Improve some documentation about the bootstrap superuser.

This commit adds some notes about the inability to remove superuser
privileges from the bootstrap superuser.  This has been blocked
since commit e530be2c5c, but it wasn't intended be a supported
feature before that, either.

In passing, change "bootstrap user" to "bootstrap superuser" in a
couple places.

Author: Yurii Rashkovskii
Reviewed-by: Vignesh C, David G. Johnston
Discussion: https://postgr.es/m/CA%2BRLCQzSx_eTC2Fch0EzeNHD3zFUcPvBYOoB%2BpPScFLch1DEQw%40mail.gmail.com

diff --git a/doc/src/sgml/glossary.sgml b/doc/src/sgml/glossary.sgml
index 881026ded6319803c33f6ba51e3e071b4c720ae7..ccd480aede014baec1353ca94c042429306a48f7 100644 (file)
--- a/doc/src/sgml/glossary.sgml
+++ b/doc/src/sgml/glossary.sgml
@@ -247,7 +247,8 @@
     </para>
     <para>
      This role also behaves as a normal
-     <glossterm linkend="glossary-database-superuser">database superuser</glossterm>.
+     <glossterm linkend="glossary-database-superuser">database superuser</glossterm>,
+     and its superuser status cannot be removed.
     </para>
    </glossdef>
   </glossentry>

diff --git a/doc/src/sgml/ref/alter_role.sgml b/doc/src/sgml/ref/alter_role.sgml
index ab1ee45d54e1a069ac477cb728496af8422ab71f..7b0a04bc4637c7c08246e597a9acf4466b467fa2 100644 (file)
--- a/doc/src/sgml/ref/alter_role.sgml
+++ b/doc/src/sgml/ref/alter_role.sgml
@@ -69,7 +69,9 @@ ALTER ROLE { <replaceable class="parameter">role_specification</replaceable> | A
    <link linkend="sql-grant"><command>GRANT</command></link> and
    <link linkend="sql-revoke"><command>REVOKE</command></link> for that.)
    Attributes not mentioned in the command retain their previous settings.
-   Database superusers can change any of these settings for any role.
+   Database superusers can change any of these settings for any role, except
+   for changing the <literal>SUPERUSER</literal> property for the
+   <glossterm linkend="glossary-bootstrap-superuser">bootstrap superuser</glossterm>.
    Non-superuser roles having <literal>CREATEROLE</literal> privilege can
    change most of these properties, but only for non-superuser and
    non-replication roles for which they have been granted

diff --git a/doc/src/sgml/user-manag.sgml b/doc/src/sgml/user-manag.sgml
index 92a299d2d33b6c3aa988ae78027d1f6db008d821..1c011ac62b57397fc21fad7aec9a960dcc0e93c5 100644 (file)
--- a/doc/src/sgml/user-manag.sgml
+++ b/doc/src/sgml/user-manag.sgml
@@ -350,7 +350,7 @@ ALTER ROLE myname SET enable_indexscan TO off;
    options. Thus, the fact that privileges are not inherited by default nor
    is <literal>SET ROLE</literal> granted by default is a safeguard against
    accidents, not a security feature. Also note that, because this automatic
-   grant is granted by the bootstrap user, it cannot be removed or changed by
+   grant is granted by the bootstrap superuser, it cannot be removed or changed by
    the <literal>CREATEROLE</literal> user; however, any superuser could
    revoke it, modify it, and/or issue additional such grants to other
    <literal>CREATEROLE</literal> users. Whichever <literal>CREATEROLE</literal>

diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c
index 7e815897116e37d01ef671774bb9b74661a49442..7a9c177b21c82c4fd43dac31d0d28cf8be99230b 100644 (file)
--- a/src/backend/commands/user.c
+++ b/src/backend/commands/user.c
@@ -868,7 +868,7 @@ AlterRole(ParseState *pstate, AlterRoleStmt *stmt)
            ereport(ERROR,
                    (errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
                     errmsg("permission denied to alter role"),
-                    errdetail("The bootstrap user must have the %s attribute.",
+                    errdetail("The bootstrap superuser must have the %s attribute.",
                               "SUPERUSER")));
 
        new_record[Anum_pg_authid_rolsuper - 1] = BoolGetDatum(should_be_super);