Baoding-FenShuaJiang
/
Green_GoodERP18_FSJ_Standard
Vērot 1
Pievienot zvaigznīti 0
Vikivietne 捐赠
gooderp18绿色标准版
Nevar pievienot vairāk kā 25 tēmas Tēmai ir jāsākas ar burtu vai ciparu, tā var saturēt domu zīmes ('-') un var būt līdz 35 simboliem gara.
Koks: 0f75e31513
Atzari Tagi
${ item.name }
Izveidot atzaru ${ searchTerm }
no '0f75e31513'
${ noResults }
Green_GoodERP18_FSJ_Standard/PostgreSQL/doc/postgresql/html/sql-createrole.html

264 rindas
22KB
Neapstrādāts Vainot Vēsture 

  1. <?xml version="1.0" encoding="UTF-8" standalone="no"?>

  2. <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>CREATE ROLE</title><link rel="stylesheet" type="text/css" href="stylesheet.css" /><link rev="made" href="pgsql-docs@lists.postgresql.org" /><meta name="generator" content="DocBook XSL Stylesheets V1.79.1" /><link rel="prev" href="sql-createpublication.html" title="CREATE PUBLICATION" /><link rel="next" href="sql-createrule.html" title="CREATE RULE" /></head><body><div xmlns="http://www.w3.org/TR/xhtml1/transitional" class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="5" align="center">CREATE ROLE</th></tr><tr><td width="10%" align="left"><a accesskey="p" href="sql-createpublication.html" title="CREATE PUBLICATION">Prev</a> </td><td width="10%" align="left"><a accesskey="u" href="sql-commands.html" title="SQL Commands">Up</a></td><th width="60%" align="center">SQL Commands</th><td width="10%" align="right"><a accesskey="h" href="index.html" title="PostgreSQL 12.4 Documentation">Home</a></td><td width="10%" align="right"> <a accesskey="n" href="sql-createrule.html" title="CREATE RULE">Next</a></td></tr></table><hr></hr></div><div class="refentry" id="SQL-CREATEROLE"><div class="titlepage"></div><a id="id-1.9.3.78.1" class="indexterm"></a><div class="refnamediv"><h2><span class="refentrytitle">CREATE ROLE</span></h2><p>CREATE ROLE — define a new database role</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><pre class="synopsis">

  3. CREATE ROLE <em class="replaceable"><code>name</code></em> [ [ WITH ] <em class="replaceable"><code>option</code></em> [ ... ] ]

  4. 

  5. <span class="phrase">where <em class="replaceable"><code>option</code></em> can be:</span>

  6. 

  7.       SUPERUSER | NOSUPERUSER

  8.     | CREATEDB | NOCREATEDB

  9.     | CREATEROLE | NOCREATEROLE

  10.     | INHERIT | NOINHERIT

  11.     | LOGIN | NOLOGIN

  12.     | REPLICATION | NOREPLICATION

  13.     | BYPASSRLS | NOBYPASSRLS

  14.     | CONNECTION LIMIT <em class="replaceable"><code>connlimit</code></em>

  15.     | [ ENCRYPTED ] PASSWORD '<em class="replaceable"><code>password</code></em>' | PASSWORD NULL

  16.     | VALID UNTIL '<em class="replaceable"><code>timestamp</code></em>'

  17.     | IN ROLE <em class="replaceable"><code>role_name</code></em> [, ...]

  18.     | IN GROUP <em class="replaceable"><code>role_name</code></em> [, ...]

  19.     | ROLE <em class="replaceable"><code>role_name</code></em> [, ...]

  20.     | ADMIN <em class="replaceable"><code>role_name</code></em> [, ...]

  21.     | USER <em class="replaceable"><code>role_name</code></em> [, ...]

  22.     | SYSID <em class="replaceable"><code>uid</code></em>

  23. </pre></div><div class="refsect1" id="id-1.9.3.78.5"><h2>Description</h2><p>

  24.    <code class="command">CREATE ROLE</code> adds a new role to a

  25.    <span class="productname">PostgreSQL</span> database cluster.  A role is

  26.    an entity that can own database objects and have database privileges;

  27.    a role can be considered a <span class="quote">“<span class="quote">user</span>”</span>, a <span class="quote">“<span class="quote">group</span>”</span>, or both

  28.    depending on how it is used.  Refer to

  29.    <a class="xref" href="user-manag.html" title="Chapter 21. Database Roles">Chapter 21</a> and <a class="xref" href="client-authentication.html" title="Chapter 20. Client Authentication">Chapter 20</a> for information about managing

  30.    users and authentication.  You must have <code class="literal">CREATEROLE</code>

  31.    privilege or be a database superuser to use this command.

