mirrors/postgres
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Improve documentation of the CREATEROLE attibute.

Browse Source 
In user-manag.sgml, document precisely what privileges are conveyed
by CREATEROLE. Make particular note of the fact that it allows
changing passwords and granting access to high-privilege roles.
Also remove the suggestion of using a user with CREATEROLE and
CREATEDB instead of a superuser, as there is no real security
advantage to this approach.

Elsewhere in the documentation, adjust text that suggests that
<literal>CREATEROLE</literal> only allows for role creation, and
refer to the documentation in user-manag.sgml as appropriate.

Patch by me, reviewed by Álvaro Herrera

Discussion: http://postgr.es/m/CA+TgmoZBsPL8nPhvYecx7iGo5qpDRqa9k_AcaW1SbOjugAY1Ag@mail.gmail.com
This commit is contained in:
Robert Haas 2023-01-03 14:50:40 -05:00
parent 54afdcd618
commit 1c77873727
4 changed files with 52 additions and 25 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
doc/src/sgml/ref/alter_role.sgml
View File

@ -320,7 +320,7 @@ ALTER ROLE fred VALID UNTIL 'infinity';
</para> </para>
<para> <para>
Give a role the ability to create other roles and new databases: Give a role the ability to manage other roles and create new databases:
<programlisting> <programlisting>
ALTER ROLE miriam CREATEROLE CREATEDB; ALTER ROLE miriam CREATEROLE CREATEDB;

10
doc/src/sgml/ref/create_role.sgml
View File

@ -119,11 +119,11 @@ in sync when changing the above synopsis!
<listitem> <listitem>
<para> <para>
These clauses determine whether a role will be permitted to These clauses determine whether a role will be permitted to
create new roles (that is, execute <command>CREATE ROLE</command>). create, alter, drop, comment on, change the security label for,
A role with <literal>CREATEROLE</literal> privilege can also alter and grant or revoke membership in other roles.
and drop other roles. See <xref linkend='role-creation' /> for more details about what
If not specified, capabilities are conferred by this privilege.
<literal>NOCREATEROLE</literal> is the default. If not specified, <literal>NOCREATEROLE</literal> is the default.
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>

18
doc/src/sgml/ref/createuser.sgml
View File

@ -41,10 +41,14 @@ PostgreSQL documentation
</para> </para>
<para> <para>
If you wish to create a new superuser, you must connect as a If you wish to create a role with the <literal>SUPERUSER</literal>,
superuser, not merely with <literal>CREATEROLE</literal> privilege. <literal>REPLICATION</literal>, or <literal>BYPASSRLS</literal> privilege,
you must connect as a superuser, not merely with
<literal>CREATEROLE</literal> privilege.
Being a superuser implies the ability to bypass all access permission Being a superuser implies the ability to bypass all access permission
checks within the database, so superuser access should not be granted lightly. checks within the database, so superuser access should not be granted
lightly. <literal>CREATEROLE</literal> also conveys
<link linkend='role-creation'>very extensive privileges</link>.
</para> </para>
<para> <para>
@ -247,8 +251,12 @@ PostgreSQL documentation
<term><option>--createrole</option></term> <term><option>--createrole</option></term>
<listitem> <listitem>
<para> <para>
The new user will be allowed to create new roles (that is, The new user will be allowed to create, alter, drop, comment on,
this user will have <literal>CREATEROLE</literal> privilege). change the security label for, and grant or revoke membership in
other roles; that is,
this user will have <literal>CREATEROLE</literal> privilege.
See <xref linkend='role-creation' /> for more details about what
capabilities are conferred by this privilege.
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>

47
doc/src/sgml/user-manag.sgml
View File

@ -191,7 +191,7 @@ CREATE USER <replaceable>name</replaceable>;
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term>role creation<indexterm><primary>role</primary><secondary>privilege to create</secondary></indexterm></term> <term id='role-creation'>role creation<indexterm><primary>role</primary><secondary>privilege to create</secondary></indexterm></term>
<listitem> <listitem>
<para> <para>
A role must be explicitly given permission to create more roles A role must be explicitly given permission to create more roles
@ -200,9 +200,38 @@ CREATE USER <replaceable>name</replaceable>;
<replaceable>name</replaceable> CREATEROLE</literal>. <replaceable>name</replaceable> CREATEROLE</literal>.
A role with <literal>CREATEROLE</literal> privilege can alter and drop A role with <literal>CREATEROLE</literal> privilege can alter and drop
other roles, too, as well as grant or revoke membership in them. other roles, too, as well as grant or revoke membership in them.
However, to create, alter, drop, or change membership of a Altering a role includes most changes that can be made using
superuser role, superuser status is required; <literal>ALTER ROLE</literal>, including, for example, changing
<literal>CREATEROLE</literal> is insufficient for that. passwords. It also includes modifications to a role that can
be made using the <literal>COMMENT</literal> and
<literal>SECURITY LABEL</literal> commands.
</para>
<para>
However, <literal>CREATEROLE</literal> does not convey the ability to
create <literal>SUPERUSER</literal> roles, nor does it convey any
power over <literal>SUPERUSER</literal> roles that already exist.
Furthermore, <literal>CREATEROLE</literal> does not convey the power
to create <literal>REPLICATION</literal> users, nor the ability to
grant or revoke the <literal>REPLICATION</literal> privilege, nor the
ability to modify the role properties of such users. However, it does
allow <literal>ALTER ROLE ... SET</literal> and
<literal>ALTER ROLE ... RENAME</literal> to be used on
<literal>REPLICATION</literal> roles, as well as the use of
<literal>COMMENT ON ROLE</literal>,
<literal>SECURITY LABEL ON ROLE</literal>,
and <literal>DROP ROLE</literal>.
Finally, <literal>CREATEROLE</literal> does not
confer the ability to grant or revoke the <literal>BYPASSRLS</literal>
privilege.
</para>
<para>
Because the <literal>CREATEROLE</literal> privilege allows a user
to grant or revoke membership even in roles to which it does not (yet)
have any access, a <literal>CREATEROLE</literal> user can obtain access
to the capabilities of every predefined role in the system, including
highly privileged roles such as
<literal>pg_execute_server_program</literal> and
<literal>pg_write_server_files</literal>.
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -280,16 +309,6 @@ CREATE USER <replaceable>name</replaceable>;
and <xref linkend="sql-alterrole"/> commands for details. and <xref linkend="sql-alterrole"/> commands for details.
</para> </para>
<tip>
<para>
It is good practice to create a role that has the <literal>CREATEDB</literal>
and <literal>CREATEROLE</literal> privileges, but is not a superuser, and then
use this role for all routine management of databases and roles. This
approach avoids the dangers of operating as a superuser for tasks that
do not really require it.
</para>
</tip>
<para> <para>
A role can also have role-specific defaults for many of the run-time A role can also have role-specific defaults for many of the run-time
configuration settings described in <xref configuration settings described in <xref