Thread: ALTER ROLES - questions
Hi! I played around with roles a bit today and noticed some minor things: ALTER ROLE seems to support ALTER ROLE <name> ROLE <name> - but that form is not mentioned in the docs: playground=# CREATE ROLE myrole; CREATE ROLE playground=# CREATE ROLE myrole2; CREATE ROLE playground=# ALTER ROLE myrole ROLE myrole2; ALTER ROLE ALTER ROLE <name> IN ROLE <name> (undocumented but seems logical to try because CREATE ROLE supports that) seems to result in the following a bit cryptic error message: playground=# CREATE ROLE myrole; CREATE ROLE playground=# CREATE ROLE myrole2; CREATE ROLE playground=# ALTER ROLE myrole IN ROLE myrole2; ERROR: option "addroleto" not recognized I understand that adding/removing role membership can be done by the means of GRANT/REVOKE but at least improving the error message(or stopping the parser from accepting that syntax) a bit would be nice :-) Stefan
Stefan Kaltenbrunner <stefan@kaltenbrunner.cc> writes:
> I played around with roles a bit today and noticed some minor things:
> ALTER ROLE seems to support ALTER ROLE <name> ROLE <name> - but that
> form is not mentioned in the docs:
There are some cases that work, but are not documented (or supported),
as a result of the fact that the same productions are used in the
grammar to support both the ROLE commands and the older GROUP commands.
I don't think it's worth bloating the grammar to suppress this.
regards, tom lane
* Stefan Kaltenbrunner (stefan@kaltenbrunner.cc) wrote:
> ALTER ROLE seems to support ALTER ROLE <name> ROLE <name> - but that
> form is not mentioned in the docs:
It's not really encouraged and is more because (iirc) that's what 'alter
group' did.
> ALTER ROLE <name> IN ROLE <name> (undocumented but seems logical to try
> because CREATE ROLE supports that) seems to result in the following a
> bit cryptic error message:
[...]
> playground=# ALTER ROLE myrole IN ROLE myrole2;
> ERROR: option "addroleto" not recognized
Yeah, 'alter group' (or 'alter user', one of them) did the same thing,
which suprised me but lead me to not really be too concerned about this
issue.
> I understand that adding/removing role membership can be done by the
> means of GRANT/REVOKE but at least improving the error message(or
> stopping the parser from accepting that syntax) a bit would be nice :-)
Improving the error message would probably be good (though the error
messages in those functions did tend to follow the same "blah not
recognized" format, so if it's going to be changed to something 'better'
it'd probably make sense to change them all). Having the parser not
accept the syntax would mean splitting the CREATE ROLE and ALTER ROLE
options-which-are-accepted into two sets (currently there's just one set
which both use) which would create quite a bit of duplication...
Thanks,
Stephen
On Mon, Aug 15, 2005 at 09:49:35AM -0400, Tom Lane wrote: > Stefan Kaltenbrunner <stefan@kaltenbrunner.cc> writes: > > I played around with roles a bit today and noticed some minor things: > > > ALTER ROLE seems to support ALTER ROLE <name> ROLE <name> - but that > > form is not mentioned in the docs: > > There are some cases that work, but are not documented (or supported), > as a result of the fact that the same productions are used in the > grammar to support both the ROLE commands and the older GROUP commands. > I don't think it's worth bloating the grammar to suppress this. Should we mention this in the docs along with the warning that it's unsupported and may go away in the future? TBH it seems like it would be better not to have hidden behaviors that people end up using because they don't remember the supported syntax and end up in the habit of using unsupported syntax without realizing it. -- Jim C. Nasby, Sr. Engineering Consultant jnasby@pervasive.com Pervasive Software http://pervasive.com 512-569-9461
I see a lot of ALTER ROLE items not documented: SYSIDIN ROLEROLE/USERADMIN Is anyone working on documenting these? I see these flags as used by and documented in CREATE ROLE too. Should they be disabled for ALTER ROLE? --------------------------------------------------------------------------- Stefan Kaltenbrunner wrote: > Hi! > > I played around with roles a bit today and noticed some minor things: > > ALTER ROLE seems to support ALTER ROLE <name> ROLE <name> - but that > form is not mentioned in the docs: > > playground=# CREATE ROLE myrole; > CREATE ROLE > playground=# CREATE ROLE myrole2; > CREATE ROLE > playground=# ALTER ROLE myrole ROLE myrole2; > ALTER ROLE > > ALTER ROLE <name> IN ROLE <name> (undocumented but seems logical to try > because CREATE ROLE supports that) seems to result in the following a > bit cryptic error message: > > playground=# CREATE ROLE myrole; > CREATE ROLE > playground=# CREATE ROLE myrole2; > CREATE ROLE > playground=# ALTER ROLE myrole IN ROLE myrole2; > ERROR: option "addroleto" not recognized > > > I understand that adding/removing role membership can be done by the > means of GRANT/REVOKE but at least improving the error message(or > stopping the parser from accepting that syntax) a bit would be nice :-) > > Stefan > > ---------------------------(end of broadcast)--------------------------- > TIP 1: if posting/reading through Usenet, please send an appropriate > subscribe-nomail command to majordomo@postgresql.org so that your > message can get through to the mailing list cleanly > -- Bruce Momjian | http://candle.pha.pa.us pgman@candle.pha.pa.us | (610) 359-1001+ If your life is a hard drive, | 13 Roberts Road + Christ can be your backup. | Newtown Square, Pennsylvania19073
Bruce Momjian <pgman@candle.pha.pa.us> writes:
> I see a lot of ALTER ROLE items not documented:
> SYSID
> IN ROLE
> ROLE/USER
> ADMIN
> Is anyone working on documenting these?
No, because they're not actually supported. The grammar happens to
accept them because we use the same productions for CREATE ROLE and
ALTER ROLE, but they are not intended for use.
regards, tom lane
OK, I have added comments to gram.y to document what is happening. ALTER ROLE ... ROLE is supported for ALTER GROUP. The others like IN ROL are supported by CREATE, but when used by ALTER throw an error printing their internal names, so it is kind of cryptic. Not sure what we should do to improve this. Let's see if others complain. --------------------------------------------------------------------------- Stefan Kaltenbrunner wrote: > Hi! > > I played around with roles a bit today and noticed some minor things: > > ALTER ROLE seems to support ALTER ROLE <name> ROLE <name> - but that > form is not mentioned in the docs: > > playground=# CREATE ROLE myrole; > CREATE ROLE > playground=# CREATE ROLE myrole2; > CREATE ROLE > playground=# ALTER ROLE myrole ROLE myrole2; > ALTER ROLE > > ALTER ROLE <name> IN ROLE <name> (undocumented but seems logical to try > because CREATE ROLE supports that) seems to result in the following a > bit cryptic error message: > > playground=# CREATE ROLE myrole; > CREATE ROLE > playground=# CREATE ROLE myrole2; > CREATE ROLE > playground=# ALTER ROLE myrole IN ROLE myrole2; > ERROR: option "addroleto" not recognized > > > I understand that adding/removing role membership can be done by the > means of GRANT/REVOKE but at least improving the error message(or > stopping the parser from accepting that syntax) a bit would be nice :-) > > Stefan > > ---------------------------(end of broadcast)--------------------------- > TIP 1: if posting/reading through Usenet, please send an appropriate > subscribe-nomail command to majordomo@postgresql.org so that your > message can get through to the mailing list cleanly > -- Bruce Momjian | http://candle.pha.pa.us pgman@candle.pha.pa.us | (610) 359-1001+ If your life is a hard drive, | 13 Roberts Road + Christ can be your backup. | Newtown Square, Pennsylvania19073