From 976d5c9104dc58eddecc1c3e97a1ae913c28fd8c Mon Sep 17 00:00:00 2001 From: Rich Loveland Date: Wed, 29 Oct 2025 14:13:39 -0400 Subject: [PATCH] Allow DB owner to set session var defaults in DB Fixes DOC-14457 --- src/current/v25.4/alter-database.md | 8 ++++++-- src/current/v25.4/alter-role.md | 3 +++ 2 files changed, 9 insertions(+), 2 deletions(-) diff --git a/src/current/v25.4/alter-database.md b/src/current/v25.4/alter-database.md index 4f4dfe3cde4..2e96d90b54b 100644 --- a/src/current/v25.4/alter-database.md +++ b/src/current/v25.4/alter-database.md @@ -355,7 +355,9 @@ For usage, see [Synopsis](#synopsis). #### Required privileges -No [privileges]({% link {{ page.version.version }}/security-reference/authorization.md %}#managing-privileges) are required to reset a session setting. +To reset default session variable values for a database with `ALTER DATABASE ... RESET {session variable}`, the user must be a member of the [`admin` role]({% link {{ page.version.version }}/security-reference/authorization.md %}#admin-role) or the [owner]({% link {{ page.version.version }}/security-reference/authorization.md %}#object-ownership) of the target database. + +All other session variables do not require [privileges]({% link {{ page.version.version }}/security-reference/authorization.md %}#managing-privileges) to modify. #### Parameters 
@@ -379,7 +381,9 @@ In CockroachDB, the following are aliases for `ALTER DATABASE ... RESET {session #### Required privileges -To set the `role` session variable, the current user must be a member of the `admin` role, or a member of the target role. +To set default session variable values for a database with `ALTER DATABASE ... SET {session variable}`, the user must be a member of the [`admin` role]({% link {{ page.version.version }}/security-reference/authorization.md %}#admin-role) or the [owner]({% link {{ page.version.version }}/security-reference/authorization.md %}#object-ownership) of the target database. + +Additionally, to set the `role` session variable, the current user must be a member of the `admin` role or a member of the target role. All other session variables do not require [privileges]({% link {{ page.version.version }}/security-reference/authorization.md %}#managing-privileges) to modify. diff --git a/src/current/v25.4/alter-role.md b/src/current/v25.4/alter-role.md index 883bb829b8f..5f3bf625b60 100644 --- a/src/current/v25.4/alter-role.md +++ b/src/current/v25.4/alter-role.md 
@@ -23,6 +23,7 @@ Password creation and alteration is supported only in secure clusters. - To alter an [`admin` role]({% link {{ page.version.version }}/security-reference/authorization.md %}#admin-role), the user must be a member of the `admin` role. - To alter other roles, the user must be a member of the `admin` role or have the [`CREATEROLE`]({% link {{ page.version.version }}/create-role.md %}#create-a-role-that-can-create-other-roles-and-manage-authentication-methods-for-the-new-roles) [role option](#role-options). +- {% include_cached new-in.html version="v25.4" %} For [per-database defaults](#set-default-session-variable-values-for-a-specific-database), the [owner]({% link {{ page.version.version }}/security-reference/authorization.md %}#object-ownership) of a database can execute `ALTER ROLE ALL IN DATABASE ... {SET|RESET}` for that database (in addition to users who meet the general requirements above). ## Synopsis @@ -228,6 +229,8 @@ SHOW statement_timeout; In the following example, the `root` user creates a database named `movr`, and sets the default value of the `timezone` [session variable]({% link {{ page.version.version }}/set-vars.md %}#supported-variables) for all roles in that database. +{% include_cached new-in.html version="v25.4" %} The [owner]({% link {{ page.version.version }}/security-reference/authorization.md %}#object-ownership) of a database can also execute `ALTER ROLE ALL IN DATABASE ... {SET|RESET}` for that database. + ~~~ sql CREATE DATABASE IF NOT EXISTS movr; ~~~
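Review bot: In the `alter-database.md` hunk at `@@ -355,7 +355,9 @@` (RESET, "Required privileges"), the added sentence "All other session variables do not require privileges to modify" has no antecedent. The sentence before it names a statement form (`ALTER DATABASE ... RESET {session variable}`), not a particular variable, so "other" can be read as exempting every variable from the admin-or-owner requirement just stated. Suggest saying which operation remains unprivileged, or dropping the sentence. Also, neither `alter-database.md` hunk carries the `new-in.html version="v25.4"` include that both `alter-role.md` hunks use for the owner rule; if the owner path is new in this version for `ALTER DATABASE` as well, tag it the same way.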
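Review bot: In the `alter-database.md` hunk at `@@ -379,7 +381,9 @@` (SET, "Required privileges"), the unchanged trailing line "All other session variables do not require privileges to modify" now contradicts the new first sentence, which requires `admin` membership or database ownership for any `ALTER DATABASE ... SET {session variable}`. A reader checking who may change database-wide defaults could take that last line as the rule. Suggest rewording or removing the context line as part of this change, so the section states one requirement for the statement and presents the `role` rule as an extra condition on top of it.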
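Review bot: The new bullet in the `alter-role.md` hunk at `@@ -23,6 +23,7 @@` names only `ALTER ROLE ALL IN DATABASE ... {SET|RESET}`, so it does not say whether a database owner can also change defaults for a single named role in that database. Because this bullet widens who can alter role defaults, state the scope explicitly: whether the single-role form is included or excluded, and that ownership of one database grants nothing for other databases or for the other `ALTER ROLE` operations covered by the two bullets above.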
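Review bot: In the `alter-role.md` hunk at `@@ -228,6 +229,8 @@`, the added sentence sits between the example's introduction ("In the following example, the `root` user creates a database named `movr` ...") and its `~~~ sql` block, and it repeats the bullet added under the privileges list. The example still runs as `root`, so it does not show the owner path the sentence describes. Suggest moving the sentence after the example, or replacing it with a link back to the privileges list, so the introduction stays attached to its code.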