July 27, 2024
Summary: in this tutorial, you will learn about PostgreSQL superusers and how to create them using the CREATE ROLE
statement.
Table of Contents
Introduction to PostgreSQL superuser
In PostgreSQL, a superuser is a special role with the highest privileges. A superuser has full access to all databases and tables. Additionally, it can perform administrative tasks such as creating databases, dropping databases, managing user roles, modifying database configuration, and so on.
In other words, a superuser can bypass all security checks except the right to log in.
By default, PostgreSQL has a superuser role called postgres
. Typically, you use the postgres
user role for performing administrative tasks and don’t need to create additional users with the superuser privilege.
However, if you need additional superuser roles, you can create them using the CREATE ROLE
statement or change a regular user to a superuser using the ALTER ROLE
statement.
Creating new superusers
First, connect to the PostgreSQL database using a client such as psql
:
psql -U postgres
Second, execute the following CREATE ROLE
command to create a superuser:
CREATE ROLE username SUPERUSER;
You need to replace username
with your desired username for the superuser. For example:
CREATE ROLE spiderman SUPERUSER
LOGIN
PASSWORD 'moreSecurePass';
Third, verify the user creation:
\du spiderman
Output:
List of roles
Role name | Attributes
-----------+------------
spiderman | Superuser
The output indicates that spiderman
role is a superuser.
Changing a user to a superuser
It’s possible to change a user to a superuser using the ALTER ROLE
statement.
First, create a regular role with a login privilege and a password:
CREATE ROLE batman LOGIN PASSWORD 'moreSecurePass';
Second, make the batman
role become a superuser using the ALTER ROLE
statement:
ALTER ROLE batman SUPERUSER;
Third, verify the user modification:
\du batman
Output:
List of roles
Role name | Attributes
-----------+------------
batman | Superuser
Revoking superuser from a user
To revoke a superuser status of a user, you can use the following ALTER ROLE
statement:
ALTER USER username NOSUPERUSER;
For example, the following statement revokes the SUPERUSER
status from the spiderman
role:
ALTER USER spiderman NOSUPERUSER;
You can verify the spiderman
role as follows:
\du spiderman
Output:
List of roles
Role name | Attributes
-----------+------------
spiderman |
Summary
- In PostgreSQL, a superuser bypass all permission checks except the permission to log in.
- Use the
CREATE ROLE...SUPERUSER
statement to create a superuser. - Use the
ALTER ROLE...SUPERUSER
statement to make a role a superuser. - Use the
ALTER ROLE...NOSUPERUSER
statement to revoke the superuser from a user.