| <!-- |
| doc/src/sgml/ref/createuser.sgml |
| PostgreSQL documentation |
| --> |
| |
| <refentry id="app-createuser"> |
| <indexterm zone="app-createuser"> |
| <primary>createuser</primary> |
| </indexterm> |
| |
| <refmeta> |
| <refentrytitle><application>createuser</application></refentrytitle> |
| <manvolnum>1</manvolnum> |
| <refmiscinfo>Application</refmiscinfo> |
| </refmeta> |
| |
| <refnamediv> |
| <refname>createuser</refname> |
| <refpurpose>define a new <productname>PostgreSQL</productname> user account</refpurpose> |
| </refnamediv> |
| |
| <refsynopsisdiv> |
| <cmdsynopsis> |
| <command>createuser</command> |
| <arg rep="repeat"><replaceable>connection-option</replaceable></arg> |
| <arg rep="repeat"><replaceable>option</replaceable></arg> |
| <arg choice="opt"><replaceable>username</replaceable></arg> |
| </cmdsynopsis> |
| </refsynopsisdiv> |
| |
| |
| <refsect1> |
| <title>Description</title> |
| <para> |
| <application>createuser</application> creates a |
| new <productname>PostgreSQL</productname> user (or more precisely, a role). |
| Only superusers and users with <literal>CREATEROLE</literal> privilege can create |
| new users, so <application>createuser</application> must be |
| invoked by someone who can connect as a superuser or a user with |
| <literal>CREATEROLE</literal> privilege. |
| </para> |
| |
| <para> |
| If you wish to create a new superuser, you must connect as a |
| superuser, not merely with <literal>CREATEROLE</literal> privilege. |
| Being a superuser implies the ability to bypass all access permission |
| checks within the database, so superuser access should not be granted lightly. |
| </para> |
| |
| <para> |
| <application>createuser</application> is a wrapper around the |
| <acronym>SQL</acronym> command <link linkend="sql-createrole"><command>CREATE ROLE</command></link>. |
| There is no effective difference between creating users via |
| this utility and via other methods for accessing the server. |
| </para> |
| |
| </refsect1> |
| |
| |
| <refsect1> |
| <title>Options</title> |
| |
| <para> |
| <application>createuser</application> accepts the following command-line arguments: |
| |
| <variablelist> |
| <varlistentry> |
| <term><replaceable class="parameter">username</replaceable></term> |
| <listitem> |
| <para> |
| Specifies the name of the <productname>PostgreSQL</productname> user |
| to be created. |
| This name must be different from all existing roles in this |
| <productname>PostgreSQL</productname> installation. |
| </para> |
| </listitem> |
| </varlistentry> |
| |
| <varlistentry> |
| <term><option>-c <replaceable class="parameter">number</replaceable></option></term> |
| <term><option>--connection-limit=<replaceable class="parameter">number</replaceable></option></term> |
| <listitem> |
| <para> |
| Set a maximum number of connections for the new user. |
| The default is to set no limit. |
| </para> |
| </listitem> |
| </varlistentry> |
| |
| <varlistentry> |
| <term><option>-d</option></term> |
| <term><option>--createdb</option></term> |
| <listitem> |
| <para> |
| The new user will be allowed to create databases. |
| </para> |
| </listitem> |
| </varlistentry> |
| |
| <varlistentry> |
| <term><option>-D</option></term> |
| <term><option>--no-createdb</option></term> |
| <listitem> |
| <para> |
| The new user will not be allowed to create databases. This is the |
| default. |
| </para> |
| </listitem> |
| </varlistentry> |
| |
| <varlistentry> |
| <term><option>-e</option></term> |
| <term><option>--echo</option></term> |
| <listitem> |
| <para> |
| Echo the commands that <application>createuser</application> generates |
| and sends to the server. |
| </para> |
| </listitem> |
| </varlistentry> |
| |
| <varlistentry> |
| <term><option>-E</option></term> |
