Re: replacing role-level NOINHERIT with a grant-level option

On Sat, Jul 02, 2022 at 11:04:28PM -0400, Robert Haas wrote:
> On Sat, Jul 2, 2022 at 6:16 PM Nathan Bossart <nathandbossart(at)gmail(dot)com> wrote:
>> I was thinking that when DEFAULT was removed, pg_dump would just need to
>> generate WITH INHERIT TRUE/FALSE based on the value of rolinherit for older
>> versions. Using the role-level property as the default for future grants
>> seems a viable strategy, although it would break backward compatibility.
>> For example, if I create a NOINHERIT role, grant a bunch of roles to it,
>> and then change it to INHERIT, the role won't begin inheriting the
>> privileges of the roles it is a member of. Right now, it does.
>
> I think the idea you propose here is interesting, because I think it
> proves that committing v2 or something like it doesn't really lock us
> into the role-level property any more than we already are, which at
> least makes me feel slightly less bad about that option. However, if
> there's implacable opposition to any compatibility break at any point,
> then maybe this plan would never actually be implemented in practice.
> And if there's not, maybe we can be bolder now.

If by "bolder" you mean "mark [NO]INHERIT as deprecated-and-to-be-removed
and begin emitting WARNINGs when it and WITH INHERIT DEFAULT are used," I
think it's worth consideration. I suspect it will be hard to sell removing
[NO]INHERIT in v16 because it would introduce a compatibility break without
giving users much time to migrate. I could be wrong, though.

--
Nathan Bossart
Amazon Web Services: https://aws.amazon.com