From e3ce2de09d814f8770b2e3b3c152b7671bcdb83f Mon Sep 17 00:00:00 2001
From: Robert Haas
Date: Thu, 25 Aug 2022 10:06:02 -0400
Subject: Allow grant-level control of role inheritance behavior.
The GRANT statement can now specify WITH INHERIT TRUE or WITH INHERIT FALSE to control whether the member inherits the granted role's permissions. For symmetry, you can now likewise write WITH ADMIN TRUE or WITH ADMIN FALSE to turn ADMIN OPTION on or off. If a GRANT does not specify WITH INHERIT, the behavior based on whether the member role is marked INHERIT or NOINHERIT. This means that if all roles are marked INHERIT or NOINHERIT before any role grants are performed, the behavior is identical to what we had before; otherwise, it's different, because ALTER ROLE [NO]INHERIT now only changes the default behavior of future grants, and has no effect on existing ones.
Patch by me. Reviewed and testing by Nathan Bossart and Tushar Ahuja, with design-level comments from various others.
Discussion: http://postgr.es/m/CA+Tgmoa5Sf4PiWrfxA=sGzDKg0Ojo3dADw=wAHOhR9dggV=RmQ@mail.gmail.com
---
 doc/src/sgml/catalogs.sgml | 10 ++++++++++
 doc/src/sgml/ref/create_role.sgml | 29 ++++++++++++++++++-----------
 doc/src/sgml/ref/grant.sgml | 26 ++++++++++++++++++++++++--
 doc/src/sgml/ref/revoke.sgml | 9 ++++++++-
 4 files changed, 60 insertions(+), 14 deletions(-)
(limited to 'doc/src')
diff --git a/doc/src/sgml/catalogs.sgml b/doc/src/sgml/catalogs.sgml
index 2ce539aaf04..00f833d210e 100644
--- a/doc/src/sgml/catalogs.sgml
+++ b/doc/src/sgml/catalogs.sgml
@@ -1717,6 +1717,16 @@ SCRAM-SHA-256$<iteration count>:&l roleid to others + + + + inherit_option bool + + + True if the member automatically inherits the privileges of the + granted role + +
diff --git a/doc/src/sgml/ref/create_role.sgml b/doc/src/sgml/ref/create_role.sgml
index b6a4ea1f722..029a1933615 100644
--- a/doc/src/sgml/ref/create_role.sgml
+++ b/doc/src/sgml/ref/create_role.sgml
@@ -133,17 +133,24 @@ in sync when changing the above synopsis! NOINHERIT - These clauses determine whether a role inherits the - privileges of roles it is a member of. - A role with the INHERIT attribute can automatically - use whatever database privileges have been granted to all roles - it is directly or indirectly a member of. - Without INHERIT, membership in another role - only grants the ability to SET ROLE to that other role; - the privileges of the other role are only available after having - done so. - If not specified, - INHERIT is the default. + When the GRANT statement is used to confer + membership in one role to another role, the GRANT + may use the WITH INHERIT clause to specify whether + the privileges of the granted role should be inherited + by the new member. If the GRANT statement does not + specify either inheritance behavior, the new GRANT + will be created WITH INHERIT TRUE if the member + role is set to INHERIT and to + WITH INHERIT FALSE if it is set to + NOINHERIT. + + + + In PostgreSQL versions before 16, + the GRANT statement did not support + WITH INHERIT. Therefore, changing this role-level + property would also change the behavior of already-existing grants. + This is no longer the case.
diff --git a/doc/src/sgml/ref/grant.sgml b/doc/src/sgml/ref/grant.sgml
index d7a055b7291..dea19cd3480 100644
--- a/doc/src/sgml/ref/grant.sgml
+++ b/doc/src/sgml/ref/grant.sgml
@@ -98,7 +98,7 @@ GRANT { USAGE | ALL [ PRIVILEGES ] } [ GRANTED BY role_specification ] GRANT role_name [, ...] TO role_specification [, ...]
- [ WITH ADMIN OPTION ]
+ [ WITH { ADMIN | INHERIT } { OPTION | TRUE | FALSE } ]
 [ GRANTED BY role_specification ] where role_specification can be:
@@ -255,7 +255,17 @@ GRANT role_name [, ...] TO - If WITH ADMIN OPTION is specified, the member can + The effect of membership in a role can be modified by specifying the + ADMIN or INHERIT option, each + of which can be set to either TRUE or + FALSE. The keyword OPTION is accepted + as a synonym for TRUE, so that + WITH ADMIN OPTION + is a synonym for WITH ADMIN TRUE. + + + + The ADMIN option allows the member to in turn grant membership in the role to others, and revoke membership in the role as well. Without the admin option, ordinary users cannot do that. A role is not considered to hold WITH ADMIN
@@ -265,6 +275,18 @@ GRANT role_name [, ...] TO + + The INHERIT option, if it is set to + TRUE, causes the member to inherit the privileges of + the granted role. That is, it can automatically use whatever database + privileges have been granted to that role. If set to + FALSE, the member does not inherit the privileges + of the granted role. If this clause is not specified, it defaults to + true if the member role is set to INHERIT and to false + if the member role is set to NOINHERIT. + See CREATE ROLE. + + If GRANTED BY is specified, the grant is recorded as having been done by the specified role. A user can only attribute a grant
diff --git a/doc/src/sgml/ref/revoke.sgml b/doc/src/sgml/ref/revoke.sgml
index 16e840458c9..4fd4bfb3d74 100644
--- a/doc/src/sgml/ref/revoke.sgml
+++ b/doc/src/sgml/ref/revoke.sgml
@@ -125,7 +125,7 @@ REVOKE [ GRANT OPTION FOR ] [ GRANTED BY role_specification ] [ CASCADE | RESTRICT ]
-REVOKE [ ADMIN OPTION FOR ]
+REVOKE [ { ADMIN | INHERIT } OPTION FOR ]
 role_name [, ...] FROM role_specification [, ...] [ GRANTED BY role_specification ] [ CASCADE | RESTRICT ]
@@ -206,6 +206,13 @@ REVOKE [ ADMIN OPTION FOR ] allow the noise word GROUP in role_specification. + + + Just as ADMIN OPTION can be removed from an existing + role grant, it is also possible to revoke INHERIT OPTION. + This is equivalent to setting the value of that option to + FALSE. +
-- cgit v1.2.3