Re: pg_auth_members.grantor is bunk

On Thu, Jul 28, 2022 at 5:17 PM David G. Johnston
<david(dot)g(dot)johnston(at)gmail(dot)com> wrote:
> I suggest changing \du memberof to output something like this:
>
> rolname | memberof
> ---------+------------------------------------
> vagrant | {}
> r | {q:admin/vagrant}
> t | {q:admin/vagrant,s:member/vagrant}
>
> (needs sorting, tried to model it after ACL - column privileges specifically)

I don't know. I agree with you that we should probably think about
changing the \du output, but I'm not sure if I like this particular
idea about how to do it. I mean, the ACL format that we use for tables
and other objects is basically an internal format which we throw at
the user, hoping they'll know how to interpret it. I don't know if
it's what we should pick when we don't have that kind of internal
format already. On the other hand, consistency is worth something, and
I'm not sure that I have a better idea.

https://commitfest.postgresql.org/38/3744/ might affect what we want
to do here, too.

> If we aren't dead set on having \du and \dg be aliases for each other I'd rather redesign \dg (or add a new meta-command) to be a group-centric view of this exact same data instead of user-centric one. Namely it has a "members" column instead of "memberof" and have it output, one line per member:
>
> user=[admin|member]/grantor

That seems like a topic for a separate thread, but I agree that a
flipped view of this data would be more useful than using two letters
of the alphabet for exactly the same thing, especially given that
we're pretty short on unused letters.

> I don't have any meaningful insight as to breaking things with these changes but I am strongly in favor of tightening this up and formalizing it.

Cool.

--
Robert Haas
EDB: http://www.enterprisedb.com