On 09.07.2024 00:16, Tom Lane wrote:
Pavel Luzanov <p.luzanov@xxxxxxxxxxxxxx> writes:
On 08.07.2024 22:22, Christophe Pettus wrote:
This is more curiosity than anything else. In the v16 role system, is there actually any reason to grant membership in a role to a different role, but with SET FALSE, INHERIT FALSE, and ADMIN FALSE? Does the role granted membership gain any ability it didn't have before in that case?
Looks like there is one ability.
Authentication in pg_hba.conf "USER" field via +role syntax.
Hmm, if that check doesn't require INHERIT TRUE I'd say it's
a bug.
regards, tom lane
My test scenario:
postgres@demo(16.3)=# select * from pg_hba_file_rules ;
rule_number | file_name | line_number | type | database | user_name | address | netmask | auth_method | options | error
-------------+-------------------------------------+-------------+-------+----------+------------+---------+---------+-------------+---------+-------
1 | /etc/postgresql/16/main/pg_hba.conf | 118 | local | {all} | {postgres} | | | trust | |
2 | /etc/postgresql/16/main/pg_hba.conf | 121 | local | {all} | {+bob} | | | trust | |
3 | /etc/postgresql/16/main/pg_hba.conf | 122 | local | {all} | {alice} | | | reject | |
(3 rows)
postgres@demo(16.3)=# \drg
List of role grants
Role name | Member of | Options | Grantor
-----------+-----------+---------+----------
alice | bob | | postgres
(1 row)
postgres@demo(16.3)=# \c - alice
You are now connected to database "demo" as user "alice".
alice@demo(16.3)=>
--
Pavel Luzanov
Postgres Professional: https://postgrespro.com
