From: | "Bossart, Nathan" <bossartn(at)amazon(dot)com> |
---|---|
To: | Joshua Brindle <joshua(dot)brindle(at)crunchydata(dot)com>, "pgsql-hackers(at)lists(dot)postgresql(dot)org" <pgsql-hackers(at)lists(dot)postgresql(dot)org> |
Subject: | Re: [PATCH] Conflation of member/privs for predefined roles |
Date: | 2021-10-27 17:20:09 |
Message-ID: | 09EBC0F6-5DC7-4EC4-913F-5898DC21453B@amazon.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
On 10/26/21, 3:50 PM, "Joshua Brindle" <joshua(dot)brindle(at)crunchydata(dot)com> wrote:
> Generally if a role is granted membership to another role with NOINHERIT
> they must use SET ROLE to access the privileges of that role, however
> with predefined roles the membership and privilege is conflated, as
> demonstrated by:
I think it makes sense that INHERIT/NOINHERIT should be respected for
the predefined roles. I went through some of the old threads and
commits for predefined roles, and I didn't find any mention of
inheritance, so there might not be a strong reason it was done this
way.
I saw a few places in the docs that will likely need to be updated as
well. For example, pg_freespacemap has this note:
By default use is restricted to superusers and members of the pg_stat_scan_tables role.
And I found at least one test (rolenames.sql) that fails due to the
new ERROR message.
Nathan
From | Date | Subject | |
---|---|---|---|
Next Message | Joshua Brindle | 2021-10-27 17:27:14 | Re: [PATCH] Conflation of member/privs for predefined roles |
Previous Message | Joshua Brindle | 2021-10-27 17:17:38 | Re: [PATCH] remove is_member_of_role() from header, add can_set_role() |