From: Robert Haas
Date: Mon, 8 Jul 2024 19:37:44 -0400
Subject: Re: v16 roles, SET FALSE, INHERIT FALSE, ADMIN FALSE
To: Tom Lane
Cc: "David G. Johnston", Pavel Luzanov, Christophe Pettus, pgsql-general
In-Reply-To: <1221566.1720476530@sss.pgh.pa.us>

On Mon, Jul 8, 2024 at 6:08 PM Tom Lane wrote:
> >> Hmm, if that check doesn't require INHERIT TRUE I'd say it's
> >> a bug.
>
> > The code doesn't support that claim.
>
> That doesn't make it not a bug. Robert, what do you think? If this
> is correct behavior, why is it correct?

Correct is debatable, but it's definitely intentional. I didn't think
that referencing a group in pg_hba.conf constituted either (a) the
group inheriting the privileges of the role -- which would make it
governed by INHERIT -- or (b) the group being able to SET ROLE to the
role -- which would make it controlled by SET. I guess you're arguing
for INHERIT which is probably the more logical of the two, but I'm not
really sold on it. I think the pg_hba.conf matching is just asking
whether X is in set S, not whether S has the privileges of X.

For contemporaneous evidence of my thinking on this subject see
https://www.postgresql.org/message-id/CA+TgmobhEYYnW9vrHvoLvD8ODsPBJuU9CbK6tms6Owd70hFMTw@mail.gmail.com
particularly the paragraph that starts with "That's it".

--
Robert Haas
EDB: http://www.enterprisedb.com
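
The following audit query is an added example, not part of the original message and not code from the PostgreSQL project. It lists the login roles that a `+group` entry in pg_hba.conf would match under the membership-only behaviour described above, and shows for each whether it also inherits the group's privileges or can SET ROLE to it. The role names and the pg_hba.conf line are constructed for illustration; the `inherit_option` and `set_option` columns require PostgreSQL 16 or later.

```sql
-- Constructed roles for illustration (PostgreSQL 16+ GRANT syntax).
CREATE ROLE app_users NOLOGIN;
CREATE ROLE reporting NOLOGIN;
CREATE ROLE alice LOGIN;
CREATE ROLE bob LOGIN;

GRANT app_users TO reporting;
GRANT reporting TO alice WITH INHERIT FALSE, SET FALSE;
GRANT app_users TO bob;

-- Hypothetical pg_hba.conf entry whose reach is being audited:
--   host  all  +app_users  10.0.0.0/8  scram-sha-256

-- Walk every membership path down from app_users, ignoring the
-- INHERIT and SET options for the purpose of "is X in set S",
-- while tracking whether each path would also carry privileges
-- (all edges INHERIT TRUE) or allow SET ROLE (all edges SET TRUE).
WITH RECURSIVE members AS (
    SELECT m.member,
           m.inherit_option AS inherits,
           m.set_option     AS can_set
    FROM pg_auth_members m
    WHERE m.roleid = 'app_users'::regrole
  UNION
    SELECT m.member,
           m.inherit_option AND p.inherits,
           m.set_option     AND p.can_set
    FROM pg_auth_members m
    JOIN members p ON m.roleid = p.member
)
SELECT r.rolname,
       bool_or(mb.inherits) AS inherits_privileges,
       bool_or(mb.can_set)  AS can_set_role
FROM members mb
JOIN pg_roles r ON r.oid = mb.member
WHERE r.rolcanlogin
GROUP BY r.rolname
ORDER BY r.rolname;
```

Rows where both boolean columns are false are the case discussed in this thread: the role is in the set for pg_hba.conf matching but holds none of the group's privileges and cannot switch to it.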