From: Swaha Miller
Date: Tue, 15 Feb 2022 13:39:29 -0800
Subject: Re: Question about role attributes docs
To: Shinya Kato
Cc: Laurenz Albe, pgsql-docs@lists.postgresql.org

On Tue, Feb 15, 2022 at 1:32 PM Shinya Kato wrote:

> On 2022-01-12 02:07, Laurenz Albe wrote:
> > On Tue, 2022-01-11 at 16:40 +0900, Shinya Kato wrote:
> >> I have a question about the documentation on ROLE.
> >>
> >> According to [1], INHERIT and BYPASSRLS can be specified when executing
> >> the CREATE ROLE command. However, there is no such description in Role
> >> Attributes in [2]. Are these concepts different from Role Attributes? Or
> >> are they just not documented? If they need to be documented, I'll create
> >> a patch.
> >>
> >> [1] https://www.postgresql.org/docs/devel/sql-createrole.html
> >> [2] https://www.postgresql.org/docs/devel/role-attributes.html
> >
> > I think that is indeed an omission, and adding documentation would be a
> > good idea.
> Thanks! I created the patch, and attached it.
>
> > On the other hand, a lot of that information is more or less
> > a duplicate of the CREATE ROLE documentation. I wonder if the latter
> > page could be removed altogether.
> I think there is certainly a lot of overlap. However, I think that the
> SQL commands page and the database roles page should exist separately,
> and should be maintained as they are because there are parts that do not
> overlap (for example, IN ROLE and ADMIN).
>
> --
> Regards,
>
> --
> Shinya Kato
> Advanced Computing Technology Center
> Research and Development Headquarters
> NTT DATA CORPORATION

May I suggest replacing the following verbiage in your patch

+        A role is needed to permission to inherit privileges of roles it is a member of.
+        (except for superusers, since those bypass all permission checks).
+        If not specified, <literal>INHERIT</literal> is the default, so to create such a role, use either:

with clearer wording such as the following:

A role can explicitly be restricted at time of creation from inheriting privileges of
roles it is a member of (except for superusers, since those bypass all permission checks.)
Restricting privileges is done by the <literal>NOINHERIT</literal> option.
If no option is specified, <literal>INHERIT</literal> is the default. So to create a role that inherits
privileges, use either:

Regards,

Swaha Miller
Amazon Web Services
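Review bot: the first added line of the quoted hunk, "A role is needed to permission to inherit privileges of roles it is a member of.", is not grammatical and ends in a full stop, which leaves the parenthetical on the second line as a detached fragment. In the third line, "such a role" has no clear referent because the hunk never names NOINHERIT, so a reader cannot tell which setting the examples that follow are meant to produce. Suggest one sentence that says what the attribute controls with the superuser exception inside it, a second that names NOINHERIT as the way to turn inheritance off, and then the statement that INHERIT is the default.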
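How the two settings discussed in this thread behave for a group role, as an added example that is not part of the original messages or of the patch. The role and table names (`reporting`, `alice`, `bob`, `sales`) are hypothetical, and the script assumes a superuser session in a scratch database; everything is rolled back at the end.

```sql
-- Added example: hypothetical names, run in a scratch database as a superuser.
BEGIN;

CREATE TABLE sales (id int, amount numeric);

-- A group role that carries the privilege.
CREATE ROLE reporting NOLOGIN;
GRANT SELECT ON sales TO reporting;

-- INHERIT is the default, so alice could equally be created with
-- "CREATE ROLE alice LOGIN INHERIT". bob is explicitly restricted.
CREATE ROLE alice LOGIN;
CREATE ROLE bob   LOGIN NOINHERIT;

GRANT reporting TO alice, bob;

-- Compare the two members:
--   rolinherit    the attribute recorded on the role itself
--   is_member     membership in reporting (both roles were granted it)
--   usable_now    whether reporting's privileges apply without SET ROLE
--   can_select    the resulting effective privilege on the table
-- alice picks up SELECT automatically; bob is a member but does not
-- hold the privilege until he switches with SET ROLE reporting.
SELECT r.rolname,
       r.rolinherit,
       pg_has_role(r.rolname, 'reporting', 'MEMBER')      AS is_member,
       pg_has_role(r.rolname, 'reporting', 'USAGE')       AS usable_now,
       has_table_privilege(r.rolname, 'sales', 'SELECT')  AS can_select
FROM pg_roles AS r
WHERE r.rolname IN ('alice', 'bob')
ORDER BY r.rolname;

-- Audit query: every role in the cluster that does not inherit by default.
SELECT rolname
FROM pg_roles
WHERE NOT rolinherit
ORDER BY rolname;

-- Leave no roles or tables behind.
ROLLBACK;
```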