mirror of
https://github.com/postgres/postgres.git
synced 2026-03-28 21:33:14 -04:00
c3afe8cf5a
This role can be granted to non-superusers to allow them to issue CREATE SUBSCRIPTION. The non-superuser must additionally have CREATE permissions on the database in which the subscription is to be created. Most forms of ALTER SUBSCRIPTION, including ALTER SUBSCRIPTION .. SKIP, now require only that the role performing the operation own the subscription, or inherit the privileges of the owner. However, to use ALTER SUBSCRIPTION ... RENAME or ALTER SUBSCRIPTION ... OWNER TO, you also need CREATE permission on the database. This is similar to what we do for schemas. To change the owner of a schema, you must also have permission to SET ROLE to the new owner, similar to what we do for other object types. Non-superusers are required to specify a password for authentication and the remote side must use the password, similar to what is required for postgres_fdw and dblink. A superuser who wants a non-superuser to own a subscription that does not rely on password authentication may set the new password_required=false property on that subscription. A non-superuser may not set password_required=false and may not modify a subscription that already has password_required=false. This new password_required subscription property works much like the eponymous postgres_fdw property. In both cases, the actual semantics are that a password is not required if either (1) the property is set to false or (2) the relevant user is the superuser. Patch by me, reviewed by Andres Freund, Jeff Davis, Mark Dilger, and Stephen Frost (but some of those people did not fully endorse all of the decisions that the patch makes). Discussion: http://postgr.es/m/CA+TgmoaDH=0Xj7OBiQnsHTKcF2c4L+=gzPBUKSJLh8zed2_+Dg@mail.gmail.com
103 lines
5.7 KiB
Text
103 lines
5.7 KiB
Text
#----------------------------------------------------------------------
|
|
#
|
|
# pg_authid.dat
|
|
# Initial contents of the pg_authid system catalog.
|
|
#
|
|
# Portions Copyright (c) 1996-2023, PostgreSQL Global Development Group
|
|
# Portions Copyright (c) 1994, Regents of the University of California
|
|
#
|
|
# src/include/catalog/pg_authid.dat
|
|
#
|
|
#----------------------------------------------------------------------
|
|
|
|
[
|
|
|
|
# The C code typically refers to these roles using the #define symbols,
|
|
# so make sure every entry has an oid_symbol value.
|
|
|
|
# The bootstrap superuser is named POSTGRES according to this data and
|
|
# according to BKI_DEFAULT entries in other catalogs. However, initdb
|
|
# will replace that at database initialization time.
|
|
|
|
{ oid => '10', oid_symbol => 'BOOTSTRAP_SUPERUSERID',
|
|
rolname => 'POSTGRES', rolsuper => 't', rolinherit => 't',
|
|
rolcreaterole => 't', rolcreatedb => 't', rolcanlogin => 't',
|
|
rolreplication => 't', rolbypassrls => 't', rolconnlimit => '-1',
|
|
rolpassword => '_null_', rolvaliduntil => '_null_' },
|
|
{ oid => '6171', oid_symbol => 'ROLE_PG_DATABASE_OWNER',
|
|
rolname => 'pg_database_owner', rolsuper => 'f', rolinherit => 't',
|
|
rolcreaterole => 'f', rolcreatedb => 'f', rolcanlogin => 'f',
|
|
rolreplication => 'f', rolbypassrls => 'f', rolconnlimit => '-1',
|
|
rolpassword => '_null_', rolvaliduntil => '_null_' },
|
|
{ oid => '6181', oid_symbol => 'ROLE_PG_READ_ALL_DATA',
|
|
rolname => 'pg_read_all_data', rolsuper => 'f', rolinherit => 't',
|
|
rolcreaterole => 'f', rolcreatedb => 'f', rolcanlogin => 'f',
|
|
rolreplication => 'f', rolbypassrls => 'f', rolconnlimit => '-1',
|
|
rolpassword => '_null_', rolvaliduntil => '_null_' },
|
|
{ oid => '6182', oid_symbol => 'ROLE_PG_WRITE_ALL_DATA',
|
|
rolname => 'pg_write_all_data', rolsuper => 'f', rolinherit => 't',
|
|
rolcreaterole => 'f', rolcreatedb => 'f', rolcanlogin => 'f',
|
|
rolreplication => 'f', rolbypassrls => 'f', rolconnlimit => '-1',
|
|
rolpassword => '_null_', rolvaliduntil => '_null_' },
|
|
