Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1sQvC7-00CLXr-Nk for pgsql-general@arkaria.postgresql.org; Mon, 08 Jul 2024 20:42:43 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.94.2) (envelope-from ) id 1sQvC6-009DO9-FD for pgsql-general@arkaria.postgresql.org; Mon, 08 Jul 2024 20:42:42 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1sQvC6-009DLV-44 for pgsql-general@lists.postgresql.org; Mon, 08 Jul 2024 20:42:42 +0000 Received: from mail-oo1-xc36.google.com ([2607:f8b0:4864:20::c36]) by makus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.94.2) (envelope-from ) id 1sQvC3-0015kS-An for pgsql-general@postgresql.org; Mon, 08 Jul 2024 20:42:40 +0000 Received: by mail-oo1-xc36.google.com with SMTP id 006d021491bc7-5c47ad9967cso2397080eaf.2 for ; Mon, 08 Jul 2024 13:42:39 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1720471358; x=1721076158; darn=postgresql.org; h=cc:to:subject:message-id:date:from:references:in-reply-to :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=CokKH5bYZ7W4spsVz7+fMMSuMSP8tTXOy864BmFHP7U=; b=EDgdhc3wQjdXtm9LFZbGLKK+MsZB35EKY0Cjc0lTE2toJ3uxcX0mh7FxeSz8J8Bc0J xD3rkoKOsy80EAhF3lQ+e0QvHnxsBrhYN0IF4o+aUmMRSkfLm8/f+v/+0p4jjOlocbh8 x6kvPa5v2v/mLligxR1vquM3mmaaKbrYFf/2oUi3o8CAE4Z9p7IXcAGECbDUk/bwVjmk 044/51CIpHzFJOd6EroYk0VQ6EDW2a/RtKL9ch3swt0zMV7dJKcs8QogiEkyLJx5qVEh khjvueOYabyjS+I1PY55smWhMudxbyFyj4UevpN4pfDVdCOqpWZMcxdSkMD+Uhm7TKj5 40yw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1720471358; x=1721076158; h=cc:to:subject:message-id:date:from:references:in-reply-to :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=CokKH5bYZ7W4spsVz7+fMMSuMSP8tTXOy864BmFHP7U=; b=Mwb1FIoYotYz/sv9oEh8NFnJfxyyWs69um45jgdeljwe78JOZbsRwRNFmc+vIcfP2v 9YuS3k+QpxH7EoMPCesYRSWFSr8v/J631URnPRCEYb3227p1MmuQoIwonV2OL6/IKlWW wf6Zs4QgCG1p6OtZF7iGHG81+1aM76AZD6oeYC7lYl2JGOChVfa3a7z5av7b261jVDOb 5EKaHNeEElJCOJo7FdBfPb+Z5MX8rsC0NwqgROLQdBElmPsM+GDeJ/wS1HtXbtNuPZ0g sie0XiLRPJ3pyf7BIEUS7QrPwcKxCxfE5u1iMCrilOhqIV7txhz8L8WLOH2nYDpI2s/P Pb+w== X-Forwarded-Encrypted: i=1; AJvYcCXpVaQizu0EDYtTAD9nRjhQ7MntkNH9oqU3ApTszzSwc3Co7QPu9oJtv6IgH8srodn+2SbwHFAR0QArT2Lxo4ZOqkJbquJBLvE7o+Pt X-Gm-Message-State: AOJu0YwRHbsoCcVG2NnYx9upxxBCvXbL/75YWXpvDuuLnsHx85O/wDB3 4FtmFoayBWXyAAhnW16Ce5UKDIYzDRGcdK+Md5ADbYN8Efyma1wCmoKQ7nOrirG5AxgmotQcQJ0 2kmtQsQFRxPjNR6yB6G8jH77YBQ8= X-Google-Smtp-Source: AGHT+IE2Dv3dGJi1lya0YRCsGekYNUCu3maZUSaWeTfUIR1sZoaeDqLms9evfCx3V7ONoGSoZPZXa9G8+lSQATxUAbA= X-Received: by 2002:a05:6870:213:b0:25c:c6fb:c011 with SMTP id 586e51a60fabf-25eae7bb668mr438055fac.19.1720471358427; Mon, 08 Jul 2024 13:42:38 -0700 (PDT) MIME-Version: 1.0 Received: by 2002:a8a:d53:0:b0:539:aa10:6c7 with HTTP; Mon, 8 Jul 2024 13:42:38 -0700 (PDT) In-Reply-To: <6A063ECC-E0FD-4CAF-A057-96BA55832889@thebuild.com> References: <69A2A7BD-F8CA-4067-B229-B5F9FC6A884F@thebuild.com> <78790ab5cdece730a2029310184f9bb9cfcc0fa6.camel@cybertec.at> <6A063ECC-E0FD-4CAF-A057-96BA55832889@thebuild.com> From: "David G. Johnston" Date: Mon, 8 Jul 2024 13:42:38 -0700 Message-ID: Subject: Re: v16 roles, SET FALSE, INHERIT FALSE, ADMIN FALSE To: Christophe Pettus Cc: Laurenz Albe , pgsql-general Content-Type: multipart/alternative; boundary="0000000000002a5adf061cc274e6" List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk --0000000000002a5adf061cc274e6 Content-Type: text/plain; charset="UTF-8" On Monday, July 8, 2024, Christophe Pettus wrote: > > > > On Jul 8, 2024, at 13:29, Christophe Pettus wrote: > > > > > > > >> On Jul 8, 2024, at 13:25, Laurenz Albe > wrote: > >> I didn't test it, but doesn't that allow the member rule to drop > objects owned > >> be the role it is a member of? > > > > No, apparently not. > > Just from a quick check, it looks like you need INHERIT to inherit the > ability to drop objects. The documentation strongly implies this, although > it doesn't quite come out and say it. > > Are you referring to this: The right to modify or destroy an object is inherent in being the object's owner, and cannot be granted or revoked in itself. (However, like all privileges, that right can be inherited by members of the owning role; see Section 22.3 .) https://www.postgresql.org/docs/current/ddl-priv.html It can be argued that is more than strong implication though a different more obvious (technical) wording could be in order. David J. --0000000000002a5adf061cc274e6 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable On Monday, July 8, 2024, Christophe Pettus <xof@thebuild.com> wrote:
<= br>
> On Jul 8, 2024, at 13:29, Christophe Pettus <xof@thebuild.com> wrote:
>
>
>
>> On Jul 8, 2024, at 13:25, Laurenz Albe <laurenz.albe@cybertec.at> wrote:
>> I didn't test it, but doesn't that allow the member rule t= o drop objects owned
>> be the role it is a member of?
>
> No, apparently not.

Just from a quick check, it looks like you need INHERIT to inherit the abil= ity to drop objects.=C2=A0 The documentation strongly implies this, althoug= h it doesn't quite come out and say it.


Are you referring to this:

<= /div>
The right to modify or destroy an object is inherent in being = the object's owner, and cannot be granted or revoked in itself. (Howeve= r, like all privileges, that right can be inherited by members of the ownin= g role; see=C2=A0Sec= tion=C2=A022.3.)


It can be argued that is more than strong implication though a differ= ent more obvious (technical) wording could be in order.

David J.

--0000000000002a5adf061cc274e6--