> How does this work with newly created objects? Is there a way to have
> them default objects to a different owner, the parent of the two
> roles?

No, but you could easily assign default permissions.

> In the case of password rotation, the goal would be to
> drop the old password after all clients have had reasonable chance to
> get an update. One could work around by generating new
> username+password pairs constantly, but there are conveniences to
> having a stable public-identifier for a role in addition to a private
> secret used to authenticate it

I guess I don't really understand what the real-world use case for this is.

--
-- Josh Berkus
PostgreSQL Experts Inc.
http://www.pgexperts.com
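
The default-permissions approach suggested in the reply above, combined with the two-roles-under-one-parent arrangement from the quoted question, as an added PostgreSQL example that is not part of the original thread. The role names, password placeholders and expiry date are assumptions, and the statements are assumed to be run by a superuser.

```sql
-- Added example: every role name, secret and date here is a constructed placeholder.

-- Stable, non-login parent role that carries the application's privileges.
CREATE ROLE app_owner NOLOGIN;

-- One login role per credential generation, both members of the parent.
CREATE ROLE app_a LOGIN PASSWORD 'PLACEHOLDER_OLD_SECRET' IN ROLE app_owner;
CREATE ROLE app_b LOGIN PASSWORD 'PLACEHOLDER_NEW_SECRET' IN ROLE app_owner;

-- New objects remain owned by whichever login role created them, so grant
-- the parent (and, through membership, the sibling role) access by default.
ALTER DEFAULT PRIVILEGES FOR ROLE app_a GRANT ALL ON TABLES    TO app_owner;
ALTER DEFAULT PRIVILEGES FOR ROLE app_a GRANT ALL ON SEQUENCES TO app_owner;
ALTER DEFAULT PRIVILEGES FOR ROLE app_b GRANT ALL ON TABLES    TO app_owner;
ALTER DEFAULT PRIVILEGES FOR ROLE app_b GRANT ALL ON SEQUENCES TO app_owner;

-- Verify what was recorded before relying on it.
SELECT defaclrole::regrole AS creator, defaclobjtype, defaclacl
FROM pg_default_acl;

-- Rotation: the old password stops being accepted after the grace period.
ALTER ROLE app_a VALID UNTIL '2030-01-31';

-- Retirement: a role that still owns objects or holds grants cannot be
-- dropped. Run these two statements in every database where app_a was used.
REASSIGN OWNED BY app_a TO app_owner;
DROP OWNED BY app_a;  -- removes remaining grants and default-privilege entries

-- Run once, after every database has been cleaned up.
DROP ROLE app_a;
```

Default privileges grant access rather than ownership, so owner-only operations such as `ALTER TABLE` or `DROP TABLE` on a table created by `app_a` stay unavailable to `app_b` until the `REASSIGN OWNED` step moves ownership to the parent.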