{ oid => '3373', oid_symbol => 'ROLE_PG_MONITOR',
|
|
rolname => 'pg_monitor', rolsuper => 'f', rolinherit => 't',
|
|
rolcreaterole => 'f', rolcreatedb => 'f', rolcanlogin => 'f',
|
|
rolreplication => 'f', rolbypassrls => 'f', rolconnlimit => '-1',
|
|
rolpassword => '_null_', rolvaliduntil => '_null_' },
|
|
{ oid => '3374', oid_symbol => 'ROLE_PG_READ_ALL_SETTINGS',
|
|
rolname => 'pg_read_all_settings', rolsuper => 'f', rolinherit => 't',
|
|
rolcreaterole => 'f', rolcreatedb => 'f', rolcanlogin => 'f',
|
|
rolreplication => 'f', rolbypassrls => 'f', rolconnlimit => '-1',
|
|
rolpassword => '_null_', rolvaliduntil => '_null_' },
|
|
{ oid => '3375', oid_symbol => 'ROLE_PG_READ_ALL_STATS',
|
|
rolname => 'pg_read_all_stats', rolsuper => 'f', rolinherit => 't',
|
|
rolcreaterole => 'f', rolcreatedb => 'f', rolcanlogin => 'f',
|
|
rolreplication => 'f', rolbypassrls => 'f', rolconnlimit => '-1',
|
|
rolpassword => '_null_', rolvaliduntil => '_null_' },
|
|
{ oid => '3377', oid_symbol => 'ROLE_PG_STAT_SCAN_TABLES',
|
|
rolname => 'pg_stat_scan_tables', rolsuper => 'f', rolinherit => 't',
|
|
rolcreaterole => 'f', rolcreatedb => 'f', rolcanlogin => 'f',
|
|
rolreplication => 'f', rolbypassrls => 'f', rolconnlimit => '-1',
|
|
rolpassword => '_null_', rolvaliduntil => '_null_' },
|
|
{ oid => '4569', oid_symbol => 'ROLE_PG_READ_SERVER_FILES',
|
|
rolname => 'pg_read_server_files', rolsuper => 'f', rolinherit => 't',
|
|
rolcreaterole => 'f', rolcreatedb => 'f', rolcanlogin => 'f',
|
|
rolreplication => 'f', rolbypassrls => 'f', rolconnlimit => '-1',
|
|
rolpassword => '_null_', rolvaliduntil => '_null_' },
|
|
{ oid => '4570', oid_symbol => 'ROLE_PG_WRITE_SERVER_FILES',
|
|
rolname => 'pg_write_server_files', rolsuper => 'f', rolinherit => 't',
|
|
rolcreaterole => 'f', rolcreatedb => 'f', rolcanlogin => 'f',
|
|
rolreplication => 'f', rolbypassrls => 'f', rolconnlimit => '-1',
|
|
rolpassword => '_null_', rolvaliduntil => '_null_' },
|
|
{ oid => '4571', oid_symbol => 'ROLE_PG_EXECUTE_SERVER_PROGRAM',
|
|
rolname => 'pg_execute_server_program', rolsuper => 'f', rolinherit => 't',
|
|
rolcreaterole => 'f', rolcreatedb => 'f', rolcanlogin => 'f',
|
|
rolreplication => 'f', rolbypassrls => 'f', rolconnlimit => '-1',
|
|
rolpassword => '_null_', rolvaliduntil => '_null_' },
|
|
{ oid => '4200', oid_symbol => 'ROLE_PG_SIGNAL_BACKEND',
|
|
rolname => 'pg_signal_backend', rolsuper => 'f', rolinherit => 't',
|
|
rolcreaterole => 'f', rolcreatedb => 'f', rolcanlogin => 'f',
|
|
rolreplication => 'f', rolbypassrls => 'f', rolconnlimit => '-1',
|
|
rolpassword => '_null_', rolvaliduntil => '_null_' },
|
|
{ oid => '4544', oid_symbol => 'ROLE_PG_CHECKPOINT',
|
|
rolname => 'pg_checkpoint', rolsuper => 'f', rolinherit => 't',
|
|
rolcreaterole => 'f', rolcreatedb => 'f', rolcanlogin => 'f',
|
|
rolreplication => 'f', rolbypassrls => 'f', rolconnlimit => '-1',
|
|
rolpassword => '_null_', rolvaliduntil => '_null_' },
|
|
{ oid => '4549', oid_symbol => 'ROLE_PG_MAINTAIN',
|
|
rolname => 'pg_maintain', rolsuper => 'f', rolinherit => 't',
|
|
rolcreaterole => 'f', rolcreatedb => 'f', rolcanlogin => 'f',
|
|
rolreplication => 'f', rolbypassrls => 'f', rolconnlimit => '-1',
|
|
rolpassword => '_null_', rolvaliduntil => '_null_' },
|
|
{ oid => '4550', oid_symbol => 'ROLE_PG_USE_RESERVED_CONNECTIONS',
|
|
rolname => 'pg_use_reserved_connections', rolsuper => 'f', rolinherit => 't',
|
|
rolcreaterole => 'f', rolcreatedb => 'f', rolcanlogin => 'f',
|
|
rolreplication => 'f', rolbypassrls => 'f', rolconnlimit => '-1',
|
|
rolpassword => '_null_', rolvaliduntil => '_null_' },
|
|
{ oid => '9535', oid_symbol => 'ROLE_PG_CREATE_SUBSCRIPTION',
|
|
rolname => 'pg_create_subscription', rolsuper => 'f', rolinherit => 't',
|
|
rolcreaterole => 'f', rolcreatedb => 'f', rolcanlogin => 'f',
|
|
rolreplication => 'f', rolbypassrls => 'f', rolconnlimit => '-1',
|
|
rolpassword => '_null_', rolvaliduntil => '_null_' },
|
|
|
|
]
|