On Sat, Aug 19, 2023 at 12:59:47PM -0400, Bruce Momjian wrote:
> On Thu, Aug 17, 2023 at 08:37:28AM +0300, Pavel Luzanov wrote:
> > I can try to explain how I understand it myself.
> > 
> > In v15 and earlier, inheritance of privileges from granted roles depends on
> > the INHERIT attribute of the role:
> > 
> > create user alice;
> > grant pg_read_all_settings to alice;
> > 
> > By default, privileges are inherited:
> > \c - alice
> > show data_directory;
> >        data_directory
> > -----------------------------
> >  /var/lib/postgresql/15/main
> > (1 row)
> > 
> > After disabling the INHERIT attribute, privileges are not inherited:
> > 
> > \c - postgres
> > alter role alice noinherit;
> > 
> > \c - alice
> > show data_directory;
> > ERROR:  must be superuser or have privileges of pg_read_all_settings to
> > examine "data_directory"
> > 
> > In v16 changing INHERIT attribute on alice role doesn't change inheritance
> > behavior of already granted roles.
> > If we repeat the example, Alice still inherits pg_read_all_settings
> > privileges after disabling the INHERIT attribute for the role.
> > 
> > Information for making decisions about role inheritance has been moved from
> > the role attribute to GRANT role TO role [WITH INHERIT|NOINHERIT] command
> > and can be viewed by the new \drg command:
> > 
> > \drg
> >                     List of role grants
> >  Role name |      Member of       |   Options    | Grantor
> > -----------+----------------------+--------------+----------
> >  alice     | pg_read_all_settings | INHERIT, SET | postgres
> > (1 row)
> > 
> > Changing the INHERIT attribute for a role now will affect (as the default
> > value) only future GRANT commands without an INHERIT clause.
> 
> I was able to create this simple example to illustrate it:
> 
>       CREATE ROLE a1;
>       CREATE ROLE a2;
>       CREATE ROLE a3;
>       CREATE ROLE a4;
>       CREATE ROLE b INHERIT;
> 
>       GRANT a1 TO b WITH INHERIT TRUE;
>       GRANT a2 TO b WITH INHERIT FALSE;
> 
>       GRANT a3 TO b;
>       ALTER USER b NOINHERIT;
>       GRANT a4 TO b;
> 
>       \drg
>                      List of role grants
>        Role name | Member of |   Options    | Grantor
>       -----------+-----------+--------------+----------
>        b         | a1        | INHERIT, SET | postgres
>        b         | a2        | SET          | postgres
>        b         | a3        | INHERIT, SET | postgres
>        b         | a4        | SET          | postgres
> 
> I will work on the release notes adjustments for this and reply in a few
> days.

Attached is an applied patch that moves the inherit item into
incompatibilities, clarifies it, and splits out the ADMIN syntax item.

Please let me know if I need any other changes.  Thanks.

-- 
  Bruce Momjian  <br...@momjian.us>        https://momjian.us
  EDB                                      https://enterprisedb.com

  Only you can decide what is important to you.
diff --git a/doc/src/sgml/release-16.sgml b/doc/src/sgml/release-16.sgml
index c9c4fc07ca..c4ae566900 100644
--- a/doc/src/sgml/release-16.sgml
+++ b/doc/src/sgml/release-16.sgml
@@ -229,6 +229,24 @@ Collations and locales can vary between databases so having them as read-only se
 </para>
 </listitem>
 
+<!--
+Author: Robert Haas <rh...@postgresql.org>
+2022-08-25 [e3ce2de09] Allow grant-level control of role inheritance behavior.
+-->
+
+<listitem>
+<para>
+Role inheritance now controls the default inheritance status of member roles added during <link linkend="sql-grant"><command>GRANT</command></link> (Robert Haas)
+</para>
+
+<para>
+The role's default inheritance behavior can be overridden with the new <command>GRANT ... WITH INHERIT</command> clause.
+This allows inheritance of some roles and not others because the members' inheritance status is set at <command>GRANT</command> time.
+Previously the inheritance status of member roles was controlled only by the role's inheritance status, and
+changes to a role's inheritance status affected all previous and future member roles.
+</para>
+</listitem>
+
 <!--
 Author: Robert Haas <rh...@postgresql.org>
 2023-01-10 [cf5eb37c5] Restrict the privileges of CREATEROLE users.
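Review bot: the opening sentence of the new item, "Role inheritance now controls the default inheritance status of member roles added during GRANT", does not say whose INHERIT attribute is meant and does not state the incompatibility itself, namely that ALTER ROLE ... INHERIT/NOINHERIT no longer changes memberships that were already granted. Suggest leading with that, e.g. "A role's INHERIT attribute now only sets the default for later GRANT commands that have no WITH INHERIT clause; changing it no longer affects existing memberships." That is exactly what the quoted examples show (b keeps INHERIT on a1 and a3 after ALTER USER b NOINHERIT), and it is the point a reader upgrading from v15 needs to catch.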
@@ -814,11 +832,11 @@ Author: Robert Haas <rh...@postgresql.org>
 
 <listitem>
 <para>
-Allow <link linkend="sql-grant"><command>GRANT</command></link> to control role inheritance behavior (Robert Haas)
+Allow <link linkend="sql-grant"><command>GRANT</command></link> to use <literal>WITH ADMIN TRUE</literal>/<literal>FALSE</literal> syntax (Robert Haas)
 </para>
 
 <para>
-By default, role inheritance is controlled by the inheritance status of the member role.  The new <command>GRANT</command> clauses <literal>WITH INHERIT</literal> and <literal>WITH ADMIN</literal> can now override this.
+Previously only the <literal>WITH ADMIN OPTION</literal> syntax was supported.
 </para>
 </listitem>
 
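Review bot: the replacement paragraph, "Previously only the WITH ADMIN OPTION syntax was supported.", says what the old form was but not what the new form means, so a reader who skips the title does not learn that WITH ADMIN TRUE is the new spelling or whether WITH ADMIN OPTION is still accepted. Suggest stating it explicitly, e.g. "WITH ADMIN TRUE is equivalent to WITH ADMIN OPTION, which remains supported", if that is the case. Dropping the WITH INHERIT mention from this item is fine only because it now lives in the new incompatibilities item, so the two items should spell the clause the same way.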

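The v16 behavior described in the quoted messages, as an added audit example that is not part of the thread or the patch: it assumes a v16 server and a superuser session, and the roles reader and audit_target are made up. It reads the same catalog columns that \drg reports and then checks the effective result with pg_has_role, which comes back true for pg_read_all_settings and pg_read_all_stats but false for audit_target.

```sql
-- Added example, not from the thread or the patch.  Assumes a v16 server and
-- a superuser session; the roles "reader" and "audit_target" are made up.
CREATE ROLE audit_target;
CREATE ROLE reader INHERIT;

-- No WITH INHERIT clause: the default comes from reader's INHERIT attribute (on).
GRANT pg_read_all_settings TO reader;

-- In v15 this would have stopped reader inheriting anything; in v16 it only
-- changes the default for grants made from here on.
ALTER ROLE reader NOINHERIT;

-- No clause, so this membership is recorded as NOINHERIT ...
GRANT audit_target TO reader;
-- ... while an explicit clause overrides the attribute whatever its value.
GRANT pg_read_all_stats TO reader WITH INHERIT TRUE;

-- What \drg prints, read straight from the catalog.  inherit_option and
-- set_option are pg_auth_members columns new in v16; rolinherit is the
-- attribute that decided everything in v15 and earlier.
SELECT m.rolname        AS member,
       r.rolname        AS member_of,
       am.inherit_option,
       am.set_option,
       am.admin_option,
       m.rolinherit     AS member_attribute_now
FROM   pg_auth_members am
JOIN   pg_roles r ON r.oid = am.roleid
JOIN   pg_roles m ON m.oid = am.member
WHERE  m.rolname = 'reader'
ORDER  BY member_of;

-- Effective check, independent of how the grants are recorded: USAGE asks
-- whether the privileges are available without SET ROLE, i.e. inherited.
SELECT pg_has_role('reader', 'pg_read_all_settings', 'USAGE') AS settings_inherited,
       pg_has_role('reader', 'pg_read_all_stats',    'USAGE') AS stats_inherited,
       pg_has_role('reader', 'audit_target',         'USAGE') AS audit_target_inherited;

-- Cleanup.
DROP ROLE reader;
DROP ROLE audit_target;
```

Running the catalog query against a database restored from v15 is a quick way to confirm that memberships created before the upgrade carry the inherit_option you expect.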