Robert Haas <robertmhaas@gmail.com> writes:
> Is this a kind of change people would support? Here's a quick sketch:
> 1. Extend the GRANT role_name TO role_name [ WITH ADMIN OPTION ] with
> a new, optional clause, something like WITH NO INHERIT or WITH
> NOINHERIT or WITHOUT INHERIT.
> 2. Remove the INHERIT | NOINHERIT flag from CREATE ROLE and ALTER ROLE.
> 3. Replace pg_authid.rolinherit with pg_auth_members.inherit. Any
> place where we would have considered rolinherit, instead consider the
> inherit flag for the particular pg_auth_members entry at issue.
> 4. When dumping from an old version, dump all grants to NOINHERIT
> roles as non-inheritable grants.
Point 2 would cause every existing pg_dumpall script to fail, which
seems like kind of a large gotcha. Less unpleasant alternatives
could include
* Continue to accept the syntax, but ignore it, maybe with a WARNING
for the alternative that doesn't correspond to the new behavior.
* Keep pg_authid.rolinherit, and have it act as supplying the default
behavior for subsequent GRANTs to that role.
Perhaps there are other ways.
regards, tom lane