On 4/25/19 11:25 AM, Steven Winfield wrote:
> Again, that's much clearer than what is currently there. It might help
> if some of the language/definitions from pg_has_role() is used, though.
>
> For example:
> A role X is a "MEMBER" of another role Y if there is a chain of GRANTs
> from X to Y via zero or more intermediate roles. This allows X to
> execute "SET ROLE Y".
> Additionally X has "USAGE" of Y if X and all the intermediate roles (but
> *not* necessarily Y) are marked INHERIT. In this case X automatically
> has the privileges of Y, without the need to "SET ROLE Y".
I've been whacking this around for the better part of the afternoon and
came up with the attached. I think it is correct, and better than my
previous proposal, but possibly need more polish. Comments welcome.
> * A role's attributes are not inherited by its members - SUPERUSER,
> CREATEROLE, etc. The CREATE ROLE docs refer to these things as both
> "attributes" and "privileges", which is a bit unhelpful. It would be
> better to refer to them only as "attributes" everywhere, so it is clear
> that "attributes" are never inherited whereas "privileges" can be inherited.
Sounds reasonable but probably a separate patch.
Joe
--
Crunchy Data - http://crunchydata.com
PostgreSQL Support for Secure Enterprises
Consulting, Training, & Open Source Development