On 6/30/22 22:58, Nathan Bossart wrote:
> On Thu, Jun 30, 2022 at 10:21:53PM -0400, Robert Haas wrote:
> > On Thu, Jun 30, 2022 at 7:29 PM Nathan Bossart <nathandboss...@gmail.com> wrote:
> > > IIUC you are suggesting that we'd leave rolinherit in pg_authid alone, but
> > > we'd add the ability to specify a grant-level option that would always take
> > > precedence.  The default (WITH INHERIT DEFAULT) would cause things to work
> > > exactly as they do today (i.e., use rolinherit).  Does this sound right?
> >
> > Yeah, that could be an alternative to the patch I proposed previously.
> > What do you (and others) think of that idea?
>
> I like it.  If rolinherit is left in place, existing pg_dumpall scripts
> will continue to work, and folks can continue to use the role-level option
> exactly as they do today.  However, we'd be adding the ability to use a
> grant-level option if desired, and it would be relatively easy to reason
> about (i.e., the grant-level option always takes precedence over the
> role-level option).  Also, AFAICT this strategy still provides the full set
> of behavior that would be possible if only the grant-level option existed.

Would this allow for an explicit REVOKE to override a default INHERIT along a specific path?

--
Joe Conway
RDS Open Source Databases
Amazon Web Services: https://aws.amazon.com

