry into the newly added Obsolete Appendix to help users of current releases find the new documentation. Bruce Momjian and Stephen Frost Discussion: https://postgr.es/m/157742545062.1149.11052653770497832538%40wrigleys.postgresql.org and https://www.postgresql.org/message-id/20201120211304.gg16...@tamriel.snowman.net --- contrib/adminpack/adminpack.c | 7 ++++-- contrib/file_fdw/file_fdw.c | 4 ++-- .../pg_stat_statements/pg_stat_statements.c | 2 +- contrib/pgrowlocks/pgrowlocks.c | 2 +- .../sgml/appendix-obsolete-default-roles.sgml | 22 +++++++++++++++++++ doc/src/sgml/appendix-obsolete.sgml | 1 + doc/src/sgml/file-fdw.sgml | 4 ++-- doc/src/sgml/filelist.sgml | 1 + doc/src/sgml/monitoring.sgml | 2 +- doc/src/sgml/ref/copy.sgml | 2 +- doc/src/sgml/user-manag.sgml | 18 +++++++-------- src/backend/commands/copy.c | 6 ++--- src/backend/commands/user.c | 6 ++--- src/backend/replication/walreceiver.c | 2 +- src/backend/replication/walsender.c | 2 +- src/backend/storage/ipc/procarray.c | 2 +- src/backend/storage/ipc/signalfuncs.c | 2 +- src/backend/utils/adt/acl.c | 4 ++-- src/backend/utils/adt/dbsize.c | 4 ++-- src/backend/utils/adt/genfile.c | 7 ++++-- src/backend/utils/adt/pgstatfuncs.c | 2 +- src/backend/utils/misc/guc.c | 14 ++++++------ src/include/catalog/pg_authid.dat | 18 +++++++-------- 23 files changed, 82 insertions(+), 52 deletions(-) create mode 100644 doc/src/sgml/appendix-obsolete-default-roles.sgml diff --git a/contrib/adminpack/adminpack.c b/contrib/adminpack/adminpack.c index c3c5e03945..48c1746910 100644 --- a/contrib/adminpack/adminpack.c +++ b/contrib/adminpack/adminpack.c @@ -79,10 +79,13 @@ convert_and_check_filename(text *arg) * files on the server as the PG user, so no need to do any further checks * here. */ - if (is_member_of_role(GetUserId(), DEFAULT_ROLE_WRITE_SERVER_FILES)) + if (is_member_of_role(GetUserId(), ROLE_PG_WRITE_SERVER_FILES)) return filename; - /* User isn't a member of the default role, so check if it's allowable */ + /* + * User isn't a member of the pg_write_server_files role, so check if it's + * allowable + */ if (is_absolute_path(filename)) { /* Disallow '/a/b/data/..' */ diff --git a/contrib/file_fdw/file_fdw.c b/contrib/file_fdw/file_fdw.c index 2059c07349..2c2f149fb0 100644 --- a/contrib/file_fdw/file_fdw.c +++ b/contrib/file_fdw/file_fdw.c @@ -269,13 +269,13 @@ file_fdw_validator(PG_FUNCTION_ARGS) * otherwise there'd still be a security hole. */ if (strcmp(def->defname, "filename") == 0 && - !is_member_of_role(GetUserId(), DEFAULT_ROLE_READ_SERVER_FILES)) + !is_member_of_role(GetUserId(), ROLE_PG_READ_SERVER_FILES)) ereport(ERROR, (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), errmsg("only superuser or a member of the pg_read_server_files role may specify the filename option of a file_fdw foreign table"))); if (strcmp(def->defname, "program") == 0 && - !is_member_of_role(GetUserId(), DEFAULT_ROLE_EXECUTE_SERVER_PROGRAM)) + !is_member_of_role(GetUserId(), ROLE_PG_EXECUTE_SERVER_PROGRAM)) ereport(ERROR, (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), errmsg("only superuser or a member of the pg_execute_server_program role may specify the