Baoding-FenShuaJiang
/
Green_GoodERP18_FSJ_Standard
Watch 1
Star 0
Wiki 捐赠
gooderp18绿色标准版
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Tree: 0f75e31513
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '0f75e31513'
${ noResults }
Green_GoodERP18_FSJ_Standard/PostgreSQL/doc/postgresql/html/role-attributes.html

87 lines
8.2KB
Raw Blame History 

  1. <?xml version="1.0" encoding="UTF-8" standalone="no"?>

  2. <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>21.2. Role Attributes</title><link rel="stylesheet" type="text/css" href="stylesheet.css" /><link rev="made" href="pgsql-docs@lists.postgresql.org" /><meta name="generator" content="DocBook XSL Stylesheets V1.79.1" /><link rel="prev" href="database-roles.html" title="21.1. Database Roles" /><link rel="next" href="role-membership.html" title="21.3. Role Membership" /></head><body><div xmlns="http://www.w3.org/TR/xhtml1/transitional" class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="5" align="center">21.2. Role Attributes</th></tr><tr><td width="10%" align="left"><a accesskey="p" href="database-roles.html" title="21.1. Database Roles">Prev</a> </td><td width="10%" align="left"><a accesskey="u" href="user-manag.html" title="Chapter 21. Database Roles">Up</a></td><th width="60%" align="center">Chapter 21. Database Roles</th><td width="10%" align="right"><a accesskey="h" href="index.html" title="PostgreSQL 12.4 Documentation">Home</a></td><td width="10%" align="right"> <a accesskey="n" href="role-membership.html" title="21.3. Role Membership">Next</a></td></tr></table><hr></hr></div><div class="sect1" id="ROLE-ATTRIBUTES"><div class="titlepage"><div><div><h2 class="title" style="clear: both">21.2. Role Attributes</h2></div></div></div><p>

  3.     A database role can have a number of attributes that define its

  4.     privileges and interact with the client authentication system.

  5. 

  6.     </p><div class="variablelist"><dl class="variablelist"><dt><span class="term">login privilege<a id="id-1.6.8.6.2.1.1.1.1" class="indexterm"></a></span></dt><dd><p>

  7.         Only roles that have the <code class="literal">LOGIN</code> attribute can be used

  8.         as the initial role name for a database connection.  A role with

  9.         the <code class="literal">LOGIN</code> attribute can be considered the same

  10.         as a <span class="quote">“<span class="quote">database user</span>”</span>.  To create a role with login privilege,

  11.         use either:

  12. </p><pre class="programlisting">

  13. CREATE ROLE <em class="replaceable"><code>name</code></em> LOGIN;

  14. CREATE USER <em class="replaceable"><code>name</code></em>;

  15. </pre><p>

  16.         (<code class="command">CREATE USER</code> is equivalent to <code class="command">CREATE ROLE</code>

  17.         except that <code class="command">CREATE USER</code> includes <code class="literal">LOGIN</code> by

  18.         default, while <code class="command">CREATE ROLE</code> does not.)

  19.        </p></dd><dt><span class="term">superuser status<a id="id-1.6.8.6.2.1.2.1.1" class="indexterm"></a></span></dt><dd><p>

  20.         A database superuser bypasses all permission checks, except the right

  21.         to log in.  This is a dangerous privilege and should not be used

  22.         carelessly; it is best to do most of your work as a role that is not a

  23.         superuser.  To create a new database superuser, use <code class="literal">CREATE

  24.         ROLE <em class="replaceable"><code>name</code></em> SUPERUSER</code>.  You must do

  25.         this as a role that is already a superuser.

  26.        </p></dd><dt><span class="term">database creation<a id="id-1.6.8.6.2.1.3.1.1" class="indexterm"></a></span></dt><dd><p>

  27.         A role must be explicitly given permission to create databases

  28.         (except for superusers, since those bypass all permission

  29.         checks). To create such a role, use <code class="literal">CREATE ROLE

  30.         <em class="replaceable"><code>name</code></em> CREATEDB</code>.

