From: | Bruce Momjian <bruce(at)momjian(dot)us> |
---|---|
To: | Pavel Luzanov <p(dot)luzanov(at)postgrespro(dot)ru> |
Cc: | Noah Misch <noah(at)leadboat(dot)com>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>, Robert Haas <robertmhaas(at)gmail(dot)com> |
Subject: | Re: PG 16 draft release notes ready |
Date: | 2023-08-19 16:59:47 |
Message-ID: | ZOD1Axx4p2lz0KmT@momjian.us |
Lists: | pgsql-hackers |
On Thu, Aug 17, 2023 at 08:37:28AM +0300, Pavel Luzanov wrote:
> On 17.08.2023 05:36, Bruce Momjian wrote:
> > On Wed, Aug 9, 2023 at 08:35:21PM -0400, Bruce Momjian wrote:
> > > On Sat, Aug 5, 2023 at 04:08:47PM -0700, Noah Misch wrote:
> > > > > Author: Robert Haas <rhaas(at)postgresql(dot)org>
> > > > > 2022-08-25 [e3ce2de09] Allow grant-level control of role inheritance behavior.
> > > > > -->
> > > > >
> > > > > <listitem>
> > > > > <para>
> > > > > Allow GRANT to control role inheritance behavior (Robert Haas)
> > > > > </para>
> > > > >
> > > > > <para>
> > > > > By default, role inheritance is controlled by the inheritance status of the member role. The new GRANT clauses WITH INHERIT and WITH ADMIN can now override this.
> > > > > </para>
> > > > > </listitem>
> > > > >
> > > > > <!--
> > > > > Author: Robert Haas <rhaas(at)postgresql(dot)org>
> > > > > 2023-01-10 [e5b8a4c09] Add new GUC createrole_self_grant.
> > > > > Author: Daniel Gustafsson <dgustafsson(at)postgresql(dot)org>
> > > > > 2023-02-22 [e00bc6c92] doc: Add default value of createrole_self_grant
> > > > > -->
> > > > >
> > > > > <listitem>
> > > > > <para>
> > > > > Allow roles that create other roles to automatically inherit the new role's rights or SET ROLE to the new role (Robert Haas, Shi Yu)
> > > > > </para>
> > > > >
> > > > > <para>
> > > > > This is controlled by server variable createrole_self_grant.
> > > > > </para>
> > > > > </listitem>
> > > > Similarly, v16 radically changes the CREATE ROLE ... WITH INHERIT clause. The
> > > > clause used to "change the behavior of already-existing grants." Let's merge
> > > > these two and move the combination to the incompatibilities section.
> > > I need help with this. I don't understand how they can be combined, and
> > > I don't understand the incompatibility text in commit e3ce2de09d:
> > >
> > > If a GRANT does not specify WITH INHERIT, the behavior based on
> > > whether the member role is marked INHERIT or NOINHERIT. This means
> > > that if all roles are marked INHERIT or NOINHERIT before any role
> > > grants are performed, the behavior is identical to what we had before;
> > > otherwise, it's different, because ALTER ROLE [NO]INHERIT now only
> > > changes the default behavior of future grants, and has no effect on
> > > existing ones.
> > I am waiting for an answer to this question, or can I assume the release
> > notes are acceptable?
>
> I can try to explain how I understand it myself.
>
> In v15 and earlier, inheritance of privileges granted to a role depends on
> the INHERIT attribute of the role:
>
> create user alice;
> grant pg_read_all_settings to alice;
>
> By default privileges are inherited:
> \c - alice
> show data_directory;
> data_directory
> -----------------------------
> /var/lib/postgresql/15/main
> (1 row)
>
> After disabling the INHERIT attribute, privileges are not inherited:
>
> \c - postgres
> alter role alice noinherit;
>
> \c - alice
> show data_directory;
> ERROR: must be superuser or have privileges of pg_read_all_settings to
> examine "data_directory"
>
> In v16, changing the INHERIT attribute on the alice role doesn't change the
> inheritance behavior of already granted roles.
> If we repeat the example, Alice still inherits the pg_read_all_settings
> privileges after disabling the INHERIT attribute for the role.
>
> Information for making decisions about role inheritance has been moved from
> the role attribute to the GRANT role TO role [WITH INHERIT|NOINHERIT] command
> and can be viewed with the new \drg command:
>
> \drg
> List of role grants
> Role name | Member of | Options | Grantor
> -----------+----------------------+--------------+----------
> alice | pg_read_all_settings | INHERIT, SET | postgres
> (1 row)
>
> Changing the INHERIT attribute for a role now will affect (as the default
> value) only future GRANT commands without an INHERIT clause.
I was able to create this simple example to illustrate it:
CREATE ROLE a1;
CREATE ROLE a2;
CREATE ROLE a3;
CREATE ROLE a4;
CREATE ROLE b INHERIT;
GRANT a1 TO b WITH INHERIT TRUE;
GRANT a2 TO b WITH INHERIT FALSE;
GRANT a3 TO b;
ALTER USER b NOINHERIT;
GRANT a4 TO b;
\drg
List of role grants
Role name | Member of | Options | Grantor
-----------+-----------+--------------+----------
b | a1 | INHERIT, SET | postgres
b | a2 | SET | postgres
b | a3 | INHERIT, SET | postgres
b | a4 | SET | postgres
I will work on the release notes adjustments for this and reply in a few
days.
--
Bruce Momjian <bruce(at)momjian(dot)us> https://momjian.us
EDB https://enterprisedb.com
Only you can decide what is important to you.
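The incompatibility discussed in this thread, as an added example that is not part of the original message or of the PostgreSQL project's own documentation: it shows on a v16 server that ALTER ROLE ... NOINHERIT no longer revokes inherited access through an existing grant, how to audit which memberships in predefined pg_* roles actually inherit privileges (using the pg_auth_members.inherit_option/set_option columns and the 'SET' privilege of pg_has_role(), both new in v16), and how to switch an existing membership off at the grant level. The role name sec_audit is an assumption; pg_read_server_files is a real predefined role and is used here only because it is a sensitive one an operator would want to audit. Run it as a superuser in psql.

```sql
-- Added example, not from the original message.  Requires PostgreSQL 16:
-- pg_auth_members.inherit_option / set_option and pg_has_role(..., 'SET')
-- do not exist in earlier releases.  The role name sec_audit is an assumption.

CREATE ROLE sec_audit LOGIN;               -- INHERIT is the default attribute
-- No WITH INHERIT clause: the grant takes its inherit option from the
-- member's INHERIT attribute at the moment the grant is made.
GRANT pg_read_server_files TO sec_audit;

-- Before v16 this cut off all inherited privileges of sec_audit.  In v16
-- it only changes the default for future grants; the grant above is untouched.
ALTER ROLE sec_audit NOINHERIT;

-- Does sec_audit still inherit pg_read_server_files?  'USAGE' means the
-- privileges are usable without SET ROLE; 'SET' means SET ROLE is allowed.
SELECT pg_has_role('sec_audit', 'pg_read_server_files', 'USAGE') AS inherits,
       pg_has_role('sec_audit', 'pg_read_server_files', 'SET')   AS can_set_role;

-- Audit query: every membership in a predefined pg_* role that actually
-- inherits privileges, with the grant-level options that now decide it.
-- This is the same information \drg shows, restricted to sensitive targets.
SELECT m.rolname AS member,
       r.rolname AS member_of,
       m.rolinherit AS member_inherit_attr,   -- now only a default for new grants
       am.inherit_option,
       am.set_option,
       am.admin_option,
       g.rolname AS grantor
FROM pg_auth_members am
JOIN pg_roles m ON m.oid = am.member
JOIN pg_roles r ON r.oid = am.roleid
JOIN pg_roles g ON g.oid = am.grantor
WHERE r.rolname LIKE 'pg\_%'
  AND am.inherit_option
ORDER BY member, member_of;

-- To stop inheritance through an existing grant in v16, change the grant
-- itself rather than the role attribute.  REVOKE + GRANT works on any
-- version; SET FALSE additionally blocks SET ROLE, leaving bare membership.
REVOKE pg_read_server_files FROM sec_audit;
GRANT pg_read_server_files TO sec_audit WITH INHERIT FALSE, SET FALSE;

SELECT pg_has_role('sec_audit', 'pg_read_server_files', 'MEMBER') AS is_member,
       pg_has_role('sec_audit', 'pg_read_server_files', 'USAGE')  AS inherits,
       pg_has_role('sec_audit', 'pg_read_server_files', 'SET')    AS can_set_role;

DROP ROLE sec_audit;
```

On v16 the first SELECT reports inherits = true even though the role is now NOINHERIT, which is the behavior Pavel demonstrates with alice above; after the REVOKE and re-GRANT, is_member is true while inherits and can_set_role are false. The practical consequence for anyone who used ALTER ROLE ... NOINHERIT as a quick way to disable a member's access: on v16 that no longer works for grants that already exist, so a migration should review the audit query's output and fix offending grants with WITH INHERIT FALSE.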