  32.   </p><p>

  33.    Note that roles are defined at the database cluster

  34.    level, and so are valid in all databases in the cluster.

  35.   </p></div><div class="refsect1" id="id-1.9.3.78.6"><h2>Parameters</h2><div class="variablelist"><dl class="variablelist"><dt><span class="term"><em class="replaceable"><code>name</code></em></span></dt><dd><p>

  36.         The name of the new role.

  37.        </p></dd><dt><span class="term"><code class="literal">SUPERUSER</code><br /></span><span class="term"><code class="literal">NOSUPERUSER</code></span></dt><dd><p>

  38.         These clauses determine whether the new role is a <span class="quote">“<span class="quote">superuser</span>”</span>,

  39.         who can override all access restrictions within the database.

  40.         Superuser status is dangerous and should be used only when really

  41.         needed.  You must yourself be a superuser to create a new superuser.

  42.         If not specified,

  43.         <code class="literal">NOSUPERUSER</code> is the default.

  44.        </p></dd><dt><span class="term"><code class="literal">CREATEDB</code><br /></span><span class="term"><code class="literal">NOCREATEDB</code></span></dt><dd><p>

  45.         These clauses define a role's ability to create databases.  If

  46.         <code class="literal">CREATEDB</code> is specified, the role being

  47.         defined will be allowed to create new databases. Specifying

  48.         <code class="literal">NOCREATEDB</code> will deny a role the ability to

  49.         create databases. If not specified,

  50.         <code class="literal">NOCREATEDB</code> is the default.

  51.        </p></dd><dt><span class="term"><code class="literal">CREATEROLE</code><br /></span><span class="term"><code class="literal">NOCREATEROLE</code></span></dt><dd><p>

  52.         These clauses determine whether a role will be permitted to

  53.         create new roles (that is, execute <code class="command">CREATE ROLE</code>).

  54.         A role with <code class="literal">CREATEROLE</code> privilege can also alter

  55.         and drop other roles.

  56.         If not specified,

  57.         <code class="literal">NOCREATEROLE</code> is the default.

  58.        </p></dd><dt><span class="term"><code class="literal">INHERIT</code><br /></span><span class="term"><code class="literal">NOINHERIT</code></span></dt><dd><p>

  59.         These clauses determine whether a role <span class="quote">“<span class="quote">inherits</span>”</span> the

  60.         privileges of roles it is a member of.

  61.         A role with the <code class="literal">INHERIT</code> attribute can automatically

  62.         use whatever database privileges have been granted to all roles

  63.         it is directly or indirectly a member of.

  64.         Without <code class="literal">INHERIT</code>, membership in another role

  65.         only grants the ability to <code class="command">SET ROLE</code> to that other role;

  66.         the privileges of the other role are only available after having

  67.         done so.

  68.         If not specified,

  69.         <code class="literal">INHERIT</code> is the default.

  70.        </p></dd><dt><span class="term"><code class="literal">LOGIN</code><br /></span><span class="term"><code class="literal">NOLOGIN</code></span></dt><dd><p>

  71.         These clauses determine whether a role is allowed to log in;

  72.         that is, whether the role can be given as the initial session

  73.         authorization name during client connection.  A role having

  74.         the <code class="literal">LOGIN</code> attribute can be thought of as a user.

  75.         Roles without this attribute are useful for managing database

  76.         privileges, but are not users in the usual sense of the word.

  77.         If not specified,

  78.         <code class="literal">NOLOGIN</code> is the default, except when

  79.         <code class="command">CREATE ROLE</code> is invoked through its alternative spelling

  80.         <a class="xref" href="sql-createuser.html" title="CREATE USER"><span class="refentrytitle">CREATE USER</span></a>.

  81.        </p></dd><dt><span class="term"><code class="literal">REPLICATION</code><br /></span><span class="term"><code class="literal">NOREPLICATION</code></span></dt><dd><p>

  82.         These clauses determine whether a role is a replication role.  A role

  83.         must have this attribute (or be a superuser) in order to be able to

  84.         connect to the server in replication mode (physical or logical

  85.         replication) and in order to be able to create or drop replication

  86.         slots.

  87.         A role having the <code class="literal">REPLICATION</code> attribute is a very

  88.         highly privileged role, and should only be used on roles actually

  89.         used for replication. If not specified,

  90.         <code class="literal">NOREPLICATION</code> is the default.