  31.        </p></dd><dt><span class="term">role creation<a id="id-1.6.8.6.2.1.4.1.1" class="indexterm"></a></span></dt><dd><p>

  32.         A role must be explicitly given permission to create more roles

  33.         (except for superusers, since those bypass all permission

  34.         checks). To create such a role, use <code class="literal">CREATE ROLE

  35.         <em class="replaceable"><code>name</code></em> CREATEROLE</code>.

  36.         A role with <code class="literal">CREATEROLE</code> privilege can alter and drop

  37.         other roles, too, as well as grant or revoke membership in them.

  38.         However, to create, alter, drop, or change membership of a

  39.         superuser role, superuser status is required;

  40.         <code class="literal">CREATEROLE</code> is insufficient for that.

  41.        </p></dd><dt><span class="term">initiating replication<a id="id-1.6.8.6.2.1.5.1.1" class="indexterm"></a></span></dt><dd><p>

  42.         A role must explicitly be given permission to initiate streaming

  43.         replication (except for superusers, since those bypass all permission

  44.         checks). A role used for streaming replication must

  45.         have <code class="literal">LOGIN</code> permission as well. To create such a role, use

  46.         <code class="literal">CREATE ROLE <em class="replaceable"><code>name</code></em> REPLICATION

  47.         LOGIN</code>.

  48.        </p></dd><dt><span class="term">password<a id="id-1.6.8.6.2.1.6.1.1" class="indexterm"></a></span></dt><dd><p>

  49.         A password is only significant if the client authentication

  50.         method requires the user to supply a password when connecting

  51.         to the database. The <code class="option">password</code> and

  52.         <code class="option">md5</code> authentication methods

  53.         make use of passwords. Database passwords are separate from

  54.         operating system passwords. Specify a password upon role

  55.         creation with <code class="literal">CREATE ROLE

  56.         <em class="replaceable"><code>name</code></em> PASSWORD '<em class="replaceable"><code>string</code></em>'</code>.

  57.        </p></dd></dl></div><p>

  58. 

  59.     A role's attributes can be modified after creation with

  60.     <code class="command">ALTER ROLE</code>.<a id="id-1.6.8.6.2.3" class="indexterm"></a>

  61.     See the reference pages for the <a class="xref" href="sql-createrole.html" title="CREATE ROLE"><span class="refentrytitle">CREATE ROLE</span></a>

  62.     and <a class="xref" href="sql-alterrole.html" title="ALTER ROLE"><span class="refentrytitle">ALTER ROLE</span></a> commands for details.

  63.    </p><div class="tip"><h3 class="title">Tip</h3><p>

  64.     It is good practice to create a role that has the <code class="literal">CREATEDB</code>

  65.     and <code class="literal">CREATEROLE</code> privileges, but is not a superuser, and then

  66.     use this role for all routine management of databases and roles.  This

  67.     approach avoids the dangers of operating as a superuser for tasks that

  68.     do not really require it.

  69.    </p></div><p>

  70.    A role can also have role-specific defaults for many of the run-time

  71.    configuration settings described in <a class="xref" href="runtime-config.html" title="Chapter 19. Server Configuration">Chapter 19</a>.  For example, if for some reason you

  72.    want to disable index scans (hint: not a good idea) anytime you

  73.    connect, you can use:

  74. </p><pre class="programlisting">

  75. ALTER ROLE myname SET enable_indexscan TO off;

  76. </pre><p>

  77.    This will save the setting (but not set it immediately).  In

  78.    subsequent connections by this role it will appear as though

  79.    <code class="literal">SET enable_indexscan TO off</code> had been executed

  80.    just before the session started.

  81.    You can still alter this setting during the session; it will only

  82.    be the default. To remove a role-specific default setting, use

  83.    <code class="literal">ALTER ROLE <em class="replaceable"><code>rolename</code></em> RESET <em class="replaceable"><code>varname</code></em></code>.

  84.    Note that role-specific defaults attached to roles without

  85.    <code class="literal">LOGIN</code> privilege are fairly useless, since they will never

  86.    be invoked.

  87.   </p></div><div class="navfooter"><hr /><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="database-roles.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="user-manag.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="role-membership.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">21.1. Database Roles </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> 21.3. Role Membership</td></tr></table></div></body></html>
上海开阖软件有限公司 沪ICP备12045867号-1