Subject: Re: Question about role attributes docs
From: Fujii Masao
Date: Sat, 23 Jul 2022 00:35:13 +0900
To: Shinya Kato, Swaha Miller
Cc: Laurenz Albe, pgsql-docs@lists.postgresql.org

On 2022/03/17 17:56, Shinya Kato wrote:
> Thank you for the review, and sorry for late reply.
> I fixed it.

Thanks for updating the patch!
I found that the patch has two trailing whitespaces.

+ A role can explicitly be restricted at time of creation from inheriting privileges of
+ roles it is a member of (except for superusers, since those bypass all permission checks.)
+ Restricting privileges is done by the NOINHERIT option.
+ If no option is specified, INHERIT is the default. So to create a role that inherits
+ privileges, use either:

It sounds strange to me that restriction of inheritance is explained at the beginning. Instead, something like the following is more intuitive and easy-to-understand to users?

------------------------
A role is given permission to inherit the privileges of roles it is a member of, by default. However, to create a role without the permission, use CREATE ROLE name NOINHERIT.
------------------------

+ A role must be explicitly given permission to bypass row-level security (RLS) policy.
+ (except for superusers, since those bypass all permission checks).

Like CREATE ROLE docs does, isn't it better to add "every" just before "row-level"?
A dot just between "policy" and "(except" should be removed.

+ bypass row-level securityroleprivilege to bypass

"bypass" should be "bypassing" or something because a noun is used for each entry title in other places?

+ To create such a role, use CREATE ROLE name BYPASSRLS.

Isn't it better to add "as a superuser" just after "BYPASSRLS" because only a superuser can create a new role having the BYPASSRLS attribute?

+ -1 (the default) means no limit. To create such a role, use CREATE ROLE name CONNECTION LIMIT connlimit LOGIN.

"To create such a role" sounds odd to me in this context. Instead, how about something like "Specify connection limit upon role creation with CREATE ROLE name CONNECTION LIMIT 'integer'."?

Regards,

-- 
Fujii Masao
Advanced Computing Technology Center
Research and Development Headquarters
NTT DATA CORPORATION
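
Review bot: in the first quoted hunk (the NOINHERIT paragraph), the parenthetical ends with the period inside the bracket, "permission checks.)", so the enclosing sentence has no terminator, while the BYPASSRLS hunk writes "permission checks)." with the period outside. Move the period outside the closing parenthesis in the NOINHERIT paragraph so the two superuser exceptions are punctuated the same way.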