doc/src/sgml/ref/createuser.sgml

   1 <!--
   2 $PostgreSQL$
   3 PostgreSQL documentation
   4 -->
   5
   6 <refentry id="APP-CREATEUSER">
   7  <refmeta>
   8   <refentrytitle id="APP-CREATEUSER-TITLE"><application>createuser</application></refentrytitle>
   9   <manvolnum>1</manvolnum>
  10   <refmiscinfo>Application</refmiscinfo>
  11  </refmeta>
  12
  13  <refnamediv>
  14   <refname>createuser</refname>
  15   <refpurpose>define a new <productname>PostgreSQL</productname> user account</refpurpose>
  16  </refnamediv>
  17
  18  <indexterm zone="app-createuser">
  19   <primary>createuser</primary>
  20  </indexterm>
  21
  22  <refsynopsisdiv>
  23   <cmdsynopsis>
  24    <command>createuser</command>
  25    <arg rep="repeat"><replaceable>option</replaceable></arg>
  26    <arg><replaceable>username</replaceable></arg>
  27   </cmdsynopsis>
  28  </refsynopsisdiv>
  29
  30
  31  <refsect1>
  32   <title>Description</title>
  33   <para>
  34    <application>createuser</application> creates a
  35    new <productname>PostgreSQL</productname> user (or more precisely, a role).
  36    Only superusers and users with <literal>CREATEROLE</> privilege can create
  37    new users, so <application>createuser</application> must be
  38    invoked by someone who can connect as a superuser or a user with
  39    <literal>CREATEROLE</> privilege.
  40   </para>
  41
  42   <para>
  43    If you wish to create a new superuser, you must connect as a
  44    superuser, not merely with <literal>CREATEROLE</> privilege.
  45    Being a superuser implies the ability to bypass all access permission
  46    checks within the database, so superuserdom should not be granted lightly.
  47   </para>
  48
  49   <para>
  50    <application>createuser</application> is a wrapper around the
  51    <acronym>SQL</acronym> command <xref linkend="SQL-CREATEROLE"
  52    endterm="SQL-CREATEROLE-title">.
  53    There is no effective difference between creating users via
  54    this utility and via other methods for accessing the server.
  55   </para>
  56
  57  </refsect1>
  58
  59
  60  <refsect1>
  61   <title>Options</title>
  62
  63   <para>
  64    <application>createuser</> accepts the following command-line arguments:
  65
  66     <variablelist>
  67      <varlistentry>
  68       <term><replaceable class="parameter">username</replaceable></term>
  69       <listitem>
  70        <para>
  71         Specifies the name of the <productname>PostgreSQL</productname> user
  72         to be created.
  73         This name must be different from all existing roles in this
  74         <productname>PostgreSQL</productname> installation.
  75        </para>
  76       </listitem>
  77      </varlistentry>
  78
  79      <varlistentry>
  80       <term><option>-s</></term>
  81       <term><option>--superuser</></term>
  82       <listitem>
  83        <para>
  84         The new user will be a superuser.
  85        </para>
  86       </listitem>
  87      </varlistentry>
  88
  89      <varlistentry>
  90       <term><option>-S</></term>
  91       <term><option>--no-superuser</></term>
  92       <listitem>
  93        <para>
  94         The new user will not be a superuser.
  95         This is the default.
  96        </para>
  97       </listitem>
  98      </varlistentry>
  99
 100      <varlistentry>
 101       <term><option>-d</></term>
 102       <term><option>--createdb</></term>
 103       <listitem>
 104        <para>
 105         The new user will be allowed to create databases.
 106        </para>
 107       </listitem>
 108      </varlistentry>
 109
 110      <varlistentry>
 111       <term><option>-D</></term>
 112       <term><option>--no-createdb</></term>
 113       <listitem>
 114        <para>
 115         The new user will not be allowed to create databases.
 116         This is the default.
 117        </para>
 118       </listitem>
 119      </varlistentry>
 120
 121      <varlistentry>
 122       <term><option>-r</></term>
 123       <term><option>--createrole</></term>
 124       <listitem>
 125        <para>
 126         The new user will be allowed to create new roles (that is,
 127         this user will have <literal>CREATEROLE</> privilege).
 128        </para>
 129       </listitem>
 130      </varlistentry>
 131
 132      <varlistentry>
 133       <term><option>-R</></term>
 134       <term><option>--no-createrole</></term>
 135       <listitem>
 136        <para>
 137         The new user will not be allowed to create new roles.
 138         This is the default.
 139        </para>
 140       </listitem>
 141      </varlistentry>
 142
 143      <varlistentry>
 144       <term><option>-l</></term>
 145       <term><option>--login</></term>
 146       <listitem>
 147        <para>
 148         The new user will be allowed to log in (that is, the user name
 149         can be used as the initial session user identifier).