| <term><option>--encrypted</option></term> |
| <listitem> |
| <para> |
| This option is obsolete but still accepted for backward |
| compatibility. |
| </para> |
| </listitem> |
| </varlistentry> |
| |
| <varlistentry> |
| <term><option>-g <replaceable class="parameter">role</replaceable></option></term> |
| <term><option>--role=<replaceable class="parameter">role</replaceable></option></term> |
| <listitem> |
| <para> |
| Indicates role to which this role will be added immediately as a new |
| member. Multiple roles to which this role will be added as a member |
| can be specified by writing multiple |
| <option>-g</option> switches. |
| </para> |
| </listitem> |
| </varlistentry> |
| |
| <varlistentry> |
| <term><option>-i</option></term> |
| <term><option>--inherit</option></term> |
| <listitem> |
| <para> |
| The new role will automatically inherit privileges of roles |
| it is a member of. |
| This is the default. |
| </para> |
| </listitem> |
| </varlistentry> |
| |
| <varlistentry> |
| <term><option>-I</option></term> |
| <term><option>--no-inherit</option></term> |
| <listitem> |
| <para> |
| The new role will not automatically inherit privileges of roles |
| it is a member of. |
| </para> |
| </listitem> |
| </varlistentry> |
| |
| <varlistentry> |
| <term><option>--interactive</option></term> |
| <listitem> |
| <para> |
| Prompt for the user name if none is specified on the command line, and |
| also prompt for whichever of the options |
| <option>-d</option>/<option>-D</option>, |
| <option>-r</option>/<option>-R</option>, |
| <option>-s</option>/<option>-S</option> is not specified on the command |
| line. (This was the default behavior up to PostgreSQL 9.1.) |
| </para> |
| </listitem> |
| </varlistentry> |
| |
| <varlistentry> |
| <term><option>-l</option></term> |
| <term><option>--login</option></term> |
| <listitem> |
| <para> |
| The new user will be allowed to log in (that is, the user name |
| can be used as the initial session user identifier). |
| This is the default. |
| </para> |
| </listitem> |
| </varlistentry> |
| |
| <varlistentry> |
| <term><option>-L</option></term> |
| <term><option>--no-login</option></term> |
| <listitem> |
| <para> |
| The new user will not be allowed to log in. |
| (A role without login privilege is still useful as a means of |
| managing database permissions.) |
| </para> |
| </listitem> |
| </varlistentry> |
| |
| <varlistentry> |
| <term><option>-P</option></term> |
| <term><option>--pwprompt</option></term> |
| <listitem> |
| <para> |
| If given, <application>createuser</application> will issue a prompt for |
| the password of the new user. This is not necessary if you do not plan |
| on using password authentication. |
| </para> |
| </listitem> |
| </varlistentry> |
| |
| <varlistentry> |
| <term><option>-r</option></term> |
| <term><option>--createrole</option></term> |
| <listitem> |
| <para> |
| The new user will be allowed to create new roles (that is, |
| this user will have <literal>CREATEROLE</literal> privilege). |
| </para> |
| </listitem> |
| </varlistentry> |
| |
| <varlistentry> |
| <term><option>-R</option></term> |
| <term><option>--no-createrole</option></term> |
| <listitem> |
| <para> |
| The new user will not be allowed to create new roles. This is the |
| default. |
| </para> |
| </listitem> |
| </varlistentry> |
| |
| <varlistentry> |
| <term><option>-s</option></term> |
| <term><option>--superuser</option></term> |
| <listitem> |
| <para> |
| The new user will be a superuser. |
| </para> |
| </listitem> |
| </varlistentry> |
| |
| <varlistentry> |
| <term><option>-S</option></term> |
| <term><option>--no-superuser</option></term> |
| <listitem> |
| <para> |
| The new user will not be a superuser. This is the default. |
| </para> |
| </listitem> |
