public inbox for [email protected]
help / color / mirror / Atom feedFrom: Nathan Bossart <[email protected]>
To: Tom Lane <[email protected]>
Cc: Robert Haas <[email protected]>
Cc: Peter Eisentraut <[email protected]>
Cc: David G. Johnston <[email protected]>
Cc: Ing. Marijo Kristo <[email protected]>
Cc: PostgreSQL Bug List <[email protected]>
Subject: Re: Revoke Connect Privilege from Database not working
Date: Fri, 6 Mar 2026 16:01:50 -0600
Message-ID: <aatOzgie9RlzbGoo@nathan> (raw)
In-Reply-To: <[email protected]>
References: <CAKFQuwa7m2smqqpgPetw=i8Aj-xqg9Zjc5Z2aX3AUwNh96WnXw@mail.gmail.com>
<[email protected]>
<CAKFQuwbB-ZKtN_p_y5sWa2MrTuy5=pRNPWSj1Ud4HHvTuhb54w@mail.gmail.com>
<[email protected]>
<CAKFQuwbpC5w6sUq8gZQATrviZUT4bYpxW+=2uH6sWWMg7fWjzg@mail.gmail.com>
<aRYLkTpazxKhnS_w@nathan>
<[email protected]>
<aXDwtbXCu42Fdmrn@nathan>
<[email protected]>
On Wed, Jan 21, 2026 at 11:57:01AM -0500, Tom Lane wrote:
> Nathan Bossart <[email protected]> writes:
>> Yeah, I think doing most of the work in select_best_grantor() is obviously
>> better. I recall wondering whether we should check for INHERIT or SET
>> privilege (or both) on the grantor role, and IIRC I settled on INHERIT
>> because select_best_grantor() searches through roles we have INHERIT on.
>
> Yeah, I mentally had that point as something to check on. Clearly,
> if you have SET ROLE privilege then you can become the target role
> and then issue the GRANT, so if we define GRANTED BY like that
> then we're not allowing anything that can't be done today. However,
> it feels like INHERIT is a more natural test to make, since AIUI
> that is what permits "automatic" use of a role's privileges, and that
> seems to be what we'd be doing here.
Agreed.
> I'd be interested to hear Robert's opinion on this, or somebody
> else who worked on the SET/INHERIT splitup.
>
> Also cc'ing Peter, who put in the current effectively-a-noise-clause
> behavior of GRANTED BY, to see if he has standards-compliance or
> other concerns about changing this.
Robert/Peter, do you have any thoughts about expanding GRANT/REVOKE GRANTED
BY like this? I think it would've helped with a couple of reports received
during this development cycle, and IMHO it'd be a nice little feature for
v19.
--
nathan
reply
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Reply to all the recipients using the --to and --cc options:
reply via email
To: [email protected]
Cc: [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected]
Subject: Re: Revoke Connect Privilege from Database not working
In-Reply-To: <aatOzgie9RlzbGoo@nathan>
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox