Re: PG 16 draft release notes ready
Bruce Momjian <bruce@momjian.us>
Commits
GET /api/v1/messages/:b64id/commits
the thread's linked commits as JSON, with link sources.
API reference →
-
Revert MAINTAIN privilege and pg_maintain predefined role.
- 151c22deee66 17.0 cited
-
doc: PG 16 relnotes, remove "Have initdb use ICU by default"
- c729642bd760 16.0 cited
-
initdb: change default --locale-provider back to libc.
- 2535c74b1a61 16.0 cited
-
doc: PG 16 relnotes, add author
- b9e3f8005c99 16.0 landed
-
doc: PG 16 relnotes, move memory item and reword OUTER item
- e6a254c0d4af 16.0 landed
-
doc: PG 16 relnotes, add memory overhead reduction item
- 409d24485cbe 16.0 landed
-
doc: PG 16 relnotes, adjust subscription origin mention
- f7c16a120cfa 16.0 landed
-
doc: PG 16 relnotes, adjust auto_explain logging item
- 0bcb3ca3b95b 16.0 landed
-
doc: PG 16 relnotes: adjust outer/full hash join parallelization
- 5a6464096622 16.0 landed
-
doc: PG 16 relnotes, fix duplicate author and commit
- 9e28b83ae6fa 16.0 landed
-
doc: PG 16 relnotes, fix "locale" typo and windows locale text
- 503b0556d96f 16.0 landed
-
doc: PG 16 relnotes, add author from previous merge
- 46ba86cd32dc 16.0 landed
-
doc: PG 16 relnotes, wording adjustments
- 5c2c59ba0b5f 16.0 landed
-
doc: PG 16 relnotes, merge and move vector items
- ad5406246bff 16.0 landed
-
doc: PG 16 relnotes, update xid/subxid searches item
- a817edbf6f30 16.0 landed
-
doc: PG 16 relnotes, SIMD improvements
- 5cb54fc310fb 16.0 landed
-
doc: PG 16 relnotes, add major features list
- 60751aa50313 16.0 landed
-
doc: PG 16 relnotes, misc merged items and bootstrap detail
- de7c3fd34e0f 16.0 landed
-
doc: PG 16 relnotes, misc. updates
- c822358a256c 16.0 landed
-
doc: PG 16 relnotes, add commits
- 30579d23b226 16.0 landed
-
Allow logical decoding on standbys
- 0fdab27ad68a 16.0 cited
-
Fix ts_headline() edge cases for empty query and empty search text.
- 029dea882a7a 16.0 cited
-
Add a hook for modifying the ldapbind password
- 419a8dd8142a 16.0 cited
-
Rework design of functions in pg_walinspect
- 5c1b6628075a 16.0 cited
-
initdb: derive encoding from locale for ICU; similar to libc.
- c45dc7ffbba2 16.0 cited
-
Doc: add XML ID attributes to <sectN> and <varlistentry> tags.
- 78ee60ed84bb 16.0 cited
-
Simplify the implementations of the to_reg* functions.
- 3ea7329c9a79 16.0 cited
-
Rename pg_dissect_walfile_name() to pg_split_walfile_name()
- 13e0d7a60385 16.0 cited
-
Make materialized views participate in predicate locking
- 43351557d0d2 16.0 cited
-
Improve performance of and reduce overheads of memory management
- c6e0fe1f2a08 16.0 cited
-
Allow grant-level control of role inheritance behavior.