| </varlistentry> |
| |
| <varlistentry> |
| <term><option>-V</option></term> |
| <term><option>--version</option></term> |
| <listitem> |
| <para> |
| Print the <application>createuser</application> version and exit. |
| </para> |
| </listitem> |
| </varlistentry> |
| |
| <varlistentry> |
| <term><option>--replication</option></term> |
| <listitem> |
| <para> |
| The new user will have the <literal>REPLICATION</literal> privilege, |
| which is described more fully in the documentation for <xref |
| linkend="sql-createrole"/>. |
| </para> |
| </listitem> |
| </varlistentry> |
| |
| <varlistentry> |
| <term><option>--no-replication</option></term> |
| <listitem> |
| <para> |
| The new user will not have the <literal>REPLICATION</literal> |
| privilege, which is described more fully in the documentation for <xref |
| linkend="sql-createrole"/>. |
| </para> |
| </listitem> |
| </varlistentry> |
| |
| <varlistentry> |
| <term><option>-?</option></term> |
| <term><option>--help</option></term> |
| <listitem> |
| <para> |
| Show help about <application>createuser</application> command line |
| arguments, and exit. |
| </para> |
| </listitem> |
| </varlistentry> |
| |
| </variablelist> |
| </para> |
| |
| <para> |
| <application>createuser</application> also accepts the following |
| command-line arguments for connection parameters: |
| |
| <variablelist> |
| <varlistentry> |
| <term><option>-h <replaceable class="parameter">host</replaceable></option></term> |
| <term><option>--host=<replaceable class="parameter">host</replaceable></option></term> |
| <listitem> |
| <para> |
| Specifies the host name of the machine on which the |
| server |
| is running. If the value begins with a slash, it is used |
| as the directory for the Unix domain socket. |
| </para> |
| </listitem> |
| </varlistentry> |
| |
| <varlistentry> |
| <term><option>-p <replaceable class="parameter">port</replaceable></option></term> |
| <term><option>--port=<replaceable class="parameter">port</replaceable></option></term> |
| <listitem> |
| <para> |
| Specifies the TCP port or local Unix domain socket file |
| extension on which the server |
| is listening for connections. |
| </para> |
| </listitem> |
| </varlistentry> |
| |
| <varlistentry> |
| <term><option>-U <replaceable class="parameter">username</replaceable></option></term> |
| <term><option>--username=<replaceable class="parameter">username</replaceable></option></term> |
| <listitem> |
| <para> |
| User name to connect as (not the user name to create). |
| </para> |
| </listitem> |
| </varlistentry> |
| |
| <varlistentry> |
| <term><option>-w</option></term> |
| <term><option>--no-password</option></term> |
| <listitem> |
| <para> |
| Never issue a password prompt. If the server requires |
| password authentication and a password is not available by |
| other means such as a <filename>.pgpass</filename> file, the |
| connection attempt will fail. This option can be useful in |
| batch jobs and scripts where no user is present to enter a |
| password. |
| </para> |
| </listitem> |
| </varlistentry> |
| |
| <varlistentry> |
| <term><option>-W</option></term> |
| <term><option>--password</option></term> |
| <listitem> |
| <para> |
| Force <application>createuser</application> to prompt for a |
| password (for connecting to the server, not for the |
| password of the new user). |
| </para> |
| |
| <para> |
| This option is never essential, since |
| <application>createuser</application> will automatically prompt |
| for a password if the server demands password authentication. |
| However, <application>createuser</application> will waste a |
| connection attempt finding out that the server wants a password. |
| In some cases it is worth typing <option>-W</option> to avoid the extra |
| connection attempt. |
