pg_user cleanup.
This commit is contained in:
parent
ea89acc4d7
commit
ba1d990cf7
@ -89,7 +89,7 @@ void
|
||||
DefineUser(CreateUserStmt *stmt)
|
||||
{
|
||||
|
||||
char *pg_user;
|
||||
char *pg_shadow;
|
||||
Relation pg_shadow_rel;
|
||||
TupleDesc pg_shadow_dsc;
|
||||
HeapScanDesc scan;
|
||||
@ -112,12 +112,12 @@ DefineUser(CreateUserStmt *stmt)
|
||||
* Make sure the user attempting to create a user can insert into the
|
||||
* pg_shadow relation.
|
||||
*/
|
||||
pg_user = GetPgUserName();
|
||||
if (pg_aclcheck(ShadowRelationName, pg_user, ACL_RD | ACL_WR | ACL_AP) != ACLCHECK_OK)
|
||||
pg_shadow = GetPgUserName();
|
||||
if (pg_aclcheck(ShadowRelationName, pg_shadow, ACL_RD | ACL_WR | ACL_AP) != ACLCHECK_OK)
|
||||
{
|
||||
UserAbortTransactionBlock();
|
||||
elog(ERROR, "defineUser: user \"%s\" does not have SELECT and INSERT privilege for \"%s\"",
|
||||
pg_user, ShadowRelationName);
|
||||
pg_shadow, ShadowRelationName);
|
||||
return;
|
||||
}
|
||||
|
||||
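Review bot: The privilege named in the error text does not match the mask that is tested on the new line `if (pg_aclcheck(ShadowRelationName, pg_shadow, ACL_RD | ACL_WR | ACL_AP) != ACLCHECK_OK)`: the mask also demands ACL_WR, yet the elog that follows reports only a missing "SELECT and INSERT privilege", so a caller holding exactly those two modes would presumably be refused with a message that says they already have what is required. The same drift is visible in RemoveUser's hunk (`@ -369`), whose mask `ACL_RD | ACL_WR` is identical to AlterUser's while its message says "SELECT and DELETE" instead of "SELECT and UPDATE"; if ACL_WR is intended to cover both UPDATE and DELETE here, the messages should still name the mode that is actually checked. Either narrow the DefineUser mask to the modes the message lists, or reword the message to enumerate every mode in the mask, e.g. `"defineUser: user \"%s\" does not have SELECT, UPDATE and INSERT privilege for \"%s\""`. While these lines are touched, the leading comment in the AlterUser and RemoveUser hunks still reads "the user attempting to create a user", a copy-paste leftover that should say "alter" and "remove" respectively. DefineUser's body starts and ends outside this hunk.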
@ -220,7 +220,7 @@ extern void
|
||||
AlterUser(AlterUserStmt *stmt)
|
||||
{
|
||||
|
||||
char *pg_user;
|
||||
char *pg_shadow;
|
||||
Relation pg_shadow_rel;
|
||||
TupleDesc pg_shadow_dsc;
|
||||
HeapScanDesc scan;
|
||||
@ -242,12 +242,12 @@ AlterUser(AlterUserStmt *stmt)
|
||||
* Make sure the user attempting to create a user can insert into the
|
||||
* pg_shadow relation.
|
||||
*/
|
||||
pg_user = GetPgUserName();
|
||||
if (pg_aclcheck(ShadowRelationName, pg_user, ACL_RD | ACL_WR) != ACLCHECK_OK)
|
||||
pg_shadow = GetPgUserName();
|
||||
if (pg_aclcheck(ShadowRelationName, pg_shadow, ACL_RD | ACL_WR) != ACLCHECK_OK)
|
||||
{
|
||||
UserAbortTransactionBlock();
|
||||
elog(ERROR, "alterUser: user \"%s\" does not have SELECT and UPDATE privilege for \"%s\"",
|
||||
pg_user, ShadowRelationName);
|
||||
pg_shadow, ShadowRelationName);
|
||||
return;
|
||||
}
|
||||
|
||||
@ -347,7 +347,7 @@ extern void
|
||||
RemoveUser(char *user)
|
||||
{
|
||||
|
||||
char *pg_user;
|
||||
char *pg_shadow;
|
||||
Relation pg_shadow_rel,
|
||||
pg_rel;
|
||||
TupleDesc pg_dsc;
|
||||
@ -369,12 +369,12 @@ RemoveUser(char *user)
|
||||
* Make sure the user attempting to create a user can delete from the
|
||||
* pg_shadow relation.
|
||||
*/
|
||||
pg_user = GetPgUserName();
|
||||
if (pg_aclcheck(ShadowRelationName, pg_user, ACL_RD | ACL_WR) != ACLCHECK_OK)
|
||||
pg_shadow = GetPgUserName();
|
||||
if (pg_aclcheck(ShadowRelationName, pg_shadow, ACL_RD | ACL_WR) != ACLCHECK_OK)
|
||||
{
|
||||
UserAbortTransactionBlock();
|
||||
elog(ERROR, "removeUser: user \"%s\" does not have SELECT and DELETE privilege for \"%s\"",
|
||||
pg_user, ShadowRelationName);
|
||||
pg_shadow, ShadowRelationName);
|
||||
return;
|
||||
}
|
||||
|
||||
@ -463,7 +463,7 @@ RemoveUser(char *user)
|
||||
* tables, views, etc owned by the user.
|
||||
*
|
||||
* The second option would be to create a means of deleting tables, view,
|
||||
* etc. owned by the user from other databases. Pg_user is global and
|
||||
* etc. owned by the user from other databases. pg_shadow is global and
|
||||
* so this must be done at some point.
|
||||
*
|
||||
* Let us not forget that the user should be removed from the pg_groups
|
||||
|
@ -68,10 +68,11 @@
|
||||
# by the host. If AUTH_ARGUMENT is specified then the password is
|
||||
# compared with the user's entry in that file (in the $PGDATA
|
||||
# directory). See pg_passwd(1). If it is omitted then the
|
||||
# password is compared with the user's entry in the pg_user table.
|
||||
# password is compared with the user's entry in the pg_shadow
|
||||
# table.
|
||||
#
|
||||
# crypt: Authentication is done by matching an encrypted password supplied
|
||||
# by the host with that held for the user in the pg_user table.
|
||||
# by the host with that held for the user in the pg_shadow table.
|
||||
#
|
||||
# krb4: Kerberos V4 authentication is used.
|
||||
#
|
||||
|
@ -1,6 +1,6 @@
|
||||
.\" This is -*-nroff-*-
|
||||
.\" XXX standard disclaimer belongs here....
|
||||
.\" $Header: /cvsroot/pgsql/src/man/Attic/alter_user.l,v 1.1 1998/01/25 07:42:00 scrappy Exp $
|
||||
.\" $Header: /cvsroot/pgsql/src/man/Attic/alter_user.l,v 1.2 1998/03/06 18:02:49 momjian Exp $
|
||||
.TH "ALTER USER" SQL 01/26/98 PostgreSQL PostgreSQL
|
||||
.SH NAME
|
||||
alter user -- alter user account information within a PostgreSQL instance
|
||||
@ -20,10 +20,10 @@ detailed description of each of the clause in the alter user statement,
|
||||
please see the create_user(l) manual page. Please note that it is not
|
||||
possible to alter a user's usesysid via the alter user statement. Also,
|
||||
it is only possible for the postgres user or any user with read and modify
|
||||
permissions on pg_user to alter user passwords.
|
||||
permissions on pg_shadow to alter user passwords.
|
||||
|
||||
If any of the clauses of the alter user statement are omitted, the
|
||||
corresponding value in the pg_user relation is left unchanged.
|
||||
corresponding value in the pg_shadow relation is left unchanged.
|
||||
|
||||
This statement can be used to modify users created with createuser(1).
|
||||
|
||||
|
@ -1,6 +1,6 @@
|
||||
.\" This is -*-nroff-*-
|
||||
.\" XXX standard disclaimer belongs here....
|
||||
.\" $Header: /cvsroot/pgsql/src/man/Attic/catalogs.3,v 1.3 1998/01/11 22:17:06 momjian Exp $
|
||||
.\" $Header: /cvsroot/pgsql/src/man/Attic/catalogs.3,v 1.4 1998/03/06 18:03:02 momjian Exp $
|
||||
.TH "SYSTEM CATALOGS" INTRO 03/13/94 PostgreSQL PostgreSQL
|
||||
.SH "Section 7 - System Catalogs"
|
||||
.de LS
|
||||
@ -43,7 +43,7 @@ the site:
|
||||
\fBname\fP \fBshared/local\fP \fBdescription\fP
|
||||
pg_database shared current databases
|
||||
pg_group shared user groups
|
||||
pg_user shared valid users
|
||||
pg_shadow shared valid users
|
||||
.LE
|
||||
.SH "RULE SYSTEM CATALOGS"
|
||||
.LS
|
||||
@ -339,7 +339,7 @@ pg_group
|
||||
int2 grolist[1] /* list of usesysids of group members */
|
||||
.fi
|
||||
.nf M
|
||||
pg_user
|
||||
pg_shadow
|
||||
NameData usename /* user's name */
|
||||
int2 usesysid /* user's UNIX user id */
|
||||
bool usecreatedb /* can user create databases? */
|
||||
|
@ -1,6 +1,6 @@
|
||||
.\" This is -*-nroff-*-
|
||||
.\" XXX standard disclaimer belongs here....
|
||||
.\" $Header: /cvsroot/pgsql/src/man/Attic/create_user.l,v 1.1 1998/01/25 07:42:01 scrappy Exp $
|
||||
.\" $Header: /cvsroot/pgsql/src/man/Attic/create_user.l,v 1.2 1998/03/06 18:03:21 momjian Exp $
|
||||
.TH "CREATE USER" SQL 01/26/98 PostgreSQL PostgreSQL
|
||||
.SH NAME
|
||||
create user -- create a new user within a PostgreSQL instance
|
||||
@ -16,7 +16,7 @@ create user -- create a new user within a PostgreSQL instance
|
||||
.SH DESCRIPTION
|
||||
.BR "create user"
|
||||
will add a new user to an instance of PostgreSQL. The new user will be
|
||||
given a usesysid of 'SELECT max(usesysid) + 1 FROM pg_user'. This means
|
||||
given a usesysid of 'SELECT max(usesysid) + 1 FROM pg_shadow'. This means
|
||||
that a PostgreSQL user's usesysid will not correspond to their operating
|
||||
system(OS) user id. The exception to this rule is the 'postgres' user,
|
||||
whose OS user id is used as the usesysid during the initdb process. If
|
||||
@ -24,15 +24,15 @@ you still want the OS user id and the usesysid to match for any given
|
||||
user, then use the createuser(1) script provided with the PostgreSQL
|
||||
distribution.
|
||||
|
||||
The 'with password' clause sets the user's password within the pg_user
|
||||
relation. For this reason, pg_user is no longer accessible to the
|
||||
The 'with password' clause sets the user's password within the pg_shadow
|
||||
relation. For this reason, pg_shadow is no longer accessible to the
|
||||
'public' group. Please note that when initdb(1) is executed for an
|
||||
instance of PostgreSQL that the postgres user's password is initially set
|
||||
to NULL. When a user's password in the pg_user relation is NULL, then
|
||||
to NULL. When a user's password in the pg_shadow relation is NULL, then
|
||||
user authentication proceeds as it historically has (HBA, PG_PASSWORD,
|
||||
etc). However, if a password is set for a user, then a new authentication
|
||||
system supplants any other configured for the PostgreSQL instance, and the
|
||||
password stored in the pg_user relation is used for authentication. For
|
||||
password stored in the pg_shadow relation is used for authentication. For
|
||||
more details on how this authentication system functions see pg_crypt(3).
|
||||
If the 'with password' clause is omitted, then the user's password is set
|
||||
to the empty string with equates to a NULL value in the authentication
|
||||
@ -54,9 +54,9 @@ defined in the pg_group relation).
|
||||
|
||||
Finally, the 'valid until' clause sets an absolute time after which the
|
||||
user's PostgreSQL login is no longer valid. Please note that if a user
|
||||
does not have a password defined in the pg_user relation, then the valid
|
||||
does not have a password defined in the pg_shadow relation, then the valid
|
||||
until date will not be checked during user authentication. If this clause
|
||||
is omitted, then a NULL value is stored in pg_user for this attribute, and
|
||||
is omitted, then a NULL value is stored in pg_shadow for this attribute, and
|
||||
the login will be valid for all time.
|
||||
|
||||
.SH EXAMPLES
|
||||
|
@ -1,6 +1,6 @@
|
||||
.\" This is -*-nroff-*-
|
||||
.\" XXX standard disclaimer belongs here....
|
||||
.\" $Header: /cvsroot/pgsql/src/man/Attic/createuser.1,v 1.6 1998/01/26 01:42:44 scrappy Exp $
|
||||
.\" $Header: /cvsroot/pgsql/src/man/Attic/createuser.1,v 1.7 1998/03/06 18:03:31 momjian Exp $
|
||||
.TH CREATEUSER UNIX 11/05/95 PostgreSQL PostgreSQL
|
||||
.SH NAME
|
||||
createuser - create a Postgres user
|
||||
@ -19,7 +19,7 @@ port]
|
||||
.SH DESCRIPTION
|
||||
.IR Createuser
|
||||
creates a new Postgres user. Only users with \*(lqusesuper\*(rq set in
|
||||
the \*(lqpg_user\*(rq class can create new Postgres users. As shipped,
|
||||
the \*(lqpg_shadow\*(rq class can create new Postgres users. As shipped,
|
||||
the user \*(lqpostgres\*(rq can create users.
|
||||
.PP
|
||||
.IR Createuser
|
||||
@ -96,8 +96,8 @@ is running on the proper host and that you have specified the proper
|
||||
port. If your site uses an authentication system, ensure that you
|
||||
have obtained the required authentication credentials.
|
||||
.TP
|
||||
.BI "user \*(lq" "username" "\*(rq is not in \*(lqpg_user\*(rq"
|
||||
You do not have a valid entry in the relation \*(lqpg_user\*(rq and
|
||||
.BI "user \*(lq" "username" "\*(rq is not in \*(lqpg_shadow\*(rq"
|
||||
You do not have a valid entry in the relation \*(lqpg_shadow\*(rq and
|
||||
cannot do anything with Postgres at all; contact your Postgres site
|
||||
administrator.
|
||||
.TP
|
||||
@ -106,7 +106,7 @@ You do not have permission to create new users; contact your Postgres
|
||||
site administrator.
|
||||
.TP
|
||||
.BI "user \*(lq" "username" "\*(rq already exists"
|
||||
The user to be added already has an entry in the \*(lqpg_user\*(rq
|
||||
The user to be added already has an entry in the \*(lqpg_shadow\*(rq
|
||||
class.
|
||||
.TP
|
||||
.BR "database access failed"
|
||||
|
@ -1,6 +1,6 @@
|
||||
.\" This is -*-nroff-*-
|
||||
.\" XXX standard disclaimer belongs here....
|
||||
.\" $Header: /cvsroot/pgsql/src/man/Attic/destroyuser.1,v 1.6 1998/01/26 01:42:46 scrappy Exp $
|
||||
.\" $Header: /cvsroot/pgsql/src/man/Attic/destroyuser.1,v 1.7 1998/03/06 18:03:35 momjian Exp $
|
||||
.TH DESTROYUSER UNIX 11/05/95 PostgreSQL PostgreSQL
|
||||
.SH NAME
|
||||
destroyuser - destroy a Postgres user and associated databases
|
||||
@ -21,7 +21,7 @@ port]
|
||||
.IR Destroyuser
|
||||
destroys an existing Postgres user and the databases for which that user
|
||||
is database administrator. Only users with \*(lqusesuper\*(rq set in
|
||||
the \*(lqpg_user\*(rq class can destroy new Postgres users. As shipped,
|
||||
the \*(lqpg_shadow\*(rq class can destroy new Postgres users. As shipped,
|
||||
the user \*(lqpostgres\*(rq can destroy users.
|
||||
.PP
|
||||
.IR Destroyuser
|
||||
@ -92,8 +92,8 @@ is running on the proper host and that you have specified the proper
|
||||
port. If your site uses an authentication system, ensure that you
|
||||
have obtained the required authentication credentials.
|
||||
.TP
|
||||
.BI "user \*(lq" "username" "\*(rq is not in \*(lqpg_user\*(rq"
|
||||
You do not have a valid entry in the relation \*(lqpg_user\*(rq and
|
||||
.BI "user \*(lq" "username" "\*(rq is not in \*(lqpg_shadow\*(rq"
|
||||
You do not have a valid entry in the relation \*(lqpg_shadow\*(rq and
|
||||
cannot do anything with Postgres at all; contact your Postgres site
|
||||
administrator.
|
||||
.TP
|
||||
@ -102,7 +102,7 @@ You do not have permission to delete users; contact your Postgres site
|
||||
administrator.
|
||||
.TP
|
||||
.BI "user \*(lq" "username" "\*(rq does not exist"
|
||||
The user to be removed does not have an entry in the \*(lqpg_user\*(rq
|
||||
The user to be removed does not have an entry in the \*(lqpg_shadow\*(rq
|
||||
class.
|
||||
.TP
|
||||
.BR "database access failed"
|
||||
|
@ -1,6 +1,6 @@
|
||||
.\" This is -*-nroff-*-
|
||||
.\" XXX standard disclaimer belongs here....
|
||||
.\" $Header: /cvsroot/pgsql/src/man/Attic/pg_dumpall.1,v 1.3 1998/01/11 22:17:47 momjian Exp $
|
||||
.\" $Header: /cvsroot/pgsql/src/man/Attic/pg_dumpall.1,v 1.4 1998/03/06 18:03:37 momjian Exp $
|
||||
.TH pg_dumpall UNIX 1/20/96 PostgreSQL PostgreSQL
|
||||
.SH NAME
|
||||
pg_dumpall - dumps out all Postgres databases into a script file
|
||||
@ -10,7 +10,7 @@ pg_dumpall - dumps out all Postgres databases into a script file
|
||||
.SH DESCRIPTION
|
||||
.IR "pg_dumpall"
|
||||
is a utility for dumping out all Postgres databases into one file.
|
||||
It also dumps the pg_user table, which is global to all databases.
|
||||
It also dumps the pg_shadow table, which is global to all databases.
|
||||
pg_dumpall creates each dumped database before loading.
|
||||
pg_dumpall takes all pg_dump options, but \fB-f\fR and \fBdbname\fR
|
||||
should not be used.
|
||||
|
@ -1,5 +1,5 @@
|
||||
.\" This is -*-nroff-*-
|
||||
.\" $Header: /cvsroot/pgsql/src/man/Attic/pg_hba.conf.5,v 1.4 1998/01/27 03:25:14 scrappy Exp $
|
||||
.\" $Header: /cvsroot/pgsql/src/man/Attic/pg_hba.conf.5,v 1.5 1998/03/06 18:03:38 momjian Exp $
|
||||
.TH pg_hba.conf 5 1/26/98 PostgreSQL PostgreSQL
|
||||
.SH NAME
|
||||
$PGDATA/pg_hba.conf
|
||||
@ -61,16 +61,16 @@ domain sockets.
|
||||
.PP
|
||||
.IR crypt
|
||||
- the client is asked for a password for the user. This is sent encrypted
|
||||
(using crypt(3)) and compared against the password held in the pg_user table.
|
||||
(using crypt(3)) and compared against the password held in the pg_shadow table.
|
||||
If the passwords match, the connection is allowed.
|
||||
.PP
|
||||
.IR password
|
||||
- the client is asked for a password for the user. This is sent in clear
|
||||
and compared against the password held in the pg_user table.
|
||||
and compared against the password held in the pg_shadow table.
|
||||
If the passwords match, the connection is allowed. An optional password file
|
||||
may be specified after the
|
||||
.IR password
|
||||
keyword which is used to match the supplied password rather than the pg_user
|
||||
keyword which is used to match the supplied password rather than the pg_shadow
|
||||
table. See pg_passwd(1).
|
||||
.PP
|
||||
The following authentication methods are supported for TCP/IP
|
||||
|