Re: PG 16 draft release notes ready

Bruce Momjian <bruce@momjian.us>

From: Bruce Momjian <bruce@momjian.us>
To: Pavel Luzanov <p.luzanov@postgrespro.ru>
Cc: Noah Misch <noah@leadboat.com>, PostgreSQL-development <pgsql-hackers@postgresql.org>, Robert Haas <robertmhaas@gmail.com>
Date: 2023-08-21T21:58:36Z
Lists: pgsql-hackers

Commits

  1. Revert MAINTAIN privilege and pg_maintain predefined role.

  2. doc: PG 16 relnotes, remove "Have initdb use ICU by default"

  3. initdb: change default --locale-provider back to libc.

  4. doc: PG 16 relnotes, add author

  5. doc: PG 16 relnotes, move memory item and reword OUTER item

  6. doc: PG 16 relnotes, add memory overhead reduction item

  7. doc: PG 16 relnotes, adjust subscription origin mention

  8. doc: PG 16 relnotes, adjust auto_explain logging item

  9. doc: PG 16 relnotes: adjust outer/full hash join parallelization

  10. doc: PG 16 relnotes, fix duplicate author and commit

  11. doc: PG 16 relnotes, fix "locale" typo and windows locale text

  12. doc: PG 16 relnotes, add author from previous merge

  13. doc: PG 16 relnotes, wording adjustments

  14. doc: PG 16 relnotes, merge and move vector items

  15. doc: PG 16 relnotes, update xid/subxid searches item

  16. doc: PG 16 relnotes, SIMD improvements

  17. doc: PG 16 relnotes, add major features list

  18. doc: PG 16 relnotes, misc merged items and bootstrap detail

  19. doc: PG 16 relnotes, misc. updates

  20. doc: PG 16 relnotes, add commits

  21. Allow logical decoding on standbys

  22. Fix ts_headline() edge cases for empty query and empty search text.

  23. Add a hook for modifying the ldapbind password

  24. Rework design of functions in pg_walinspect

  25. initdb: derive encoding from locale for ICU; similar to libc.

  26. Doc: add XML ID attributes to <sectN> and <varlistentry> tags.

  27. Simplify the implementations of the to_reg* functions.

  28. Rename pg_dissect_walfile_name() to pg_split_walfile_name()

  29. Make materialized views participate in predicate locking

  30. Improve performance of and reduce overheads of memory management

  31. Allow grant-level control of role inheritance behavior.

On Sat, Aug 19, 2023 at 12:59:47PM -0400, Bruce Momjian wrote:
> On Thu, Aug 17, 2023 at 08:37:28AM +0300, Pavel Luzanov wrote:
> > I can try to explain how I understand it myself.
> > 
> > In v15 and earlier, inheritance of privileges granted to a role depends on
> > the INHERIT attribute of the role:
> > 
> > create user alice;
> > grant pg_read_all_settings to alice;
> > 
> > By default privileges are inherited:
> > \c - alice
> > show data_directory;
> >        data_directory
> > -----------------------------
> >  /var/lib/postgresql/15/main
> > (1 row)
> > 
> > After disabling the INHERIT attribute, privileges are not inherited:
> > 
> > \c - postgres
> > alter role alice noinherit;
> > 
> > \c - alice
> > show data_directory;
> > ERROR:  must be superuser or have privileges of pg_read_all_settings to
> > examine "data_directory"
> > 
> > In v16 changing INHERIT attribute on alice role doesn't change inheritance
> > behavior of already granted roles.
> > If we repeat the example, Alice still inherits pg_read_all_settings
> > privileges after disabling the INHERIT attribute for the role.
> > 
> > Information for making decisions about role inheritance has been moved from
> > the role attribute to GRANT role TO role [WITH INHERIT|NOINHERIT] command
> > and can be viewed by the new \drg command:
> > 
> > \drg
> >                     List of role grants
> >  Role name |      Member of       |   Options    | Grantor
> > -----------+----------------------+--------------+----------
> >  alice     | pg_read_all_settings | INHERIT, SET | postgres
> > (1 row)
> > 
> > Changing the INHERIT attribute for a role now will affect (as the default
> > value) only future GRANT commands without an INHERIT clause.
> 
> I was able to create this simple example to illustrate it:
> 
> 	CREATE ROLE a1;
> 	CREATE ROLE a2;
> 	CREATE ROLE a3;
> 	CREATE ROLE a4;
> 	CREATE ROLE b INHERIT;
> 
> 	GRANT a1 TO b WITH INHERIT TRUE;
> 	GRANT a2 TO b WITH INHERIT FALSE;
> 
> 	GRANT a3 TO b;
> 	ALTER USER b NOINHERIT;
> 	GRANT a4 TO b;
> 
> 	\drg
> 	               List of role grants
> 	 Role name | Member of |   Options    | Grantor
> 	-----------+-----------+--------------+----------
> 	 b         | a1        | INHERIT, SET | postgres
> 	 b         | a2        | SET          | postgres
> 	 b         | a3        | INHERIT, SET | postgres
> 	 b         | a4        | SET          | postgres
> 
> I will work on the release notes adjustments for this and reply in a few
> days.

Attached is an applied patch that moves the inherit item into
incompatibilities, clarifies it, and splits out the ADMIN syntax item.

Please let me know if I need any other changes.  Thanks.

-- 
  Bruce Momjian  <bruce@momjian.us>        https://momjian.us
  EDB                                      https://enterprisedb.com

  Only you can decide what is important to you.
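
An added example, not part of the original message or of the PostgreSQL sources: a post-upgrade audit for the v16 behavior discussed in this thread. It lists grants whose per-grant INHERIT option no longer matches the member's role-level attribute, then the roles each member actually inherits from. It assumes PostgreSQL 16 or later, a session allowed to create roles, and reuses the role names a1..a4 and b from the example above as constructed sample data.

```sql
-- Requires PostgreSQL 16+ (pg_auth_members.inherit_option / set_option).
-- Runs in a transaction and rolls back, so the sample roles do not persist.
BEGIN;

-- Constructed sample data: the roles and grants from the thread's example.
CREATE ROLE a1; CREATE ROLE a2; CREATE ROLE a3; CREATE ROLE a4;
CREATE ROLE b INHERIT;
GRANT a1 TO b WITH INHERIT TRUE;
GRANT a2 TO b WITH INHERIT FALSE;
GRANT a3 TO b;            -- takes b's current INHERIT attribute as default
ALTER ROLE b NOINHERIT;   -- does not touch the grants already made
GRANT a4 TO b;            -- takes the new NOINHERIT default

-- 1. Grants whose INHERIT option disagrees with the member's current
--    role attribute, i.e. memberships an administrator may believe were
--    switched off (or on) by ALTER ROLE but were not.
SELECT m.rolname         AS member,
       r.rolname         AS member_of,
       m.rolinherit      AS role_attr_inherit,
       am.inherit_option AS grant_inherit,
       am.set_option     AS grant_set,
       g.rolname         AS grantor
FROM pg_auth_members am
JOIN pg_roles r ON r.oid = am.roleid
JOIN pg_roles m ON m.oid = am.member
LEFT JOIN pg_roles g ON g.oid = am.grantor
WHERE am.inherit_option IS DISTINCT FROM m.rolinherit
ORDER BY member, member_of;

-- 2. Roles whose privileges each member holds without SET ROLE,
--    following only grant edges that have INHERIT set (transitively).
WITH RECURSIVE inherited(member, roleid) AS (
    SELECT member, roleid FROM pg_auth_members WHERE inherit_option
  UNION
    SELECT i.member, am.roleid
    FROM inherited i
    JOIN pg_auth_members am ON am.member = i.roleid
    WHERE am.inherit_option
)
SELECT m.rolname AS member, r.rolname AS inherits_privileges_of
FROM inherited i
JOIN pg_roles m ON m.oid = i.member
JOIN pg_roles r ON r.oid = i.roleid
ORDER BY member, inherits_privileges_of;

-- 3. Bring an existing grant in line with the NOINHERIT intent.
GRANT a1 TO b WITH INHERIT FALSE;

ROLLBACK;
```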