Improve some documentation about the bootstrap superuser.

nathan-bossart · nathan-bossart · commit d891dcc065a2 · 2024-01-18T21:39:51.000-06:00
This commit adds some notes about the inability to remove superuser privileges from the bootstrap superuser. This has been blocked since commit e530be2, but it wasn't intended be a supported feature before that, either. In passing, change "bootstrap user" to "bootstrap superuser" in a couple places. Author: Yurii Rashkovskii Reviewed-by: Vignesh C, David G. Johnston Discussion: https://postgr.es/m/CA%2BRLCQzSx_eTC2Fch0EzeNHD3zFUcPvBYOoB%2BpPScFLch1DEQw%40mail.gmail.com
diff --git a/doc/src/sgml/glossary.sgml b/doc/src/sgml/glossary.sgml
@@ -247,7 +247,8 @@
     </para>
     <para>
      This role also behaves as a normal
-     <glossterm linkend="glossary-database-superuser">database superuser</glossterm>.
+     <glossterm linkend="glossary-database-superuser">database superuser</glossterm>,
+     and its superuser status cannot be removed.
     </para>
    </glossdef>
   </glossentry>
diff --git a/doc/src/sgml/ref/alter_role.sgml b/doc/src/sgml/ref/alter_role.sgml
@@ -69,7 +69,9 @@ ALTER ROLE { <replaceable class="parameter">role_specification</replaceable> | A
    <link linkend="sql-grant"><command>GRANT</command></link> and
    <link linkend="sql-revoke"><command>REVOKE</command></link> for that.)
    Attributes not mentioned in the command retain their previous settings.
-   Database superusers can change any of these settings for any role.
+   Database superusers can change any of these settings for any role, except
+   for changing the <literal>SUPERUSER</literal> property for the
+   <glossterm linkend="glossary-bootstrap-superuser">bootstrap superuser</glossterm>.
    Non-superuser roles having <literal>CREATEROLE</literal> privilege can
    change most of these properties, but only for non-superuser and
    non-replication roles for which they have been granted
diff --git a/doc/src/sgml/user-manag.sgml b/doc/src/sgml/user-manag.sgml
@@ -350,7 +350,7 @@ ALTER ROLE myname SET enable_indexscan TO off;
    options. Thus, the fact that privileges are not inherited by default nor
    is <literal>SET ROLE</literal> granted by default is a safeguard against
    accidents, not a security feature. Also note that, because this automatic
-   grant is granted by the bootstrap user, it cannot be removed or changed by
+   grant is granted by the bootstrap superuser, it cannot be removed or changed by
    the <literal>CREATEROLE</literal> user; however, any superuser could
    revoke it, modify it, and/or issue additional such grants to other
    <literal>CREATEROLE</literal> users. Whichever <literal>CREATEROLE</literal>
diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c
@@ -868,7 +868,7 @@ AlterRole(ParseState *pstate, AlterRoleStmt *stmt)
 			ereport(ERROR,
 					(errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
 					 errmsg("permission denied to alter role"),
-					 errdetail("The bootstrap user must have the %s attribute.",
+					 errdetail("The bootstrap superuser must have the %s attribute.",
 							   "SUPERUSER")));
 
 		new_record[Anum_pg_authid_rolsuper - 1] = BoolGetDatum(should_be_super);
