From 60caacfe7d456e6fa4763f967c92eae2f73f59f4 Mon Sep 17 00:00:00 2001 From: Yurii Rashkovskii Date: Fri, 15 Sep 2023 11:41:46 -0700 Subject: [PATCH] Improve ALTER ROLE documentation to document current behavior. Previously, this was possible (assuming current_user is a bootstrap user): ``` ALTER ROLE current_user NOSUPERUSER ``` However, as of 16.0 this is no longer allowed: ``` ERROR: permission denied to alter role DETAIL: The bootstrap user must have the SUPERUSER attribute. ``` Also, update the term across the board to use "bootstrap superuser" --- doc/src/sgml/glossary.sgml | 3 ++- doc/src/sgml/ref/alter_role.sgml | 4 +++- doc/src/sgml/user-manag.sgml | 2 +- src/backend/commands/user.c | 2 +- src/backend/po/de.po | 2 +- src/backend/po/es.po | 2 +- src/backend/po/ja.po | 2 +- src/backend/po/sv.po | 2 +- 8 files changed, 11 insertions(+), 8 deletions(-) diff --git a/doc/src/sgml/glossary.sgml b/doc/src/sgml/glossary.sgml index fe8def41d0..783c78eb1b 100644 --- a/doc/src/sgml/glossary.sgml +++ b/doc/src/sgml/glossary.sgml @@ -243,7 +243,8 @@ This user owns all system catalog tables in each database. It is also the role from which all granted permissions originate. Because of these things, this - role may not be dropped. + role may not be dropped. This role must always be a superuser, it can't be changed + to be a non-superuser. This role also behaves as a normal diff --git a/doc/src/sgml/ref/alter_role.sgml b/doc/src/sgml/ref/alter_role.sgml index ab1ee45d54..8b0d194845 100644 --- a/doc/src/sgml/ref/alter_role.sgml +++ b/doc/src/sgml/ref/alter_role.sgml 
@@ -69,7 +69,9 @@ ALTER ROLE { role_specification | A GRANT and REVOKE for that.) Attributes not mentioned in the command retain their previous settings. - Database superusers can change any of these settings for any role. + Database superusers can change any of these settings for any role, except for + changing SUPERUSER to NOSUPERUSER + for a bootstrap superuser. Non-superuser roles having CREATEROLE privilege can change most of these properties, but only for non-superuser and non-replication roles for which they have been granted diff --git a/doc/src/sgml/user-manag.sgml b/doc/src/sgml/user-manag.sgml index 27c1f3d703..30ff60b2e1 100644 --- a/doc/src/sgml/user-manag.sgml +++ b/doc/src/sgml/user-manag.sgml @@ -351,7 +351,7 @@ ALTER ROLE myname SET enable_indexscan TO off; options. Thus, the fact that privileges are not inherited by default nor is SET ROLE granted by default is a safeguard against accidents, not a security feature. Also note that, because this automatic - grant is granted by the bootstrap user, it cannot be removed or changed by + grant is granted by the bootstrap superuser, it cannot be removed or changed by the CREATEROLE user; however, any superuser could revoke it, modify it, and/or issue additional such grants to other CREATEROLE users. Whichever CREATEROLE diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index ce77a055e5..ea32cbfe96 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -868,7 +868,7 @@ AlterRole(ParseState *pstate, AlterRoleStmt *stmt) ereport(ERROR, (errcode(ERRCODE_FEATURE_NOT_SUPPORTED), errmsg("permission denied to alter role"), - errdetail("The bootstrap user must have the %s attribute.", + errdetail("The bootstrap superuser must have the %s attribute.", "SUPERUSER"))); new_record[Anum_pg_authid_rolsuper - 1] = BoolGetDatum(should_be_super); diff --git a/src/backend/po/de.po b/src/backend/po/de.po index 0a9e668c38..0c56de6a66 100644 --- a/src/backend/po/de.po 
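Review bot: Rewording the `errdetail` in `AlterRole` changes a user-visible string, and the patch carries it into the de, ja and sv catalogs by editing only the `msgid`, so the existing `msgstr` translations of the old wording (for example "Bootstrap-Benutzer" and "Bootstrap-användaren") stay attached and unmarked. Either leave the `.po` files to the project's catalog regeneration, or flag the touched entries with `#, fuzzy, c-format` so translators revisit them. The diffstat lists no test or expected-output files, so anything that matches the old DETAIL text, regression output and log-monitoring rules included, would need a matching update. Separately, the unchanged context still pairs `errmsg("permission denied to alter role")` with `errcode(ERRCODE_FEATURE_NOT_SUPPORTED)`; if audit tooling counts privilege failures by SQLSTATE, this refusal will not be counted as one, which may deserve a short comment beside the `errcode` line. `AlterRole` begins and ends outside the hunk.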
+++ b/src/backend/po/de.po @@ -12381,7 +12381,7 @@ msgstr "Nur Rollen mit der %s-Option für Rolle »%s« können Mitglieder hinzuf #: commands/user.c:871 #, c-format -msgid "The bootstrap user must have the %s attribute." +msgid "The bootstrap superuser must have the %s attribute." msgstr "Der Bootstrap-Benutzer muss das %s-Attribut haben." #: commands/user.c:1076 diff --git a/src/backend/po/es.po b/src/backend/po/es.po index e50a935033..451f7eba74 100644 --- a/src/backend/po/es.po +++ b/src/backend/po/es.po @@ -12591,7 +12591,7 @@ msgstr "" #: commands/user.c:871 #, c-format -msgid "The bootstrap user must have the %s attribute." +msgid "The bootstrap superuser must have the %s attribute." msgstr "" #: commands/user.c:1076 diff --git a/src/backend/po/ja.po b/src/backend/po/ja.po index 1ab9f7f68f..4527d027bb 100644 --- a/src/backend/po/ja.po +++ b/src/backend/po/ja.po @@ -11911,7 +11911,7 @@ msgstr "ロール\"%2$s\"に対する%1$sオプションを持つロールのみ #: commands/user.c:871 #, c-format -msgid "The bootstrap user must have the %s attribute." +msgid "The bootstrap superuser must have the %s attribute." msgstr "ブートストラップユーザーは%s属性を持つ必要があります。" #: commands/user.c:1076 diff --git a/src/backend/po/sv.po b/src/backend/po/sv.po index 0da20b6d43..29dcbcf01f 100644 --- a/src/backend/po/sv.po +++ b/src/backend/po/sv.po @@ -12402,7 +12402,7 @@ msgstr "Bara roller med flaggan %s på rollen \"%s\" får lägga till medlemmar. #: commands/user.c:871 #, c-format -msgid "The bootstrap user must have the %s attribute." +msgid "The bootstrap superuser must have the %s attribute." msgstr "Bootstrap-användaren måste ha attributet %s." #: commands/user.c:1076 -- 2.33.0