| </para> |
| </listitem> |
| </varlistentry> |
| </variablelist> |
| </para> |
| </refsect1> |
| |
| |
| <refsect1> |
| <title>Environment</title> |
| |
| <variablelist> |
| <varlistentry> |
| <term><envar>PGHOST</envar></term> |
| <term><envar>PGPORT</envar></term> |
| <term><envar>PGUSER</envar></term> |
| |
| <listitem> |
| <para> |
| Default connection parameters |
| </para> |
| </listitem> |
| </varlistentry> |
| |
| <varlistentry> |
| <term><envar>PG_COLOR</envar></term> |
| <listitem> |
| <para> |
| Specifies whether to use color in diagnostic messages. Possible values |
| are <literal>always</literal>, <literal>auto</literal> and |
| <literal>never</literal>. |
| </para> |
| </listitem> |
| </varlistentry> |
| </variablelist> |
| |
| <para> |
| This utility, like most other <productname>PostgreSQL</productname> utilities, |
| also uses the environment variables supported by <application>libpq</application> |
| (see <xref linkend="libpq-envars"/>). |
| </para> |
| |
| </refsect1> |
| |
| |
| <refsect1> |
| <title>Diagnostics</title> |
| |
| <para> |
| In case of difficulty, see <xref linkend="sql-createrole"/> |
| and <xref linkend="app-psql"/> for |
| discussions of potential problems and error messages. |
| The database server must be running at the |
| targeted host. Also, any default connection settings and environment |
| variables used by the <application>libpq</application> front-end |
| library will apply. |
| </para> |
| |
| </refsect1> |
| |
| |
| <refsect1> |
| <title>Examples</title> |
| |
| <para> |
| To create a user <literal>joe</literal> on the default database |
| server: |
| <screen> |
| <prompt>$ </prompt><userinput>createuser joe</userinput> |
| </screen> |
| </para> |
| |
| <para> |
| To create a user <literal>joe</literal> on the default database |
| server with prompting for some additional attributes: |
| <screen> |
| <prompt>$ </prompt><userinput>createuser --interactive joe</userinput> |
| <computeroutput>Shall the new role be a superuser? (y/n) </computeroutput><userinput>n</userinput> |
| <computeroutput>Shall the new role be allowed to create databases? (y/n) </computeroutput><userinput>n</userinput> |
| <computeroutput>Shall the new role be allowed to create more new roles? (y/n) </computeroutput><userinput>n</userinput> |
| </screen> |
| </para> |
| |
| <para> |
| To create the same user <literal>joe</literal> using the |
| server on host <literal>eden</literal>, port 5000, with attributes explicitly specified, |
| taking a look at the underlying command: |
| <screen> |
| <prompt>$ </prompt><userinput>createuser -h eden -p 5000 -S -D -R -e joe</userinput> |
| <computeroutput>CREATE ROLE joe NOSUPERUSER NOCREATEDB NOCREATEROLE INHERIT LOGIN;</computeroutput> |
| </screen> |
| </para> |
| |
| <para> |
| To create the user <literal>joe</literal> as a superuser, |
| and assign a password immediately: |
| <screen> |
| <prompt>$ </prompt><userinput>createuser -P -s -e joe</userinput> |
| <computeroutput>Enter password for new role: </computeroutput><userinput>xyzzy</userinput> |
| <computeroutput>Enter it again: </computeroutput><userinput>xyzzy</userinput> |
| <computeroutput>CREATE ROLE joe PASSWORD 'md5b5f5ba1a423792b526f799ae4eb3d59e' SUPERUSER CREATEDB CREATEROLE INHERIT LOGIN;</computeroutput> |
| </screen> |
| In the above example, the new password isn't actually echoed when typed, |
| but we show what was typed for clarity. As you see, the password is |
| encrypted before it is sent to the client. |
| </para> |
| </refsect1> |
| |
| |
| <refsect1> |
| <title>See Also</title> |
| |
| <simplelist type="inline"> |
| <member><xref linkend="app-dropuser"/></member> |
| <member><xref linkend="sql-createrole"/></member> |
| </simplelist> |
| </refsect1> |
| |
| </refentry> |
