Pavel Luzanov <p.luzanov@postgrespro.ru> writes: > On 08.07.2024 22:22, Christophe Pettus wrote: >> This is more curiosity than anything else. In the v16 role system, is there actually any reason to grant membership in a role to a different role, but with SET FALSE, INHERIT FALSE, and ADMIN FALSE? Does the role granted membership gain any ability it didn't have before in that case?
> Looks like there is one ability. > Authentication in pg_hba.conf "USER" field via +role syntax.
Hmm, if that check doesn't require INHERIT TRUE I'd say it's a bug.
The code doesn't support that claim. It seems quite intentional that this check is purely on membership - what with ACL having a dedicated function for the purpose of checking plain recursive membership that only this and the circularity check code use. I suppose it makes sense too - at least unless you also check for SET - since it seems desirable to allow login as a member role to a group you can only SET to and don't inherit from.
