Roles
What Are Roles in PostgreSQL?
A role
in Postgres is one of the Postgres identifiers and a concept dedicated to group and manage database object privileges. Alternatively, it can be stated that role is used to denote:
-
a user,
-
a group of users, or
-
a container for privileges to be used or inherited by other roles.
Roles and role names (like some other objects) are global across a database cluster.
Postgres diverges from the SQL standard when it comes to roles. In the SQL standard the concept of a user is distinct from the concept of a role.
Predefined Role
An initialized Postgres installation always comes with a one predefined role with a superuser
attribute. Most probably the name of the role will be the same as the operating initializing system user. This role can be used to connect to a database cluster with a psql -U [role name]
command and create additional roles.
Database Connection
A connection to a database is always associated with a role and is governed by the scope of privileges of that role.
Many Postgres command line commands, including psql
, when no role is expressly indicated use the name of the current operating system user. This works similarly for the default database name. Therefore, when the current operating system user is johndoe
simply entering psql
on the command line will try to establish a connection to the database johndoe
using the role johndoe
. If no such role or database exist a fatal error is thrown.
$ psql
To expressly indicate the role to be used when establishing the connection use -U
option.
$ psql -U otherjohndoe
To expressly indicate the database to which the connection should be established use -d
option.
$ psql -d otherdatabase
-U
and -d
options can be combined.
$ psql -U otherjohndoe -d otherdatabase
The above command line command will try to establish a connection using the role otherjohndoe
to the database otherdatabase
.
Once connected it is possible to change the current's connection role using the SET ROLE
command.
SET ROLE role_name;
Listing Roles
To list roles existing in the current Postgres database cluster use \du
meta-command:
\du
The \du
returns the list of all database cluster roles with indication of their names, attributes and memberships.
Creating & Dropping Roles
To create a role use CREATE ROLE
command.
CREATE ROLE admin;
To drop a role use DROP ROLE
command.
DROP ROLE admin;
A role cannot be dropped when there are database objects owned by it. To reassign or drop database objects globally within a given database use REASSIGN OWNED
or DROP OWNED
respectively.
Role Attributes
Each role can have different attributes - granted to it at its creation or later - defining the scope of privileges the role has and/or its login behavior. The attributes include among others:
-
superuser - roles with
SUPERUSER
attribute ignore all permission checks, -
login - only roles with
LOGIN
attribute can establish initial connections, -
password - only roles with
PASSWORD
attribute require passwords for establishing connections, -
database creation - only roles with
CREATEDB
attribute can create/drop databases, -
role creation - only roles with
CREATEROLE
attribute can create/drop roles and grant/revoke role memberships.
To create a superuser role use the following command:
CREATE ROLE admin SUPERUSER;
To create a role with login and password attributes that can create databases and roles use the following command:
CREATE ROLE admin LOGIN PASSWORD 'foobar' CREATEDB CREATEROLE;
To alter an existing role use ALTER ROLE
command. For example, to a take database creation privilege from a role use the command NOCREATEDB
.
ALTER ROLE admin NOCREATEDB;
Ownership & Privileges
A role that creates an object becomes its owner.
CREATE DATABASE bike_shop;
An ownership can be transferred to another role.
ALTER DATABASE bike_shop OWNER TO jimmy;
Only a role owning an object can take effective actions on it unless it inherits respective privileges.
There are many kind of privileges. Among them are:
-
INSERT
, -
SELECT
, -
UPDATE
, -
DELETE
, and -
CONNECT
.
To grant privileges on a database object use GRANT ... ON ... TO
command.
GRANT INSERT ON users TO jimmy;
GRANT ALL ON users TO jimmy;
To revoke privileges use REVOKE ... ON ... FROM
command.
Memberships
Each role can be granted a membership in another role which allows it to use privileges of that another role.
Some roles can be created with the purpose of grouping privileges. Such roles can sometimes be referred to as group roles. Being granted a membership in a group role allows for sharing its privileges.
A role can use privileges of the role to which it is a member in two ways:
-
it can set (using the
SET ROLE
command) the current's connection role to the role to which it is a member and use the privileges directly, or -
use the privileges itself provided it has the
INHERIT
attribute.
Member roles can be set to INHERIT
or NOINHERIT
. Default in Postgres is INHERIT
.
SUPERUSER
, LOGIN
, CREATEDB
and CREATEROLE
attributes are not inherited.
To grant a membership in a given role use GRANT [group role] TO [role];
.
GRANT admins TO joe;
To revoke use REVOKE [group role] FROM [role];
.
REVOKE admins FROM joe;
To restore an initial connection role use SET ROLE
or RESET ROLE
.
SET ROLE NONE;
RESET ROLE;
All roles are members of the PUBLIC
role. Therefore granting privileges to PUBLIC
means granting them to all roles.