program option of a file_fdw foreign table"))); diff --git a/contrib/pg_stat_statements/pg_stat_statements.c b/contrib/pg_stat_statements/pg_stat_statements.c index 62cccbfa44..6feea2ab4f 100644 --- a/contrib/pg_stat_statements/pg_stat_statements.c +++ b/contrib/pg_stat_statements/pg_stat_statements.c @@ -1587,7 +1587,7 @@ pg_stat_statements_internal(FunctionCallInfo fcinfo, pgssEntry *entry; /* Superusers or members of pg_read_all_stats members are allowed */ - is_allowed_role = is_member_of_role(GetUserId(), DEFAULT_ROLE_READ_ALL_STATS); + is_allowed_role = is_member_of_role(GetUserId(), ROLE_PG_READ_ALL_STATS); /* hash table must exist already */ if (!pgss || !pgss_hash) diff --git a/contrib/pgrowlocks/pgrowlocks.c b/contrib/pgrowlocks/pgrowlocks.c index 714398831b..669a7d7730 100644 --- a/contrib/pgrowlocks/pgrowlocks.c +++ b/contrib/pgrowlocks/pgrowlocks.c @@ -130,7 +130,7 @@ pgrowlocks(PG_FUNCTION_ARGS) aclresult = pg_class_aclcheck(RelationGetRelid(rel), GetUserId(), ACL_SELECT); if (aclresult != ACLCHECK_OK) - aclresult = is_member_of_role(GetUserId(), DEFAULT_ROLE_STAT_SCAN_TABLES) ? ACLCHECK_OK : ACLCHECK_NO_PRIV; + aclresult = is_member_of_role(GetUserId(), ROLE_PG_STAT_SCAN_TABLES) ? ACLCHECK_OK : ACLCHECK_NO_PRIV; if (aclresult != ACLCHECK_OK) aclcheck_error(aclresult, get_relkind_objtype(rel->rd_rel->relkind), diff --git a/doc/src/sgml/appendix-obsolete-default-roles.sgml b/doc/src/sgml/appendix-obsolete-default-roles.sgml new file mode 100644 index 0000000000..ccd20a425d --- /dev/null +++ b/doc/src/sgml/appendix-obsolete-default-roles.sgml @@ -0,0 +1,22 @@ +<!-- doc/src/sgml/obsolete-default-roles.sgml --> +<!-- + See doc/src/sgml/obsolete.sgml for why this file exists. Do not change the id attribute. +--> + +<sect1 id="default-roles" xreflabel="default-roles"> + <title>Default Roles renamed to Predefined Roles</title> + + <indexterm> + <primary>default-roles</primary> + </indexterm> + + <para> + PostgreSQL 13 and below used the term 'Default Roles', however, as these + roles are not able to actually be changed and are installed as part of the + system at initialization time, the more appropriate term to use is "Predefined Roles". + See <xref linkend="predefined-roles"/> for current documentation regarding + Predefined Roles, and <link linkend="release-prior">the release notes for + PostgreSQL 14</link> for details on this change. + </para> + +</sect1> diff --git a/doc/src/sgml/appendix-obsolete.sgml b/doc/src/sgml/appendix-obsolete.sgml index ffd7d40263..d218de6c09 100644 --- a/doc/src/sgml/appendix-obsolete.sgml +++ b/doc/src/sgml/appendix-obsolete.sgml @@ -34,6 +34,7 @@ --> &obsolete-recovery-config; + &obsolete-default-roles; &obsolete-pgxlogdump; &obsolete-pgresetxlog; &obsolete-pgreceivexlog; diff --git a/doc/src/sgml/file-fdw.sgml b/doc/src/sgml/file-fdw.sgml index 8831f5911f..2e21806f48 100644 --- a/doc/src/sgml/file-fdw.sgml +++ b/doc/src/sgml/file-fdw.sgml @@ -187,8 +187,8 @@ <para> Changing table-level options requires being a superuser or having the privileges - of the default role <literal>pg_read_server_files</literal> (to use a filename) or - the default role <literal>pg_execute_server_program</literal> (to use a program), + of the role <literal>pg_read_server_files</literal> (to use a filename) or + the role <literal>pg_execute_server_program</literal> (to use a program), for security reasons: only certain users should be able to control which file is read or which program is run. In principle regular users could be allowed to change the other options, but that's not supported at present. diff --git a/doc/src/sgml/filelist.sgml b/doc/src/sgml/filelist.sgml index 70ad6a4a4f..45b701426b 100644 --- a/doc/src/sgml/filelist.sgml +++ b/doc/src/sgml/filelist.sgml @@ -188,6 +188,7 @@ <!-- Stubs for removed entries to preserve public links --> <!ENTITY obsolete SYSTEM "appendix-obsolete.sgml"> <!ENTITY obsolete-recovery-config SYSTEM "appendix-obsolete-recovery-config.sgml"> +<!ENTITY obsolete-default-roles SYSTEM "appendix-obsolete-default-roles.sgml"> <!ENTITY obsolete-pgxlogdump SYSTEM "appendix-obsolete-pgxlogdump.sgml"> <!ENTITY obsolete-pgresetxlog SYSTEM "appendix-obsolete-pgresetxlog.sgml"> <!ENTITY obsolete-pgreceivexlog SYSTEM "appendix-obsolete-pgreceivexlog.sgml"> diff --git a/doc/src/sgml/monitoring.sgml b/doc/src/sgml/monitoring.sgml index af540fb02f..56018745c8 100644 --- a/doc/src/sgml/monitoring.sgml +++ b/doc/src/sgml/monitoring.sgml @@ -282,7 +282,7 @@ postgres 27093 0.0 0.0 30096 2752 ? Ss 11:34 0:00 postgres: ser existence of a session and its general properties such as its sessions user and database are visible to all users. Superusers and members of the built-in role <literal>pg_read_all_stats</literal> (see also <xref - linkend="default-roles"/>) can see all the information about all sessions. + linkend="predefined-roles"/>) can see all the information about all sessions. </para> <table id="monitoring-stats-dynamic-views-table"> diff --git a/doc/src/sgml/ref/copy.sgml b/doc/src/sgml/ref/copy.sgml index aea2eb8386..14cd437da0 100644 --- a/doc/src/sgml/ref/copy.sgml +++ b/doc/src/sgml/ref/copy.sgml @@ -465,7 +465,7 @@ COPY <replaceable class="parameter">count</replaceable> by the server, not by the client application, must be executable by the <productname>PostgreSQL</productname> user. <command>COPY</command> naming a file or command is only allowed to - database superusers or users who are granted one of the default roles + database superusers or users who are granted one of the roles <literal>pg_read_server_files</literal>, <literal>pg_write_server_files</literal>, or <literal>pg_execute_server_program</literal>, since it allows reading diff --git a/doc/src/sgml/user-manag.sgml b/doc/src/sgml/user-manag.sgml index 6920f2db2b..d171b13236 100644 --- a/doc/src/sgml/user-manag.sgml +++ b/doc/src/sgml/user-manag.sgml @@ -483,15 +483,15 @@ DROP ROLE doomed_role; </para> </sect1> - <sect1 id="default-roles"> - <title>Default Roles</title> + <sect1 id="predefined-roles"> + <title>Predefined Roles</title> - <indexterm zone="default-roles"> + <indexterm zone="predefined-roles"> <primary>role</primary> </indexterm> <para> - <productname>PostgreSQL</productname> provides a set of default roles + <productname>PostgreSQL</productname> provides a set of predefined roles