Users and Permission Operations

Last updated: 2024-01-24 11:16:51

    TencentDB Default Role

    TencentDB for PostgreSQL does not expose the SUPERUSER role attribute, nor the pg_execute_server_program, pg_read_server_files, and pg_write_server_files roles. Because some operations still require superuser-level privileges, TencentDB for PostgreSQL provides the pg_tencentdb_superuser role as a replacement for superuser.

    pg_tencentdb_superuser Role

    This role carries the system (role attribute) privileges and the database object privileges listed in the following tables.

    System permissions

    Permission    Description
    CREATEDB      Can create databases.
    BYPASSRLS     Bypasses all row-level security policy checks.
    REPLICATION   Holds the REPLICATION privilege by default and may grant REPLICATION to other roles.
    CREATEROLE    Same CREATEROLE privilege as community PostgreSQL, except that it cannot create or grant the pg_read_server_files, pg_write_server_files, and pg_execute_server_program roles.

    Object permissions

    Object                 Description
    database               By default, holds privileges on all databases not owned by a superuser.
    schema                 By default, holds privileges on all schemas not owned by a superuser.
    table/sequence         By default, holds privileges on all tables and sequences not owned by a superuser.
    function               By default, holds privileges on all functions not owned by a superuser.
    language               No privileges.
    tablespace             No privileges.
    FDW/foreign server     By default, holds privileges on all foreign-data wrappers and foreign servers not owned by a superuser.
    TYPE                   By default, holds privileges on all types not owned by a superuser.

    Other operations

    Pub/Sub: pg_tencentdb_superuser can use logical publish/subscribe, create a publication for all tables, and create replication slots.
    Extensions: pg_tencentdb_superuser can create all supported extensions. While an extension is being created, pg_tencentdb_superuser is temporarily escalated to superuser and passes all permission checks. The load_file permission only allows loading the supported extension libraries.
    Deadlocks: pg_tencentdb_superuser can call the pgstat_get_backend_current_activity function to view deadlock details, so you can troubleshoot deadlocks yourself.
    Signals: use of pg_signal_backend is restricted; backend processes running as pg_tencentdb_superuser can be terminated only by pg_tencentdb_superuser itself.
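    Added example, not code from the Tencent Cloud page: the catalog queries a practitioner would run to confirm what the connecting account actually holds on a TencentDB for PostgreSQL instance. The role name pg_tencentdb_superuser and the three server-file roles come from this page; the queries themselves are standard PostgreSQL catalog access. The main thing to look for is who inherits BYPASSRLS through pg_tencentdb_superuser, because any such account silently skips every row-level security policy.

```sql
-- Added example (not from the Tencent Cloud page): inspect what the account you
-- connect with really holds. Run as the instance admin account.
-- pg_tencentdb_superuser and the server-file role names are from the page;
-- pg_roles / pg_auth_members / pg_has_role are standard PostgreSQL.

-- 1. Role attributes of the connecting account and of pg_tencentdb_superuser.
--    rolsuper is expected to be false (the SUPERUSER attribute is not exposed);
--    the other attributes are inherited by every member of pg_tencentdb_superuser.
SELECT r.rolname,
       r.rolsuper,
       r.rolcreaterole,
       r.rolcreatedb,
       r.rolreplication,
       r.rolbypassrls,    -- when true, row-level security policies are not enforced
       r.rolinherit,
       pg_has_role(r.rolname, 'pg_tencentdb_superuser', 'member') AS member_of_tencentdb_superuser
FROM pg_roles AS r
WHERE r.rolname IN (current_user, 'pg_tencentdb_superuser');

-- 2. Every role that is a member of pg_tencentdb_superuser. An application
--    account listed here inherits BYPASSRLS and CREATEROLE: it can read rows that
--    RLS policies are meant to hide and can create further roles.
SELECT m.rolname AS member, m.rolcanlogin, am.admin_option
FROM pg_auth_members AS am
JOIN pg_roles AS g ON g.oid = am.roleid
JOIN pg_roles AS m ON m.oid = am.member
WHERE g.rolname = 'pg_tencentdb_superuser'
ORDER BY m.rolname;

-- 3. The server-side file roles are not opened for use, so none of them should
--    have any members.
SELECT g.rolname, count(am.member) AS members
FROM pg_roles AS g
LEFT JOIN pg_auth_members AS am ON am.roleid = g.oid
WHERE g.rolname IN ('pg_read_server_files',
                    'pg_write_server_files',
                    'pg_execute_server_program')
GROUP BY g.rolname;

-- 4. Escalating to a real superuser is expected to fail: in PostgreSQL only a
--    superuser can set the SUPERUSER attribute, and the admin account is not one.
ALTER ROLE CURRENT_USER SUPERUSER;
```

    Run it with psql against any database on the instance; step 4 raises an error by design, so keep it last or run it separately. If step 2 lists a service account, re-create that account as a plain role with the privileges it needs instead of leaving it a member of pg_tencentdb_superuser.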

    Permission Operations

    The statements below use the community PostgreSQL syntax; for details, see the PostgreSQL documentation for CREATE USER, CREATE ROLE, ALTER ROLE, GRANT, and REVOKE. Note that the SUPERUSER attribute cannot be set on TencentDB for PostgreSQL (see TencentDB Default Role above).
    CREATE USER name [ [ WITH ] option [ ... ] ]
    
    where option can be:
    
    SUPERUSER | NOSUPERUSER
    | CREATEDB | NOCREATEDB
    | CREATEROLE | NOCREATEROLE
    | INHERIT | NOINHERIT
    | LOGIN | NOLOGIN
    | REPLICATION | NOREPLICATION
    | BYPASSRLS | NOBYPASSRLS
    | CONNECTION LIMIT connlimit
    | [ ENCRYPTED ] PASSWORD 'password' | PASSWORD NULL
    | VALID UNTIL 'timestamp'
    | IN ROLE role_name [, ...]
    | IN GROUP role_name [, ...]
    | ROLE role_name [, ...]
    | ADMIN role_name [, ...]
    | USER role_name [, ...]
    | SYSID uid
    CREATE ROLE name [ [ WITH ] option [ ... ] ]
    
    where option can be:
    
    SUPERUSER | NOSUPERUSER
    | CREATEDB | NOCREATEDB
    | CREATEROLE | NOCREATEROLE
    | INHERIT | NOINHERIT
    | LOGIN | NOLOGIN
    | REPLICATION | NOREPLICATION
    | BYPASSRLS | NOBYPASSRLS
    | CONNECTION LIMIT connlimit
    | [ ENCRYPTED ] PASSWORD 'password' | PASSWORD NULL
    | VALID UNTIL 'timestamp'
    | IN ROLE role_name [, ...]
    | IN GROUP role_name [, ...]
    | ROLE role_name [, ...]
    | ADMIN role_name [, ...]
    | USER role_name [, ...]
    | SYSID uid
    ALTER ROLE role_specification [ WITH ] option [ ... ]
    
    where option can be:
    
    SUPERUSER | NOSUPERUSER
    | CREATEDB | NOCREATEDB
    | CREATEROLE | NOCREATEROLE
    | INHERIT | NOINHERIT
    | LOGIN | NOLOGIN
    | REPLICATION | NOREPLICATION
    | BYPASSRLS | NOBYPASSRLS
    | CONNECTION LIMIT connlimit
    | [ ENCRYPTED ] PASSWORD 'password' | PASSWORD NULL
    | VALID UNTIL 'timestamp'
    Grant a privilege on an object to a role:
    GRANT <privilege> ON <object> TO <role>;
    Revoke a privilege on an object from a role:
    REVOKE <privilege> ON <object> FROM <role>;
    Grant a role to another role:
    GRANT <role name> TO <another role>;
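    Added example, not code from the Tencent Cloud page: a least-privilege role layout built from the CREATE ROLE / CREATE USER / GRANT / REVOKE syntax above. It is meant to be run as the instance admin account (a member of pg_tencentdb_superuser), connected to the target database. The database appdb, schema app, table app.orders, the VALID UNTIL date and every role name are hypothetical, and the password literals are placeholders to be replaced from a secret store.

```sql
-- Added example (not from the Tencent Cloud page): least-privilege roles on
-- TencentDB for PostgreSQL. appdb, app, app.orders, the role names, the date and
-- the password literals are hypothetical placeholders. Run as the admin account
-- while connected to appdb (e.g. psql -d appdb -f this_file.sql).

-- Remove the defaults that make objects reachable by accident: PUBLIC may
-- connect to any database and (before PostgreSQL 15) create in schema public.
REVOKE CONNECT ON DATABASE appdb FROM PUBLIC;
REVOKE CREATE ON SCHEMA public FROM PUBLIC;

-- Group roles are NOLOGIN: nobody authenticates as the group itself.
CREATE ROLE app_readonly  NOLOGIN;
CREATE ROLE app_readwrite NOLOGIN;

-- Objects owned by the admin account. bigserial creates a sequence, which is
-- why app_readwrite also needs a sequence grant below in order to INSERT.
CREATE SCHEMA app;
CREATE TABLE app.orders (
    id          bigserial     PRIMARY KEY,
    customer_id bigint        NOT NULL,
    total       numeric(12,2) NOT NULL
);

GRANT CONNECT ON DATABASE appdb TO app_readonly, app_readwrite;
GRANT USAGE   ON SCHEMA app     TO app_readonly, app_readwrite;
GRANT SELECT ON ALL TABLES IN SCHEMA app TO app_readonly;
GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA app TO app_readwrite;
GRANT USAGE, SELECT ON ALL SEQUENCES IN SCHEMA app TO app_readwrite;

-- Tables and sequences the admin account creates in app later get the same
-- grants (default privileges apply to objects created by the role running this).
ALTER DEFAULT PRIVILEGES IN SCHEMA app GRANT SELECT ON TABLES TO app_readonly;
ALTER DEFAULT PRIVILEGES IN SCHEMA app GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO app_readwrite;
ALTER DEFAULT PRIVILEGES IN SCHEMA app GRANT USAGE, SELECT ON SEQUENCES TO app_readwrite;

-- Login users: every dangerous attribute spelled out as NO..., a connection cap
-- for the service account, an expiry for the human. Membership comes from IN ROLE.
CREATE USER svc_orders WITH LOGIN PASSWORD 'replace-with-secret'
    NOSUPERUSER NOCREATEDB NOCREATEROLE NOBYPASSRLS
    CONNECTION LIMIT 20 IN ROLE app_readwrite;
CREATE USER analyst_jdoe WITH LOGIN PASSWORD 'replace-with-secret'
    NOSUPERUSER NOCREATEDB NOCREATEROLE NOBYPASSRLS
    VALID UNTIL '2025-12-31' IN ROLE app_readonly;

-- Do NOT grant pg_tencentdb_superuser to an application or analyst account:
-- membership inherits BYPASSRLS, CREATEROLE, CREATEDB and REPLICATION.
-- GRANT pg_tencentdb_superuser TO svc_orders;

-- Check effective privileges rather than trusting that the GRANTs were applied.
SELECT has_table_privilege('svc_orders',   'app.orders', 'UPDATE')           AS svc_update,
       has_sequence_privilege('svc_orders', 'app.orders_id_seq', 'USAGE')    AS svc_seq_usage,
       has_table_privilege('analyst_jdoe', 'app.orders', 'UPDATE')           AS analyst_update,
       has_table_privilege('analyst_jdoe', 'app.orders', 'SELECT')           AS analyst_select;

-- Offboarding: revoke membership, drop what the role owns or was granted, then
-- the role. DROP ROLE refuses while dependencies remain, which is the signal to
-- run DROP OWNED (per database) or REASSIGN OWNED first.
REVOKE app_readonly FROM analyst_jdoe;
DROP OWNED BY analyst_jdoe;
DROP ROLE analyst_jdoe;
```

    The verification SELECT is the part worth keeping in a runbook: svc_orders should show UPDATE on the table and USAGE on its sequence, and analyst_jdoe should show SELECT but not UPDATE. Because the login users are created with INHERIT (the default), they receive the group's privileges directly; had they been NOINHERIT, they would have to SET ROLE explicitly and has_table_privilege would report false.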
    