| From: | "David G(dot) Johnston" <david(dot)g(dot)johnston(at)gmail(dot)com> |
|---|---|
| To: | Dominique Devienne <ddevienne(at)gmail(dot)com> |
| Cc: | pgsql-general(at)lists(dot)postgresql(dot)org |
| Subject: | Re: New SET privilege for pg_has_role() in v16+ |
| Date: | 2024-01-02 16:33:10 |
| Message-ID: | CAKFQuwa-M2sgkTHWfW3xBbr=kzpH=J2H-7rCMS9TRhPRN8j2pw@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
On Tue, Jan 2, 2024 at 9:21 AM Dominique Devienne <ddevienne(at)gmail(dot)com>
wrote:
> On Tue, Jan 2, 2024 at 5:11 PM David G. Johnston <
> david(dot)g(dot)johnston(at)gmail(dot)com> wrote:
>
>> On Tue, Jan 2, 2024 at 8:25 AM Dominique Devienne <ddevienne(at)gmail(dot)com>
>> wrote:
>>
>>> pg_has_role() from
>>> https://www.postgresql.org/docs/current/functions-info.html
>>> added the 'SET' privilege in v16, and on top of the existing 'MEMBER'
>>> and 'USAGE' ones:
>>>
>>
>
>> Membership no longer does anything by itself.
>>
>
> OK! That's news to me, I must go back to the v16 (?) release notes and
> learn more about this.
>
>
>> Both inherit and set capabilities are now individually controlled
>> permissions related to membership.
>>
>
> Hmmm, what drove this change? (I guess I'm getting back to the rationale
> from earlier).
> The previous model was not granular enough?
> And the new one is as granular as it gets?
>
Essentially yes. Inherit used to be a property of a role and not a
specific membership which was deemed undesirable. We were fixing up the
broken CREATEROLE attribute and felt these improvements were needed as
well. Once inherit became optional per-membership it made sense to treat
set the same way.
David J.
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Adrian Klaver | 2024-01-02 16:40:21 | Re: New SET privilege for pg_has_role() in v16+ |
| Previous Message | Dominique Devienne | 2024-01-02 16:21:32 | Re: New SET privilege for pg_has_role() in v16+ |