that provide access to certain, commonly needed, privileged capabilities and information. Administrators (including roles that have the <literal>CREATEROLE</literal> privilege) can <command>GRANT</command> these @@ -500,14 +500,14 @@ DROP ROLE doomed_role; </para> <para> - The default roles are described in <xref linkend="default-roles-table"/>. - Note that the specific permissions for each of the default roles may - change in the future as additional capabilities are added. Administrators + The predefined roles are described in <xref linkend="predefined-roles-table"/>. + Note that the specific permissions for each of the roles may change in + the future as additional capabilities are added. Administrators should monitor the release notes for changes. </para> - <table tocentry="1" id="default-roles-table"> - <title>Default Roles</title> + <table tocentry="1" id="predefined-roles-table"> + <title>Predefined Roles</title> <tgroup cols="2"> <colspec colname="col1" colwidth="1*"/> <colspec colname="col2" colwidth="2*"/> diff --git a/src/backend/commands/copy.c b/src/backend/commands/copy.c index 8c712c8737..8265b981eb 100644 --- a/src/backend/commands/copy.c +++ b/src/backend/commands/copy.c @@ -80,7 +80,7 @@ DoCopy(ParseState *pstate, const CopyStmt *stmt, { if (stmt->is_program) { - if (!is_member_of_role(GetUserId(), DEFAULT_ROLE_EXECUTE_SERVER_PROGRAM)) + if (!is_member_of_role(GetUserId(), ROLE_PG_EXECUTE_SERVER_PROGRAM)) ereport(ERROR, (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), errmsg("must be superuser or a member of the pg_execute_server_program role to COPY to or from an external program"), @@ -89,14 +89,14 @@ DoCopy(ParseState *pstate, const CopyStmt *stmt, } else { - if (is_from && !is_member_of_role(GetUserId(), DEFAULT_ROLE_READ_SERVER_FILES)) + if (is_from && !is_member_of_role(GetUserId(), ROLE_PG_READ_SERVER_FILES)) ereport(ERROR, (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), errmsg("must be superuser or a member of the pg_read_server_files role to COPY from a file"), errhint("Anyone can COPY to stdout or from stdin. " "psql's \\copy command also works for anyone."))); - if (!is_from && !is_member_of_role(GetUserId(), DEFAULT_ROLE_WRITE_SERVER_FILES)) + if (!is_from && !is_member_of_role(GetUserId(), ROLE_PG_WRITE_SERVER_FILES)) ereport(ERROR, (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), errmsg("must be superuser or a member of the pg_write_server_files role to COPY to a file"), diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index e91fa4c78c..a8c5188ebc 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -1501,10 +1501,10 @@ AddRoleMems(const char *rolename, Oid roleid, * situation-dependent member. There's no technical need for this * restriction. (One could lift it and take the further step of making * pg_database_ownercheck() equivalent to has_privs_of_role(roleid, - * DEFAULT_ROLE_DATABASE_OWNER), in which case explicit, + * ROLE_DATABASE_OWNER), in which case explicit, * situation-independent members could act as the owner of any database.) */ - if (roleid == DEFAULT_ROLE_DATABASE_OWNER) + if (roleid == ROLE_DATABASE_OWNER) ereport(ERROR, errmsg("role \"%s\" cannot have explicit members", rolename)); @@ -1555,7 +1555,7 @@ AddRoleMems(const char *rolename, Oid roleid, * shared object. (The effect of such ownership is that any owner of * another database can act as the owner of affected shared objects.) */ - if (memberid == DEFAULT_ROLE_DATABASE_OWNER) + if (memberid == ROLE_DATABASE_OWNER) ereport(ERROR, errmsg("role \"%s\" cannot be a member of any role", get_rolespec_name(memberRole))); diff --git a/src/backend/replication/walreceiver.c b/src/backend/replication/walreceiver.c index 8532296f26..2b6fa4019b 100644 --- a/src/backend/replication/walreceiver.c +++ b/src/backend/replication/walreceiver.c @@ -1361,7 +1361,7 @@ pg_stat_get_wal_receiver(PG_FUNCTION_ARGS) /* Fetch values */ values[0] = Int32GetDatum(pid); - if (!is_member_of_role(GetUserId(), DEFAULT_ROLE_READ_ALL_STATS)) + if (!is_member_of_role(GetUserId(), ROLE_PG_READ_ALL_STATS)) { /* * Only superusers and members of pg_read_all_stats can see details. diff --git a/src/backend/replication/walsender.c b/src/backend/replication/walsender.c index 23baa4498a..4bf8a18e01 100644 --- a/src/backend/replication/walsender.c +++ b/src/backend/replication/walsender.c @@ -3355,7 +3355,7 @@ pg_stat_get_wal_senders(PG_FUNCTION_ARGS) memset(nulls, 0, sizeof(nulls)); values[0] = Int32GetDatum(pid); - if (!is_member_of_role(GetUserId(), DEFAULT_ROLE_READ_ALL_STATS)) + if (!is_member_of_role(GetUserId(), ROLE_PG_READ_ALL_STATS)) { /* * Only superusers and members of pg_read_all_stats can see diff --git a/src/backend/storage/ipc/procarray.c b/src/backend/storage/ipc/procarray.c index 4fc6ffb917..e113a85aed 100644 --- a/src/backend/storage/ipc/procarray.c +++ b/src/backend/storage/ipc/procarray.c @@ -3752,7 +3752,7 @@ TerminateOtherDBBackends(Oid databaseId) /* Users can signal backends they have role membership in. */ if (!has_privs_of_role(GetUserId(), proc->roleId) && - !has_privs_of_role(GetUserId(), DEFAULT_ROLE_SIGNAL_BACKENDID)) + !has_privs_of_role(GetUserId(), ROLE_PG_SIGNAL_BACKEND)) ereport(ERROR, (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), errmsg("must be a member of the role whose process is being terminated or member of pg_signal_backend"))); diff --git a/src/backend/storage/ipc/signalfuncs.c b/src/backend/storage/ipc/signalfuncs.c index 69fe23a256..8b55ff6e76 100644 --- a/src/backend/storage/ipc/signalfuncs.c +++ b/src/backend/storage/ipc/signalfuncs.c @@ -74,7 +74,7 @@ pg_signal_backend(int pid, int sig) /* Users can signal backends they have role membership in. */ if (!has_privs_of_role(GetUserId(), proc->roleId) && - !has_privs_of_role(GetUserId(), DEFAULT_ROLE_SIGNAL_BACKENDID)) + !has_privs_of_role(GetUserId(), ROLE_PG_SIGNAL_BACKEND)) return SIGNAL_BACKEND_NOPERMISSION; /* diff --git a/src/backend/utils/adt/acl.c b/src/backend/utils/adt/acl.c index 6a8c6a20ee..ebf113074a 100644 --- a/src/backend/utils/adt/acl.c +++ b/src/backend/utils/adt/acl.c @@ -4741,7 +4741,7 @@ roles_is_member_of(Oid roleid, enum RoleRecurseType type, /* * Role expansion happens in a non-database backend when guc.c checks - * DEFAULT_ROLE_READ_ALL_SETTINGS for a physical walsender SHOW