Re: has_privs_of_role vs. is_member_of_role, redux

Stephen Frost <sfrost@snowman.net>

From: Stephen Frost <sfrost@snowman.net>
To: Wolfgang Walther <walther@technowledgy.de>
Cc: Robert Haas <robertmhaas@gmail.com>, "pgsql-hackers@postgresql.org" <pgsql-hackers@postgresql.org>
Date: 2022-09-26T19:41:11Z
Lists: pgsql-hackers
Greetings,

* Wolfgang Walther (walther@technowledgy.de) wrote:
> Robert Haas:
> > I don't think we're going to be very happy if we redefine inheriting
> > the privileges of another role to mean inheriting only some of them.
> > That seems pretty counterintuitive to me. I also think that this
> > particular definition is pretty fuzzy.
> 
> Scratch my previous suggestion. A new, less fuzyy definition would be:
> Ownership is not a privilege itself and as such not inheritable.

One of the reasons the role system was brought into being was explicitly
to allow other roles to have ownership-level rights on objects that they
didn't directly own.

I don't see us changing that.

Thanks,

Stephen

Commits

  1. Make ALTER DEFAULT PRIVILEGES require privileges, not membership.