- e3ce2de09d81 16.0 cited
On Thu, Aug 17, 2023 at 08:37:28AM +0300, Pavel Luzanov wrote: > On 17.08.2023 05:36, Bruce Momjian wrote: > > On Wed, Aug 9, 2023 at 08:35:21PM -0400, Bruce Momjian wrote: > > > On Sat, Aug 5, 2023 at 04:08:47PM -0700, Noah Misch wrote: > > > > > Author: Robert Haas <rhaas@postgresql.org> > > > > > 2022-08-25 [e3ce2de09] Allow grant-level control of role inheritance behavior. > > > > > --> > > > > > > > > > > <listitem> > > > > > <para> > > > > > Allow GRANT to control role inheritance behavior (Robert Haas) > > > > > </para> > > > > > > > > > > <para> > > > > > By default, role inheritance is controlled by the inheritance status of the member role. The new GRANT clauses WITH INHERIT and WITH ADMIN can now override this. > > > > > </para> > > > > > </listitem> > > > > > > > > > > <!-- > > > > > Author: Robert Haas <rhaas@postgresql.org> > > > > > 2023-01-10 [e5b8a4c09] Add new GUC createrole_self_grant. > > > > > Author: Daniel Gustafsson <dgustafsson@postgresql.org> > > > > > 2023-02-22 [e00bc6c92] doc: Add default value of createrole_self_grant > > > > > --> > > > > > > > > > > <listitem> > > > > > <para> > > > > > Allow roles that create other roles to automatically inherit the new role's rights or SET ROLE to the new role (Robert Haas, Shi Yu) > > > > > </para> > > > > > > > > > > <para> > > > > > This is controlled by server variable createrole_self_grant. > > > > > </para> > > > > > </listitem> > > > > Similarly, v16 radically changes the CREATE ROLE ... WITH INHERIT clause. The > > > > clause used to "change the behavior of already-existing grants." Let's merge > > > > these two and move the combination to the incompatibilities section. > > > I need help with this. I don't understand how they can be combined, and > > > I don't understand the incompatibility text in commit e3ce2de09d: > > > > > > If a GRANT does not specify WITH INHERIT, the behavior based on > > > whether the member role is marked INHERIT or NOINHERIT. This means > > > that if all roles are marked INHERIT or NOINHERIT before any role > > > grants are performed, the behavior is identical to what we had before; > > > otherwise, it's different, because ALTER ROLE [NO]INHERIT now only > > > changes the default behavior of future grants, and has no effect on > > > existing ones. > > I am waiting for an answer to this question, or can I assume the release > > notes are acceptable? > > I can try to explain how I understand it myself. > > In v15 and early, inheritance of granted to role privileges depends on > INHERIT attribute of a role: > > create user alice; > grant pg_read_all_settings to alice; > > By default privileges inherited: > \c - alice > show data_directory; > data_directory > ----------------------------- > /var/lib/postgresql/15/main > (1 row) > > After disabling the INHERIT attribute, privileges are not inherited: > > \c - postgres > alter role alice noinherit; > > \c - alice > show data_directory; > ERROR: must be superuser or have privileges of pg_read_all_settings to > examine "data_directory" > > In v16 changing INHERIT attribute on alice role doesn't change inheritance > behavior of already granted roles. > If we repeat the example, Alice still inherits pg_read_all_settings > privileges after disabling the INHERIT attribute for the role. > > Information for making decisions about role inheritance has been moved from > the role attribute to GRANT role TO role [WITH INHERIT|NOINHERIT] command > and can be viewed by the new \drg command: > > \drg > List of role grants > Role name | Member of | Options | Grantor > -----------+----------------------+--------------+---------- > alice | pg_read_all_settings | INHERIT, SET | postgres > (1 row) > > Changing the INHERIT attribute for a role now will affect (as the default > value) only future GRANT commands without an INHERIT clause. I was able to create this simple example to illustrate it: CREATE ROLE a1; CREATE ROLE a2; CREATE ROLE a3; CREATE ROLE a4; CREATE ROLE b INHERIT; GRANT a1 TO b WITH INHERIT TRUE; GRANT a2 TO b WITH INHERIT FALSE; GRANT a3 TO b; ALTER USER b NOINHERIT; GRANT a4 TO b; \drg List of role grants Role name | Member of | Options | Grantor -----------+-----------+--------------+---------- b | a1 | INHERIT, SET | postgres b | a2 | SET | postgres b | a3 | INHERIT, SET | postgres b | a4 | SET | postgres I will work on the relase notes adjustments for this and reply in a few days. -- Bruce Momjian <bruce@momjian.us> https://momjian.us EDB https://enterprisedb.com Only you can decide what is important to you.