  91.        </p></dd><dt><span class="term"><code class="literal">BYPASSRLS</code><br /></span><span class="term"><code class="literal">NOBYPASSRLS</code></span></dt><dd><p>

  92.         These clauses determine whether a role bypasses every row-level

  93.         security (RLS) policy.  <code class="literal">NOBYPASSRLS</code> is the default.

  94.         Note that pg_dump will set <code class="literal">row_security</code> to

  95.         <code class="literal">OFF</code> by default, to ensure all contents of a table are

  96.         dumped out.  If the user running pg_dump does not have appropriate

  97.         permissions, an error will be returned.  The superuser and owner of the

  98.         table being dumped always bypass RLS.

  99.        </p></dd><dt><span class="term"><code class="literal">CONNECTION LIMIT</code> <em class="replaceable"><code>connlimit</code></em></span></dt><dd><p>

  100.         If role can log in, this specifies how many concurrent connections

  101.         the role can make.  -1 (the default) means no limit. Note that only

  102.         normal connections are counted towards this limit. Neither prepared

  103.         transactions nor background worker connections are counted towards

  104.         this limit.

  105.        </p></dd><dt><span class="term">[ <code class="literal">ENCRYPTED</code> ] <code class="literal">PASSWORD</code> '<em class="replaceable"><code>password</code></em>'<br /></span><span class="term"><code class="literal">PASSWORD NULL</code></span></dt><dd><p>

  106.         Sets the role's password.  (A password is only of use for

  107.         roles having the <code class="literal">LOGIN</code> attribute, but you

  108.         can nonetheless define one for roles without it.)  If you do

  109.         not plan to use password authentication you can omit this

  110.         option.  If no password is specified, the password will be set

  111.         to null and password authentication will always fail for that

  112.         user.  A null password can optionally be written explicitly as

  113.         <code class="literal">PASSWORD NULL</code>.

  114.        </p><div class="note"><h3 class="title">Note</h3><p>

  115.            Specifying an empty string will also set the password to null,

  116.            but that was not the case before <span class="productname">PostgreSQL</span>

  117.            version 10. In earlier versions, an empty string could be used,

  118.            or not, depending on the authentication method and the exact

  119.            version, and libpq would refuse to use it in any case.

  120.            To avoid the ambiguity, specifying an empty string should be

  121.            avoided.

  122.          </p></div><p>

  123.         The password is always stored encrypted in the system catalogs. The

  124.         <code class="literal">ENCRYPTED</code> keyword has no effect, but is accepted for

  125.         backwards compatibility. The method of encryption is determined

  126.         by the configuration parameter <a class="xref" href="runtime-config-connection.html#GUC-PASSWORD-ENCRYPTION">password_encryption</a>.

  127.         If the presented password string is already in MD5-encrypted or

  128.         SCRAM-encrypted format, then it is stored as-is regardless of

  129.         <code class="varname">password_encryption</code> (since the system cannot decrypt

  130.         the specified encrypted password string, to encrypt it in a

  131.         different format).  This allows reloading of encrypted passwords

  132.         during dump/restore.

  133.        </p></dd><dt><span class="term"><code class="literal">VALID UNTIL</code> '<em class="replaceable"><code>timestamp</code></em>'</span></dt><dd><p>

  134.         The <code class="literal">VALID UNTIL</code> clause sets a date and

  135.         time after which the role's password is no longer valid.  If

  136.         this clause is omitted the password will be valid for all time.

  137.        </p></dd><dt><span class="term"><code class="literal">IN ROLE</code> <em class="replaceable"><code>role_name</code></em></span></dt><dd><p>

  138.         The <code class="literal">IN ROLE</code> clause lists one or more existing

  139.         roles to which the new role will be immediately added as a new

  140.         member.  (Note that there is no option to add the new role as an

  141.         administrator; use a separate <code class="command">GRANT</code> command to do that.)

  142.        </p></dd><dt><span class="term"><code class="literal">IN GROUP</code> <em class="replaceable"><code>role_name</code></em></span></dt><dd><p><code class="literal">IN GROUP</code> is an obsolete spelling of

  143.         <code class="literal">IN ROLE</code>.

  144.        </p></dd><dt><span class="term"><code class="literal">ROLE</code> <em class="replaceable"><code>role_name</code></em></span></dt><dd><p>

  145.         The <code class="literal">ROLE</code> clause lists one or more existing

  146.         roles which are automatically added as members of the new role.

  147.         (This in effect makes the new role a <span class="quote">“<span class="quote">group</span>”</span>.)

