From: | Bruce Momjian <bruce(at)momjian(dot)us> |
---|---|
To: | Pavel Luzanov <p(dot)luzanov(at)postgrespro(dot)ru> |
Cc: | Noah Misch <noah(at)leadboat(dot)com>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>, Robert Haas <robertmhaas(at)gmail(dot)com> |
Subject: | Re: PG 16 draft release notes ready |
Date: | 2023-08-21 21:58:36 |
Message-ID: | ZOPeDOuH9Gokf7js@momjian.us |
Lists: | pgsql-hackers |
On Sat, Aug 19, 2023 at 12:59:47PM -0400, Bruce Momjian wrote:
> On Thu, Aug 17, 2023 at 08:37:28AM +0300, Pavel Luzanov wrote:
> > I can try to explain how I understand it myself.
> >
> > In v15 and earlier, inheritance of privileges granted to a role depends on
> > the INHERIT attribute of that role:
> >
> > create user alice;
> > grant pg_read_all_settings to alice;
> >
> > By default, privileges are inherited:
> > \c - alice
> > show data_directory;
> > data_directory
> > -----------------------------
> > /var/lib/postgresql/15/main
> > (1 row)
> >
> > After disabling the INHERIT attribute, privileges are not inherited:
> >
> > \c - postgres
> > alter role alice noinherit;
> >
> > \c - alice
> > show data_directory;
> > ERROR: must be superuser or have privileges of pg_read_all_settings to
> > examine "data_directory"
> >
> > In v16 changing INHERIT attribute on alice role doesn't change inheritance
> > behavior of already granted roles.
> > If we repeat the example, Alice still inherits pg_read_all_settings
> > privileges after disabling the INHERIT attribute for the role.
> >
> > Information for making decisions about role inheritance has been moved from
> > the role attribute to GRANT role TO role [WITH INHERIT|NOINHERIT] command
> > and can be viewed by the new \drg command:
> >
> > \drg
> > List of role grants
> > Role name | Member of | Options | Grantor
> > -----------+----------------------+--------------+----------
> > alice | pg_read_all_settings | INHERIT, SET | postgres
> > (1 row)
> >
> > Changing the INHERIT attribute for a role now will affect (as the default
> > value) only future GRANT commands without an INHERIT clause.
>
> I was able to create this simple example to illustrate it:
>
> CREATE ROLE a1;
> CREATE ROLE a2;
> CREATE ROLE a3;
> CREATE ROLE a4;
> CREATE ROLE b INHERIT;
>
> GRANT a1 TO b WITH INHERIT TRUE;
> GRANT a2 TO b WITH INHERIT FALSE;
>
> GRANT a3 TO b;
> ALTER USER b NOINHERIT;
> GRANT a4 TO b;
>
> \drg
> List of role grants
> Role name | Member of | Options | Grantor
> -----------+-----------+--------------+----------
> b | a1 | INHERIT, SET | postgres
> b | a2 | SET | postgres
> b | a3 | INHERIT, SET | postgres
> b | a4 | SET | postgres
>
> I will work on the release notes adjustments for this and reply in a few
> days.
Attached is an applied patch that moves the inherit item into
incompatibilities, clarifies it, and splits out the ADMIN syntax item.
Please let me know if I need any other changes. Thanks.
--
Bruce Momjian <bruce(at)momjian(dot)us> https://momjian.us
EDB https://enterprisedb.com
Only you can decide what is important to you.
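An audit query for the v16 behaviour Pavel describes and Bruce's \drg example illustrates, added here and not part of the thread: it lists memberships in the predefined pg_* roles together with the per-grant option from pg_auth_members (inherit_option and set_option are the v16 columns), so a DBA reviewing after an upgrade sees which grants actually confer privileges instead of relying on the role's INHERIT attribute. The role alice is a constructed sample mirroring the thread.

```sql
-- PostgreSQL 16: the per-grant option stored in pg_auth_members, not the
-- member's rolinherit attribute, decides whether a grant is inherited.

-- Setup (constructed sample, mirrors the thread's example).
CREATE ROLE alice LOGIN;
GRANT pg_read_all_settings TO alice;   -- alice has INHERIT, so grant gets INHERIT TRUE
ALTER ROLE alice NOINHERIT;            -- v16: leaves the existing grant untouched

-- Audit: every membership in a predefined pg_* role, with the option that
-- governs inheritance next to the attribute that is now only a default.
SELECT m.rolname          AS member,
       r.rolname          AS member_of,
       am.inherit_option  AS grant_inherit,   -- what v16 consults
       am.set_option      AS grant_set,
       am.admin_option    AS grant_admin,
       m.rolinherit       AS attr_inherit,    -- default for future GRANTs only
       g.rolname          AS grantor,
       -- 'USAGE' asks whether the role's privileges are usable without SET ROLE
       pg_has_role(m.rolname, r.rolname, 'USAGE') AS privileges_effective
FROM   pg_auth_members am
JOIN   pg_roles r ON r.oid = am.roleid
JOIN   pg_roles m ON m.oid = am.member
JOIN   pg_roles g ON g.oid = am.grantor
WHERE  r.rolname LIKE 'pg\_%'
ORDER  BY member, member_of;

-- Remediation: in v16 re-issuing the GRANT updates the option on the
-- existing membership; REVOKE removes the membership entirely.
GRANT pg_read_all_settings TO alice WITH INHERIT FALSE;
```

A row where attr_inherit is false but grant_inherit and privileges_effective are true is the v16 case from the thread: the attribute was changed after the GRANT, and the privileges stay effective until the grant is re-issued WITH INHERIT FALSE or revoked.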
Attachment | Content-Type | Size |
---|---|---|
relnotes-16.diff | text/x-diff | 1.9 KB |