command. + * ROLE_READ_ALL_SETTINGS for a physical walsender SHOW command. * In that case, no role gets pg_database_owner. */ if (!OidIsValid(MyDatabaseId)) @@ -4808,7 +4808,7 @@ roles_is_member_of(Oid roleid, enum RoleRecurseType type, /* implement pg_database_owner implicit membership */ if (memberid == dba && OidIsValid(dba)) roles_list = list_append_unique_oid(roles_list, - DEFAULT_ROLE_DATABASE_OWNER); + ROLE_DATABASE_OWNER); } /* diff --git a/src/backend/utils/adt/dbsize.c b/src/backend/utils/adt/dbsize.c index 64cdaa4134..da1a879f1f 100644 --- a/src/backend/utils/adt/dbsize.c +++ b/src/backend/utils/adt/dbsize.c @@ -95,7 +95,7 @@ calculate_database_size(Oid dbOid) */ aclresult = pg_database_aclcheck(dbOid, GetUserId(), ACL_CONNECT); if (aclresult != ACLCHECK_OK && - !is_member_of_role(GetUserId(), DEFAULT_ROLE_READ_ALL_STATS)) + !is_member_of_role(GetUserId(), ROLE_PG_READ_ALL_STATS)) { aclcheck_error(aclresult, OBJECT_DATABASE, get_database_name(dbOid)); @@ -179,7 +179,7 @@ calculate_tablespace_size(Oid tblspcOid) * is default for current database. */ if (tblspcOid != MyDatabaseTableSpace && - !is_member_of_role(GetUserId(), DEFAULT_ROLE_READ_ALL_STATS)) + !is_member_of_role(GetUserId(), ROLE_PG_READ_ALL_STATS)) { aclresult = pg_tablespace_aclcheck(tblspcOid, GetUserId(), ACL_CREATE); if (aclresult != ACLCHECK_OK) diff --git a/src/backend/utils/adt/genfile.c b/src/backend/utils/adt/genfile.c index 7cf9a0efbe..322152ebd9 100644 --- a/src/backend/utils/adt/genfile.c +++ b/src/backend/utils/adt/genfile.c @@ -62,10 +62,13 @@ convert_and_check_filename(text *arg) * files on the server as the PG user, so no need to do any further checks * here. */ - if (is_member_of_role(GetUserId(), DEFAULT_ROLE_READ_SERVER_FILES)) + if (is_member_of_role(GetUserId(), ROLE_PG_READ_SERVER_FILES)) return filename; - /* User isn't a member of the default role, so check if it's allowable */ + /* + * User isn't a member of the pg_read_server_files role, so check if it's + * allowable + */ if (is_absolute_path(filename)) { /* Disallow '/a/b/data/..' */ diff --git a/src/backend/utils/adt/pgstatfuncs.c b/src/backend/utils/adt/pgstatfuncs.c index 5102227a60..9ffbca685c 100644 --- a/src/backend/utils/adt/pgstatfuncs.c +++ b/src/backend/utils/adt/pgstatfuncs.c @@ -33,7 +33,7 @@ #define UINT32_ACCESS_ONCE(var) ((uint32)(*((volatile uint32 *)&(var)))) -#define HAS_PGSTAT_PERMISSIONS(role) (is_member_of_role(GetUserId(), DEFAULT_ROLE_READ_ALL_STATS) || has_privs_of_role(GetUserId(), role)) +#define HAS_PGSTAT_PERMISSIONS(role) (is_member_of_role(GetUserId(), ROLE_PG_READ_ALL_STATS) || has_privs_of_role(GetUserId(), role)) /* Global bgwriter statistics, from bgwriter.c */ extern PgStat_MsgBgWriter bgwriterStats; diff --git a/src/backend/utils/misc/guc.c b/src/backend/utils/misc/guc.c index 03daec9a08..130374789e 100644 --- a/src/backend/utils/misc/guc.c +++ b/src/backend/utils/misc/guc.c @@ -7985,7 +7985,7 @@ GetConfigOption(const char *name, bool missing_ok, bool restrict_privileged) } if (restrict_privileged && (record->flags & GUC_SUPERUSER_ONLY) && - !is_member_of_role(GetUserId(), DEFAULT_ROLE_READ_ALL_SETTINGS)) + !is_member_of_role(GetUserId(), ROLE_PG_READ_ALL_SETTINGS)) ereport(ERROR, (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), errmsg("must be superuser or a member of pg_read_all_settings to examine \"%s\"", @@ -8035,7 +8035,7 @@ GetConfigOptionResetString(const char *name) (errcode(ERRCODE_UNDEFINED_OBJECT), errmsg("unrecognized configuration parameter \"%s\"", name))); if ((record->flags & GUC_SUPERUSER_ONLY) && - !is_member_of_role(GetUserId(), DEFAULT_ROLE_READ_ALL_SETTINGS)) + !is_member_of_role(GetUserId(), ROLE_PG_READ_ALL_SETTINGS)) ereport(ERROR, (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), errmsg("must be superuser or a member of pg_read_all_settings to examine \"%s\"", @@ -9294,7 +9294,7 @@ ShowAllGUCConfig(DestReceiver *dest) if ((conf->flags & GUC_NO_SHOW_ALL) || ((conf->flags & GUC_SUPERUSER_ONLY) && - !is_member_of_role(GetUserId(), DEFAULT_ROLE_READ_ALL_SETTINGS))) + !is_member_of_role(GetUserId(), ROLE_PG_READ_ALL_SETTINGS))) continue; /* assign to the values array */ @@ -9361,7 +9361,7 @@ get_explain_guc_options(int *num) /* return only options visible to the current user */ if ((conf->flags & GUC_NO_SHOW_ALL) || ((conf->flags & GUC_SUPERUSER_ONLY) && - !is_member_of_role(GetUserId(), DEFAULT_ROLE_READ_ALL_SETTINGS))) + !is_member_of_role(GetUserId(), ROLE_PG_READ_ALL_SETTINGS))) continue; /* return only options that are different from their boot values */ @@ -9450,7 +9450,7 @@ GetConfigOptionByName(const char *name, const char **varname, bool missing_ok) } if ((record->flags & GUC_SUPERUSER_ONLY) && - !is_member_of_role(GetUserId(), DEFAULT_ROLE_READ_ALL_SETTINGS)) + !is_member_of_role(GetUserId(), ROLE_PG_READ_ALL_SETTINGS)) ereport(ERROR, (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), errmsg("must be superuser or a member of pg_read_all_settings to examine \"%s\"", @@ -9481,7 +9481,7 @@ GetConfigOptionByNum(int varnum, const char **values, bool *noshow) { if ((conf->flags & GUC_NO_SHOW_ALL) || ((conf->flags & GUC_SUPERUSER_ONLY) && - !is_member_of_role(GetUserId(), DEFAULT_ROLE_READ_ALL_SETTINGS))) + !is_member_of_role(GetUserId(), ROLE_PG_READ_ALL_SETTINGS))) *noshow = true; else *noshow = false; @@ -9676,7 +9676,7 @@ GetConfigOptionByNum(int varnum, const char **values, bool *noshow) * insufficiently-privileged users. */ if (conf->source == PGC_S_FILE && - is_member_of_role(GetUserId(), DEFAULT_ROLE_READ_ALL_SETTINGS)) + is_member_of_role(GetUserId(), ROLE_PG_READ_ALL_SETTINGS)) { values[14] = conf->sourcefile; snprintf(buffer, sizeof(buffer), "%d", conf->sourceline); diff --git a/src/include/catalog/pg_authid.dat b/src/include/catalog/pg_authid.dat index 4c2bf972ec..65795a965b 100644 --- a/src/include/catalog/pg_authid.dat +++ b/src/include/catalog/pg_authid.dat @@ -24,47 +24,47 @@ rolcreaterole => 't', rolcreatedb => 't', rolcanlogin => 't', rolreplication => 't', rolbypassrls => 't', rolconnlimit => '-1', rolpassword => '_null_', rolvaliduntil => '_null_' }, -{ oid => '8778', oid_symbol => 'DEFAULT_ROLE_DATABASE_OWNER', +{ oid => '8778', oid_symbol => 'ROLE_DATABASE_OWNER', rolname => 'pg_database_owner', rolsuper => 'f', rolinherit => 't', rolcreaterole => 'f', rolcreatedb => 'f', rolcanlogin => 'f', rolreplication => 'f', rolbypassrls => 'f', rolconnlimit => '-1', rolpassword => '_null_', rolvaliduntil => '_null_' }, -{ oid => '3373', oid_symbol => 'DEFAULT_ROLE_MONITOR', +{ oid => '3373', oid_symbol => 'ROLE_PG_MONITOR', rolname => 'pg_monitor', rolsuper => 'f', rolinherit => 't', rolcreaterole => 'f', rolcreatedb => 'f', rolcanlogin => 'f', rolreplication => 'f', rolbypassrls => 'f', rolconnlimit => '-1', rolpassword => '_null_', rolvaliduntil => '_null_' }, -{ oid => '3374', oid_symbol => 'DEFAULT_ROLE_READ_ALL_SETTINGS', +{ oid => '3374', oid_symbol => 'ROLE_PG_READ_ALL_SETTINGS', rolname => 'pg_read_all_settings', rolsuper => 'f', rolinherit => 't', rolcreaterole => 'f', rolcreatedb => 'f', rolcanlogin => 'f', rolreplication => 'f', rolbypassrls => 'f', rolconnlimit => '-1', rolpassword => '_null_', rolvaliduntil => '_null_' }, -{ oid => '3375', oid_symbol => 'DEFAULT_ROLE_READ_ALL_STATS', +{ oid => '3375', oid_symbol => 'ROLE_PG_READ_ALL_STATS', rolname => 'pg_read_all_stats', rolsuper => 'f', rolinherit => 't', rolcreaterole => 'f', rolcreatedb => 'f', rolcanlogin => 'f', rolreplication => 'f', rolbypassrls => 'f', rolconnlimit => '-1', rolpassword => '_null_', rolvaliduntil => '_null_' }, -{ oid => '3377', oid_symbol => 'DEFAULT_ROLE_STAT_SCAN_TABLES', +{ oid => '3377', oid_symbol => 'ROLE_PG_STAT_SCAN_TABLES', rolname => 'pg_stat_scan_tables', rolsuper => 'f', rolinherit => 't', rolcreaterole => 'f', rolcreatedb => 'f', rolcanlogin => 'f', rolreplication => 'f', rolbypassrls => 'f', rolconnlimit => '-1', rolpassword => '_null_', rolvaliduntil => '_null_' }, -{ oid => '4569', oid_symbol => 'DEFAULT_ROLE_READ_SERVER_FILES', +{ oid => '4569', oid_symbol => 'ROLE_PG_READ_SERVER_FILES', rolname => 'pg_read_server_files', rolsuper => 'f', rolinherit => 't', rolcreaterole => 'f', rolcreatedb => 'f', rolcanlogin => 'f', rolreplication => 'f', rolbypassrls => 'f', rolconnlimit => '-1', rolpassword => '_null_', rolvaliduntil => '_null_' }, -{ oid => '4570', oid_symbol => 'DEFAULT_ROLE_WRITE_SERVER_FILES', +{ oid => '4570', oid_symbol => 'ROLE_PG_WRITE_SERVER_FILES', rolname => 'pg_write_server_files', rolsuper => 'f', rolinherit => 't', rolcreaterole => 'f', rolcreatedb => 'f', rolcanlogin => 'f', rolreplication => 'f', rolbypassrls => 'f', rolconnlimit => '-1', rolpassword => '_null_', rolvaliduntil => '_null_' }, -{ oid => '4571', oid_symbol => 'DEFAULT_ROLE_EXECUTE_SERVER_PROGRAM', +{ oid => '4571', oid_symbol => 'ROLE_PG_EXECUTE_SERVER_PROGRAM', rolname => 'pg_execute_server_program', rolsuper => 'f', rolinherit => 't', rolcreaterole => 'f', rolcreatedb => 'f', rolcanlogin => 'f', rolreplication => 'f', rolbypassrls => 'f', rolconnlimit => '-1', rolpassword => '_null_', rolvaliduntil => '_null_' }, -{ oid => '4200', oid_symbol => 'DEFAULT_ROLE_SIGNAL_BACKENDID', +{ oid => '4200', oid_symbol => 'ROLE_PG_SIGNAL_BACKEND', rolname => 'pg_signal_backend', rolsuper => 'f', rolinherit => 't', rolcreaterole => 'f', rolcreatedb => 'f', rolcanlogin => 'f', rolreplication => 'f', rolbypassrls => 'f', rolconnlimit => '-1', -- 2.27.0
signature.asc
Description: PGP signature