  148.        </p></dd><dt><span class="term"><code class="literal">ADMIN</code> <em class="replaceable"><code>role_name</code></em></span></dt><dd><p>

  149.         The <code class="literal">ADMIN</code> clause is like <code class="literal">ROLE</code>,

  150.         but the named roles are added to the new role <code class="literal">WITH ADMIN

  151.         OPTION</code>, giving them the right to grant membership in this role

  152.         to others.

  153.        </p></dd><dt><span class="term"><code class="literal">USER</code> <em class="replaceable"><code>role_name</code></em></span></dt><dd><p>

  154.         The <code class="literal">USER</code> clause is an obsolete spelling of

  155.         the <code class="literal">ROLE</code> clause.

  156.        </p></dd><dt><span class="term"><code class="literal">SYSID</code> <em class="replaceable"><code>uid</code></em></span></dt><dd><p>

  157.         The <code class="literal">SYSID</code> clause is ignored, but is accepted

  158.         for backwards compatibility.

  159.        </p></dd></dl></div></div><div class="refsect1" id="id-1.9.3.78.7"><h2>Notes</h2><p>

  160.    Use <a class="xref" href="sql-alterrole.html" title="ALTER ROLE"><span class="refentrytitle">ALTER ROLE</span></a> to

  161.    change the attributes of a role, and <a class="xref" href="sql-droprole.html" title="DROP ROLE"><span class="refentrytitle">DROP ROLE</span></a>

  162.    to remove a role.  All the attributes

  163.    specified by <code class="command">CREATE ROLE</code> can be modified by later

  164.    <code class="command">ALTER ROLE</code> commands.

  165.   </p><p>

  166.    The preferred way to add and remove members of roles that are being

  167.    used as groups is to use

  168.    <a class="xref" href="sql-grant.html" title="GRANT"><span class="refentrytitle">GRANT</span></a> and

  169.    <a class="xref" href="sql-revoke.html" title="REVOKE"><span class="refentrytitle">REVOKE</span></a>.

  170.   </p><p>

  171.    The <code class="literal">VALID UNTIL</code> clause defines an expiration time for a

  172.    password only, not for the role <span class="foreignphrase"><em class="foreignphrase">per se</em></span>.  In

  173.    particular, the expiration time is not enforced when logging in using

  174.    a non-password-based authentication method.

  175.   </p><p>

  176.    The <code class="literal">INHERIT</code> attribute governs inheritance of grantable

  177.    privileges (that is, access privileges for database objects and role

  178.    memberships).  It does not apply to the special role attributes set by

  179.    <code class="command">CREATE ROLE</code> and <code class="command">ALTER ROLE</code>.  For example, being

  180.    a member of a role with <code class="literal">CREATEDB</code> privilege does not immediately

  181.    grant the ability to create databases, even if <code class="literal">INHERIT</code> is set;

  182.    it would be necessary to become that role via

  183.    <a class="xref" href="sql-set-role.html" title="SET ROLE"><span class="refentrytitle">SET ROLE</span></a> before

  184.    creating a database.

  185.   </p><p>

  186.    The <code class="literal">INHERIT</code> attribute is the default for reasons of backwards

  187.    compatibility: in prior releases of <span class="productname">PostgreSQL</span>,

  188.    users always had access to all privileges of groups they were members of.

  189.    However, <code class="literal">NOINHERIT</code> provides a closer match to the semantics

  190.    specified in the SQL standard.

  191.   </p><p>

  192.    Be careful with the <code class="literal">CREATEROLE</code> privilege. There is no concept of

  193.    inheritance for the privileges of a <code class="literal">CREATEROLE</code>-role. That

  194.    means that even if a role does not have a certain privilege but is allowed

  195.    to create other roles, it can easily create another role with different

  196.    privileges than its own (except for creating roles with superuser

  197.    privileges). For example, if the role <span class="quote">“<span class="quote">user</span>”</span> has the

  198.    <code class="literal">CREATEROLE</code> privilege but not the <code class="literal">CREATEDB</code> privilege,

  199.    nonetheless it can create a new role with the <code class="literal">CREATEDB</code>

  200.    privilege. Therefore, regard roles that have the <code class="literal">CREATEROLE</code>

  201.    privilege as almost-superuser-roles.

  202.   </p><p>

  203.    <span class="productname">PostgreSQL</span> includes a program <a class="xref" href="app-createuser.html" title="createuser"><span class="refentrytitle"><span class="application">createuser</span></span></a> that has

  204.    the same functionality as <code class="command">CREATE ROLE</code> (in fact,

  205.    it calls this command) but can be run from the command shell.

