Home > mailing lists

Re: New SET privilege for pg_has_role() in v16+ - Mailing list pgsql-general

From	David G. Johnston
Subject	Re: New SET privilege for pg_has_role() in v16+
Date	January 2 19:33:10
Msg-id	CAKFQuwa-M2sgkTHWfW3xBbr=kzpH=J2H-7rCMS9TRhPRN8j2pw@mail.gmail.com Whole thread Raw
In response to	Re: New SET privilege for pg_has_role() in v16+ (Dominique Devienne <ddevienne@gmail.com>)
List	pgsql-general

Tree view

On Tue, Jan 2, 2024 at 9:21 AM Dominique Devienne <ddevienne@gmail.com> wrote:

On Tue, Jan 2, 2024 at 5:11 PM David G. Johnston <david.g.johnston@gmail.com> wrote:
On Tue, Jan 2, 2024 at 8:25 AM Dominique Devienne <ddevienne@gmail.com> wrote:
pg_has_role() from https://www.postgresql.org/docs/current/functions-info.html
added the 'SET' privilege in v16, and on top of the existing 'MEMBER' and 'USAGE' ones:

Membership no longer does anything by itself.

OK! That's news to me, I must go back to the v16 (?) release notes and learn more about this.

Both inherit and set capabilities are now individually controlled permissions related to membership.

Hmmm, what drove this change? (I guess I'm getting back to the rationale from earlier).
The previous model was not granular enough?
And the new one is as granular as it gets?

Essentially yes. Inherit used to be a property of a role and not a specific membership which was deemed undesirable. We were fixing up the broken CREATEROLE attribute and felt these improvements were needed as well. Once inherit became optional per-membership it made sense to treat set the same way.

David J.

pgsql-general by date:

From: Dominique Devienne
Date: 02 January, 19:21:32
Subject: Re: New SET privilege for pg_has_role() in v16+

From: Adrian Klaver
Date: 02 January, 19:40:21
Subject: Re: New SET privilege for pg_has_role() in v16+

Re: New SET privilege for pg_has_role() in v16+ - Mailing list pgsql-general

Previous

Next