Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1o6gyM-00047l-HB for pgsql-hackers@arkaria.postgresql.org; Wed, 29 Jun 2022 23:19:50 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.92) (envelope-from ) id 1o6gyK-0006JX-E4 for pgsql-hackers@arkaria.postgresql.org; Wed, 29 Jun 2022 23:19:48 +0000 Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29]) by malur.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1o6gyK-0006JN-3X for pgsql-hackers@lists.postgresql.org; Wed, 29 Jun 2022 23:19:48 +0000 Received: from mail-pg1-x535.google.com ([2607:f8b0:4864:20::535]) by magus.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.92) (envelope-from ) id 1o6gyH-0003Il-8v for pgsql-hackers@postgresql.org; Wed, 29 Jun 2022 23:19:47 +0000 Received: by mail-pg1-x535.google.com with SMTP id d129so16736342pgc.9 for ; Wed, 29 Jun 2022 16:19:44 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to; bh=0Ra5Bfw96h4HvvG+BXZGn2qTmQyteslQ2hlxsQwch0g=; b=aHdKXm8YWdih2+jKeFjrpS5IMNyuUQ6kCoVWk8T2it/+jJyBHc3BZ5d7rFK9ia/PpQ h+/oX0LNIeIwYTGYGc5oXGVacdmcKHMEBTuD93U+NVERd1WWiCUHwXde9hRWWEJ38ThV scrPnRuRr6qovU0LbR810YQbpZxEhJmxh7rciNa6MlU/BiOA7v2ioUDJA3iYK3pKiFnA I68JxwPhIvbpsAWnVmTbpso4BIA32nSki+YVVZlErKKEZUVuuzPytcab8GieUh/PFsTN bM9CRZ13NLLNUE8tdj/PtAkE2GVbpFvSq9d9trE/it4a6VuFi+PN3nrYxfQVjxqHTeFo AYpw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to; bh=0Ra5Bfw96h4HvvG+BXZGn2qTmQyteslQ2hlxsQwch0g=; b=iGHOJAK5S8BLKDvL3SpDIwH0VZ7yUzWqOJlYbs904bKZKKHz/klF8uWQerGenFxa3f 8S2GDgHPHuzNyQOieD+Lt2mrhjuEz1qUZtaCuOptTqoxoTSM/BOXLmnk42R+il4UAM/S CVZa++KcpfC8iPTWV6sblYUhKekpcc254PNakeu5alhmXrwX01lV1/OcRfSeFf40Wkpm lW32MdvgVfxiWcgJUkGQBlL758kVK1s8JcGrUDRMlRCZcF5V1ZtEOpqX03MUTUKpbmc6 zjEHycC0FvNYmxqsMy5jjgaNZSmBt7+o2v9vJnJX4daSkkhfcms5kVfIks4kU+G7uv7r 34NA== X-Gm-Message-State: AJIora+FmmFAwHrdgSBahLjZ83sEpn3sSeaZkW2qEOhvwV/bVneu2YpL PMNY0+6UzKv2klNhU2OOCrCFVxR91Zc= X-Google-Smtp-Source: AGRyM1tsBSWXyDARe/NsjbrDhBcbwItsC/0bkxD9JV9lgbm00GSwmjh1YjBjoEq9eNA+EV9ziDB0Vg== X-Received: by 2002:a65:604a:0:b0:3f9:f423:b474 with SMTP id a10-20020a65604a000000b003f9f423b474mr4833575pgp.527.1656544782021; Wed, 29 Jun 2022 16:19:42 -0700 (PDT) Received: from nathanxps13 ([50.54.155.70]) by smtp.gmail.com with ESMTPSA id n24-20020a170902969800b0016a034ae481sm11949899plp.176.2022.06.29.16.19.40 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 29 Jun 2022 16:19:41 -0700 (PDT) Date: Wed, 29 Jun 2022 16:19:39 -0700 From: Nathan Bossart To: Robert Haas Cc: Tom Lane , Joe Conway , "Bossart, Nathan" , Stephen Frost , PostgreSQL-development Subject: Re: replacing role-level NOINHERIT with a grant-level option Message-ID: <20220629231939.GA362451@nathanxps13> References: <0ED10807-9E7F-4BB5-9473-4668EE68AE2D@amazon.com> <4117557.1641329799@sss.pgh.pa.us> <730520.1644168290@sss.pgh.pa.us> <80af9ba7-ec24-9134-8fd9-00bf13f5c494@joeconway.com> <1066202.1654190251@sss.pgh.pa.us> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk On Wed, Jun 22, 2022 at 04:30:36PM -0400, Robert Haas wrote: > On Thu, Jun 2, 2022 at 1:17 PM Tom Lane wrote: >> Point 2 would cause every existing pg_dumpall script to fail, which >> seems like kind of a large gotcha. Less unpleasant alternatives >> could include >> >> * Continue to accept the syntax, but ignore it, maybe with a WARNING >> for the alternative that doesn't correspond to the new behavior. >> >> * Keep pg_authid.rolinherit, and have it act as supplying the default >> behavior for subsequent GRANTs to that role. > > Here's a rather small patch that does it the first way. I've been thinking about whether we ought to WARNING or ERROR with the deprecated syntax. WARNING has the advantage of not breaking existing scripts, but users might not catch that NOINHERIT roles will effectively become INHERIT roles, which IMO is just a different type of breakage. However, I don't think I can defend ERROR-ing and breaking all existing pg_dumpall scripts completely, so perhaps the best we can do is emit a WARNING until we feel comfortable removing the option completely 5-10 years from now. I'm guessing we'll also need a new pg_dumpall option for generating pre-v16 style role commands versus the v16+ style ones. When run on v16 and later, you'd have to require the latter option, as you won't always be able to convert grant-level inheritance options into role-level options. However, you can always do the reverse. I'm thinking that by default, pg_dumpall would output the style of commands for the current server version. pg_upgrade would make use of this option when upgrading from I suppose if we did it the second way, we could make the syntax GRANT > granted_role TO recipient_role WITH INHERIT { TRUE | FALSE | DEFAULT > }, and DEFAULT would copy the current value of the rolinherit > property, so that changing the rolinherit property later would not > affect previous grants. The reverse is also possible: with the same > syntax, the rolinherit column could be changed from bool to "char", > storing t/f/d, and 'd' could mean the value of the rolinherit property > at time of use; thus, changing rolinherit would affect previous grants > performed using WITH INHERIT DEFAULT but not those that specified WITH > INHERIT TRUE or WITH INHERIT FALSE. Yeah, something like this might be a nice way to sidestep the issue. I was imagining something more like your second option, but instead of continuing to allow grant-level options to take effect when rolinherit was true or false, I was thinking we would ignore them or even disallow them. By disallowing grant-level options when a role-level option was set, we might be able to avoid the confusion about what takes effect when. That being said, the syntax for this sort of thing might not be the cleanest. -- Nathan Bossart Amazon Web Services: https://aws.amazon.com