CREATE ROLE inheritance details

From Bruce Momjian
Subject CREATE ROLE inheritance details
Msg-id Zab9GiV63EENDcWG@momjian.us
Responses Re: CREATE ROLE inheritance details  (Laurenz Albe <laurenz.albe@cybertec.at>)
List pgsql-docs

I am unhappy with the documentation adjustments made to CREATE ROLE in
Postgres 16 by this commit:

    commit e3ce2de09d
    Author: Robert Haas <rhaas@postgresql.org>
    Date:   Thu Aug 25 10:06:02 2022 -0400
    
        Allow grant-level control of role inheritance behavior.
    
        The GRANT statement can now specify WITH INHERIT TRUE or WITH
        INHERIT FALSE to control whether the member inherits the granted
        role's permissions. For symmetry, you can now likewise write
        WITH ADMIN TRUE or WITH ADMIN FALSE to turn ADMIN OPTION on or off.
    
        If a GRANT does not specify WITH INHERIT, the behavior based on
        whether the member role is marked INHERIT or NOINHERIT. This means
        that if all roles are marked INHERIT or NOINHERIT before any role
        grants are performed, the behavior is identical to what we had before;
        otherwise, it's different, because ALTER ROLE [NO]INHERIT now only
        changes the default behavior of future grants, and has no effect on
        existing ones.
    
        Patch by me. Reviewed and testing by Nathan Bossart and Tushar Ahuja,
        with design-level comments from various others.
    
        Discussion: http://postgr.es/m/CA+Tgmoa5Sf4PiWrfxA=sGzDKg0Ojo3dADw=wAHOhR9dggV=RmQ@mail.gmail.com

It seems to have removed important details about how inherit works
beyond GRANT.

Using the attached script, test_inh.sh, I generated SQL queries
contained in attached file test_inh.sql, and this generated this output
showing that the inheritance setting of the role being added as a member
controls the inheritance status of the membership:

         rolname      | Is member of role | inherit_option
    ------------------+-------------------+----------------
     init_1_noinherit | user_1_inherit    | f
     init_1_noinherit | user_2_noinherit  | f
     init_1_noinherit | user_3_inherit    | f
     init_1_noinherit | user_4_noinherit  | f
     init_2_inherit   | user_5_inherit    | t
     init_2_inherit   | user_6_noinherit  | t
     init_2_inherit   | user_7_inherit    | t
     init_2_inherit   | user_8_noinherit  | t
     user_1_inherit   | init_3_noinherit  | t
     user_2_noinherit | init_3_noinherit  | f
     user_3_inherit   | init_4_inherit    | t
     user_4_noinherit | init_4_inherit    | f
     user_5_inherit   | init_3_noinherit  | t
     user_6_noinherit | init_3_noinherit  | f
     user_7_inherit   | init_4_inherit    | t
     user_8_noinherit | init_4_inherit    | f

I have attached a patch to re-add this information, and clarify it.  I
would like to apply this to PG 16 and master.

-- 
  Bruce Momjian  <bruce@momjian.us>        https://momjian.us
  EDB                                      https://enterprisedb.com

  Only you can decide what is important to you.
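
The behavior described in the message and the quoted commit, as an added example that is not part of the original post or its attachments. The role names (demo_*) are constructed, and it assumes PostgreSQL 16 or later and a session that is allowed to create roles.

```sql
-- Added example: how pg_auth_members.inherit_option gets its value.
-- All demo_* role names are constructed for illustration.
BEGIN;  -- role DDL is transactional, so the ROLLBACK below leaves nothing behind

CREATE ROLE demo_app_read  NOLOGIN;   -- roles that will be granted
CREATE ROLE demo_app_write NOLOGIN;

CREATE ROLE demo_member_inh      NOLOGIN INHERIT;
CREATE ROLE demo_member_noinh    NOLOGIN NOINHERIT;
CREATE ROLE demo_member_override NOLOGIN NOINHERIT;

-- No WITH INHERIT clause: the attribute of the role being added as a
-- member supplies the inherit_option recorded for the membership.
GRANT demo_app_read TO demo_member_inh, demo_member_noinh;

-- An explicit WITH INHERIT clause on the grant takes precedence over
-- the member's own INHERIT/NOINHERIT attribute.
GRANT demo_app_read TO demo_member_override WITH INHERIT TRUE;

-- ALTER ROLE only changes the default for future grants; the membership
-- in demo_app_read recorded above keeps its inherit_option.
ALTER ROLE demo_member_noinh INHERIT;
GRANT demo_app_write TO demo_member_noinh;

-- Audit view: one row per membership, with the attribute the member
-- role has now next to the option stored on the grant. Rows where the
-- two differ are the ones an ALTER ROLE did not touch.
SELECT m.rolname          AS member,
       r.rolname          AS member_of,
       m.rolinherit       AS member_attr_now,
       am.inherit_option  AS grant_inherit_option
FROM pg_auth_members am
JOIN pg_roles r ON r.oid = am.roleid
JOIN pg_roles m ON m.oid = am.member
WHERE m.rolname LIKE 'demo\_%'
ORDER BY member, member_of;

ROLLBACK;
```

The same SELECT without the WHERE filter works as a membership audit after an upgrade to version 16, since switching a role to NOINHERIT no longer changes what its existing memberships inherit.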
