Postgresql 中文操作指南

SET ROLE

SET ROLE —设置当前会话的当前用户标识符

SET ROLE — set the current user identifier of the current session

Synopsis

SET [ SESSION | LOCAL ] ROLE role_name
SET [ SESSION | LOCAL ] ROLE NONE
RESET ROLE

Description

此命令将当前 SQL 会话的当前用户标识符设置为 role_name 。角色名称可以写为标识符或字符串文本。在 SET ROLE 之后，SQL 命令的权限检查将按照命名角色最初登录的方式执行。

This command sets the current user identifier of the current SQL session to be role_name. The role name can be written as either an identifier or a string literal. After SET ROLE, permissions checking for SQL commands is carried out as though the named role were the one that had logged in originally.

当前会话用户必须具有指定 role_name 的 SET 选项，可以通过具有 SET 选项的成员资格链直接或间接地获取该选项。（如果会话用户是超级用户，则可以选择任何角色。）

The current session user must have the SET option for the specified role_name, either directly or indirectly via a chain of memberships with the SET option. (If the session user is a superuser, any role can be selected.)

SESSION 和 LOCAL 修饰符的作用与常规 SET 命令的作用相同。

The SESSION and LOCAL modifiers act the same as for the regular SET command.

SET ROLE NONE 将当前用户标识符设置为通过 session_user 返回的当前会话用户标识符。 RESET ROLE 将当前用户标识符设置为连接时设置中由 command-line options 、 ALTER ROLE 或 ALTER DATABASE （如果存在此类设置）指定的设置。否则， RESET ROLE 将当前用户标识符设置为当前会话用户标识符。任何用户都可以执行这些格式。

SET ROLE NONE sets the current user identifier to the current session user identifier, as returned by session_user. RESET ROLE sets the current user identifier to the connection-time setting specified by the command-line options, ALTER ROLE, or ALTER DATABASE, if any such settings exist. Otherwise, RESET ROLE sets the current user identifier to the current session user identifier. These forms can be executed by any user.

Notes

使用此命令可以添加权限或限制自己的权限。如果会话用户角色被授予了 WITH INHERIT TRUE 成员资格，则自动具有此类角色的所有权限。在这种情况下， SET ROLE 实际上会放弃除目标角色直接拥有或继承的所有权限。另一方面，如果会话用户角色被授予了 WITH INHERIT FALSE 成员资格，则默认情况下无法访问已授予角色的权限。但是，如果角色被授予 WITH SET TRUE ，会话用户可以使用 SET ROLE 放弃直接分配给会话用户的权限，并改为获得命名角色可用的权限。如果角色被授予 WITH INHERIT FALSE, SET FALSE ，则无论是否使用 SET ROLE ，都无法行使该角色的权限。

Using this command, it is possible to either add privileges or restrict one’s privileges. If the session user role has been granted memberships WITH INHERIT TRUE, it automatically has all the privileges of every such role. In this case, SET ROLE effectively drops all the privileges except for those which the target role directly possesses or inherits. On the other hand, if the session user role has been granted memberships WITH INHERIT FALSE, the privileges of the granted roles can’t be accessed by default. However, if the role was granted WITH SET TRUE, the session user can use SET ROLE to drop the privileges assigned directly to the session user and instead acquire the privileges available to the named role. If the role was granted WITH INHERIT FALSE, SET FALSE then the privileges of that role cannot be exercised either with or without SET ROLE.

请注意，当超级用户选择 SET ROLE 为非超级用户角色时，他们将失去其超级用户权限。

Note that when a superuser chooses to SET ROLE to a non-superuser role, they lose their superuser privileges.

SET ROLE 具有与 SET SESSION AUTHORIZATION 相当的效果，但涉及的权限检查差别很大。此外， SET SESSION AUTHORIZATION 确定哪些角色允许用于后面的 SET ROLE 命令，而使用 SET ROLE 更改角色不会更改允许用于后面的 SET ROLE 的角色集。

SET ROLE has effects comparable to SET SESSION AUTHORIZATION, but the privilege checks involved are quite different. Also, SET SESSION AUTHORIZATION determines which roles are allowable for later SET ROLE commands, whereas changing roles with SET ROLE does not change the set of roles allowed to a later SET ROLE.

SET ROLE 不根据角色的 ALTER ROLE 所设置的会话变量来处理会话变量；这仅在登录期间发生。

SET ROLE does not process session variables as specified by the role’s ALTER ROLE settings; this only happens during login.

SET ROLE 无法用于 SECURITY DEFINER 函数内。

SET ROLE cannot be used within a SECURITY DEFINER function.

Examples

SELECT SESSION_USER, CURRENT_USER;

 session_user | current_user
--------------+--------------
 peter        | peter

SET ROLE 'paul';

SELECT SESSION_USER, CURRENT_USER;

 session_user | current_user
--------------+--------------
 peter        | paul

Compatibility

PostgreSQL 允许标识符语法 ( "_rolename “ ), while the SQL standard requires the role name to be written as a string literal. SQL does not allow this command during a transaction; PostgreSQL does not make this restriction because there is no reason to. The _SESSION 和 LOCAL 修饰符是 PostgreSQL 扩展， RESET 语法也是如此。

PostgreSQL allows identifier syntax ("_rolename"), while the SQL standard requires the role name to be written as a string literal. SQL does not allow this command during a transaction; PostgreSQL does not make this restriction because there is no reason to. The _SESSION and LOCAL modifiers are a PostgreSQL extension, as is the RESET syntax.