 150         This is the default.
 151        </para>
 152       </listitem>
 153      </varlistentry>
 154
 155      <varlistentry>
 156       <term><option>-L</></term>
 157       <term><option>--no-login</></term>
 158       <listitem>
 159        <para>
 160         The new user will not be allowed to log in.
 161         (A role without login privilege is still useful as a means of
 162         managing database permissions.)
 163        </para>
 164       </listitem>
 165      </varlistentry>
 166
 167      <varlistentry>
 168       <term><option>-i</></term>
 169       <term><option>--inherit</></term>
 170       <listitem>
 171        <para>
 172         The new role will automatically inherit privileges of roles
 173         it is a member of.
 174         This is the default.
 175        </para>
 176       </listitem>
 177      </varlistentry>
 178
 179      <varlistentry>
 180       <term><option>-I</></term>
 181       <term><option>--no-inherit</></term>
 182       <listitem>
 183        <para>
 184         The new role will not automatically inherit privileges of roles
 185         it is a member of.
 186        </para>
 187       </listitem>
 188      </varlistentry>
 189
 190      <varlistentry>
 191       <term><option>-c <replaceable class="parameter">number</replaceable></></term>
 192       <term><option>--connection-limit <replaceable class="parameter">number</replaceable></></term>
 193       <listitem>
 194        <para>
 195         Set a maximum number of connections for the new user.
 196         The default is to set no limit.
 197        </para>
 198       </listitem>
 199      </varlistentry>
 200
 201      <varlistentry>
 202       <term><option>-P</></term>
 203       <term><option>--pwprompt</></term>
 204       <listitem>
 205        <para>
 206        If given, <application>createuser</application> will issue a prompt for
 207        the password of the new user. This is not necessary if you do not plan
 208        on using password authentication.
 209        </para>
 210       </listitem>
 211      </varlistentry>
 212
 213      <varlistentry>
 214       <term><option>-E</></term>
 215       <term><option>--encrypted</></term>
 216       <listitem>
 217        <para>
 218         Encrypts the user's password stored in the database. If not
 219         specified, the default password behavior is used.
 220        </para>
 221       </listitem>
 222      </varlistentry>
 223
 224      <varlistentry>
 225       <term><option>-N</></term>
 226       <term><option>--unencrypted</></term>
 227       <listitem>
 228        <para>
 229         Does not encrypt the user's password stored in the database. If
 230         not specified, the default password behavior is used.
 231        </para>
 232       </listitem>
 233      </varlistentry>
 234
 235      <varlistentry>
 236       <term><option>-e</></term>
 237       <term><option>--echo</></term>
 238       <listitem>
 239        <para>
 240         Echo the commands that <application>createuser</application> generates
 241         and sends to the server.
 242        </para>
 243       </listitem>
 244      </varlistentry>
 245     </variablelist>
 246   </para>
 247
 248   <para>
 249    You will be prompted for a name and other missing information if it
 250    is not specified on the command line.
 251   </para>
 252
 253   <para>
 254    <application>createuser</application> also accepts the following
 255    command-line arguments for connection parameters:
 256
 257    <variablelist>
 258      <varlistentry>
 259       <term><option>-h <replaceable class="parameter">host</replaceable></></term>
 260       <term><option>--host <replaceable class="parameter">host</replaceable></></term>
 261       <listitem>
 262        <para>
 263         Specifies the host name of the machine on which the
 264         server
 265         is running.  If the value begins with a slash, it is used
 266         as the directory for the Unix domain socket.
 267        </para>
 268       </listitem>
 269      </varlistentry>
 270
 271      <varlistentry>
 272       <term><option>-p <replaceable class="parameter">port</replaceable></></term>
 273       <term><option>--port <replaceable class="parameter">port</replaceable></></term>
 274       <listitem>
 275        <para>
 276         Specifies the TCP port or local Unix domain socket file
 277         extension on which the server
 278         is listening for connections.
 279        </para>
 280       </listitem>
 281      </varlistentry>
 282
 283      <varlistentry>
 284       <term><option>-U <replaceable class="parameter">username</replaceable></></term>
 285       <term><option>--username <replaceable class="parameter">username</replaceable></></term>
 286       <listitem>
 287        <para>
 288         User name to connect as (not the user name to create).
 289        </para>
 290       </listitem>
 291      </varlistentry>
 292
 293      <varlistentry>
 294       <term><option>-w</></term>
 295       <term><option>--no-password</></term>
 296       <listitem>
 297        <para>
 298         Never issue a password prompt.  If the server requires
 299         password authentication and a password is not available by
 300         other means such as a <filename>.pgpass</filename> file, the
 301         connection attempt will fail.  This option can be useful in
 302         batch jobs and scripts where no user is present to enter a
 303         password.