  206.   </p><p>

  207.    The <code class="literal">CONNECTION LIMIT</code> option is only enforced approximately;

  208.    if two new sessions start at about the same time when just one

  209.    connection <span class="quote">“<span class="quote">slot</span>”</span> remains for the role, it is possible that

  210.    both will fail.  Also, the limit is never enforced for superusers.

  211.   </p><p>

  212.    Caution must be exercised when specifying an unencrypted password

  213.    with this command.  The password will be transmitted to the server

  214.    in cleartext, and it might also be logged in the client's command

  215.    history or the server log.  The command <a class="xref" href="app-createuser.html" title="createuser"><span class="refentrytitle"><span class="application">createuser</span></span></a>, however, transmits

  216.    the password encrypted.  Also, <a class="xref" href="app-psql.html" title="psql"><span class="refentrytitle"><span class="application">psql</span></span></a>

  217.    contains a command

  218.    <code class="command">\password</code> that can be used to safely change the

  219.    password later.

  220.   </p></div><div class="refsect1" id="id-1.9.3.78.8"><h2>Examples</h2><p>

  221.    Create a role that can log in, but don't give it a password:

  222. </p><pre class="programlisting">

  223. CREATE ROLE jonathan LOGIN;

  224. </pre><p>

  225.   </p><p>

  226.    Create a role with a password:

  227. </p><pre class="programlisting">

  228. CREATE USER davide WITH PASSWORD 'jw8s0F4';

  229. </pre><p>

  230.    (<code class="command">CREATE USER</code> is the same as <code class="command">CREATE ROLE</code> except

  231.    that it implies <code class="literal">LOGIN</code>.)

  232.   </p><p>

  233.    Create a role with a password that is valid until the end of 2004.

  234.    After one second has ticked in 2005, the password is no longer

  235.    valid.

  236. 

  237. </p><pre class="programlisting">

  238. CREATE ROLE miriam WITH LOGIN PASSWORD 'jw8s0F4' VALID UNTIL '2005-01-01';

  239. </pre><p>

  240.   </p><p>

  241.    Create a role that can create databases and manage roles:

  242. </p><pre class="programlisting">

  243. CREATE ROLE admin WITH CREATEDB CREATEROLE;

  244. </pre></div><div class="refsect1" id="id-1.9.3.78.9"><h2>Compatibility</h2><p>

  245.    The <code class="command">CREATE ROLE</code> statement is in the SQL standard,

  246.    but the standard only requires the syntax

  247. </p><pre class="synopsis">

  248. CREATE ROLE <em class="replaceable"><code>name</code></em> [ WITH ADMIN <em class="replaceable"><code>role_name</code></em> ]

  249. </pre><p>

  250.    Multiple initial administrators, and all the other options of

  251.    <code class="command">CREATE ROLE</code>, are

  252.    <span class="productname">PostgreSQL</span> extensions.

  253.   </p><p>

  254.    The SQL standard defines the concepts of users and roles, but it

  255.    regards them as distinct concepts and leaves all commands defining

  256.    users to be specified by each database implementation.  In

  257.    <span class="productname">PostgreSQL</span> we have chosen to unify

  258.    users and roles into a single kind of entity.  Roles therefore

  259.    have many more optional attributes than they do in the standard.

  260.   </p><p>

  261.    The behavior specified by the SQL standard is most closely approximated

  262.    by giving users the <code class="literal">NOINHERIT</code> attribute, while roles are

  263.    given the <code class="literal">INHERIT</code> attribute.

  264.   </p></div><div class="refsect1" id="id-1.9.3.78.10"><h2>See Also</h2><span class="simplelist"><a class="xref" href="sql-set-role.html" title="SET ROLE"><span class="refentrytitle">SET ROLE</span></a>, <a class="xref" href="sql-alterrole.html" title="ALTER ROLE"><span class="refentrytitle">ALTER ROLE</span></a>, <a class="xref" href="sql-droprole.html" title="DROP ROLE"><span class="refentrytitle">DROP ROLE</span></a>, <a class="xref" href="sql-grant.html" title="GRANT"><span class="refentrytitle">GRANT</span></a>, <a class="xref" href="sql-revoke.html" title="REVOKE"><span class="refentrytitle">REVOKE</span></a>, <a class="xref" href="app-createuser.html" title="createuser"><span class="refentrytitle"><span class="application">createuser</span></span></a></span></div></div><div class="navfooter"><hr /><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="sql-createpublication.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="sql-commands.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="sql-createrule.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">CREATE PUBLICATION </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> CREATE RULE</td></tr></table></div></body></html>
上海开阖软件有限公司 沪ICP备12045867号-1