 304        </para>
 305       </listitem>
 306      </varlistentry>
 307
 308      <varlistentry>
 309       <term><option>-W</></term>
 310       <term><option>--password</></term>
 311       <listitem>
 312        <para>
 313         Force <application>createuser</application> to prompt for a
 314         password (for connecting to the server, not for the
 315         password of the new user).
 316        </para>
 317
 318        <para>
 319         This option is never essential, since
 320         <application>createuser</application> will automatically prompt
 321         for a password if the server demands password authentication.
 322         However, <application>createuser</application> will waste a
 323         connection attempt finding out that the server wants a password.
 324         In some cases it is worth typing <option>-W</> to avoid the extra
 325         connection attempt.
 326        </para>
 327       </listitem>
 328      </varlistentry>
 329    </variablelist>
 330   </para>
 331  </refsect1>
 332
 333
 334  <refsect1>
 335   <title>Environment</title>
 336
 337   <variablelist>
 338    <varlistentry>
 339     <term><envar>PGHOST</envar></term>
 340     <term><envar>PGPORT</envar></term>
 341     <term><envar>PGUSER</envar></term>
 342
 343     <listitem>
 344      <para>
 345       Default connection parameters
 346      </para>
 347     </listitem>
 348    </varlistentry>
 349   </variablelist>
 350
 351   <para>
 352    This utility, like most other <productname>PostgreSQL</> utilities,
 353    also uses the environment variables supported by <application>libpq</>
 354    (see <xref linkend="libpq-envars">).
 355   </para>
 356
 357  </refsect1>
 358
 359
 360  <refsect1>
 361   <title>Diagnostics</title>
 362
 363   <para>
 364    In case of difficulty, see <xref linkend="SQL-CREATEROLE"
 365    endterm="sql-createrole-title"> and <xref linkend="APP-PSQL"> for
 366    discussions of potential problems and error messages.
 367    The database server must be running at the
 368    targeted host.  Also, any default connection settings and environment
 369    variables used by the <application>libpq</application> front-end
 370    library will apply.
 371   </para>
 372
 373  </refsect1>
 374
 375
 376  <refsect1>
 377   <title>Examples</title>
 378
 379    <para>
 380     To create a user <literal>joe</literal> on the default database
 381     server:
 382 <screen>
 383 <prompt>$ </prompt><userinput>createuser joe</userinput>
 384 <computeroutput>Shall the new role be a superuser? (y/n) </computeroutput><userinput>n</userinput>
 385 <computeroutput>Shall the new role be allowed to create databases? (y/n) </computeroutput><userinput>n</userinput>
 386 <computeroutput>Shall the new role be allowed to create more new roles? (y/n) </computeroutput><userinput>n</userinput>
 387 </screen>
 388    </para>
 389
 390    <para>
 391     To create the same user <literal>joe</literal> using the
 392     server on host <literal>eden</>, port 5000, avoiding the prompts and
 393     taking a look at the underlying command:
 394 <screen>
 395 <prompt>$ </prompt><userinput>createuser -h eden -p 5000 -S -D -R -e joe</userinput>
 396 <computeroutput>CREATE ROLE joe NOSUPERUSER NOCREATEDB NOCREATEROLE INHERIT LOGIN;</computeroutput>
 397 </screen>
 398    </para>
 399
 400    <para>
 401     To create the user <literal>joe</literal> as a superuser,
 402     and assign a password immediately:
 403 <screen>
 404 <prompt>$ </prompt><userinput>createuser -P -s -e joe</userinput>
 405 <computeroutput>Enter password for new role: </computeroutput><userinput>xyzzy</userinput>
 406 <computeroutput>Enter it again: </computeroutput><userinput>xyzzy</userinput>
 407 <computeroutput>CREATE ROLE joe PASSWORD 'md5b5f5ba1a423792b526f799ae4eb3d59e' SUPERUSER CREATEDB CREATEROLE INHERIT LOGIN;</computeroutput>
 408 </screen>
 409     In the above example, the new password isn't actually echoed when typed,
 410     but we show what was typed for clarity.  As you see, the password is
 411     encrypted before it is sent to the client.  If the option <option>--unencrypted</option>
 412     is used, the password <emphasis>will</> appear in the echoed command
 413     (and possibly also in the server log and elsewhere),
 414     so you don't want to use <option>-e</> in that case, if
 415     anyone else can see your screen.
 416    </para>
 417  </refsect1>
 418
 419
 420  <refsect1>
 421   <title>See Also</title>
 422
 423   <simplelist type="inline">
 424    <member><xref linkend="app-dropuser"></member>
 425    <member><xref linkend="sql-createrole" endterm="sql-createrole-title"></member>
 426   </simplelist>
 427  </refsect1>
 428
 429 </refentry>