On 7/1/22 07:48, Robert Haas wrote:
> On Fri, Jul 1, 2022 at 6:17 AM Joe Conway <m...@joeconway.com> wrote:
>> Would this allow for an explicit REVOKE to override a default INHERIT
>> along a specific path?
>
> Can you give an example?
>
> If you mean that A is granted to B which is granted to C which is
> granted to D and you now want NOINHERIT behavior for the B->C link in
> the chain, this would allow that. You could modify the existing grant
> by saying either "REVOKE INHERIT OPTION FOR B FROM C" or "GRANT B TO C
> WITH INHERIT FALSE".

Hmm, maybe I am misunderstanding something, but what I mean is something like:

8<----------------
CREATE TABLE t1(f1 int);
CREATE TABLE t2(f1 int);

CREATE USER A; --defaults to INHERIT
CREATE USER B;
CREATE USER C;

GRANT select ON TABLE t1 TO B;
GRANT select ON TABLE t2 TO C;

GRANT B TO A;
GRANT C TO A;

SET SESSION AUTHORIZATION A;

-- works
SELECT * FROM t1;
-- works
SELECT * FROM t2;

RESET SESSION AUTHORIZATION;
REVOKE INHERIT OPTION FOR C FROM A;
SET SESSION AUTHORIZATION A;

-- works
SELECT * FROM t1;
-- fails
SELECT * FROM t2;
8<----------------

So now A has implicit inherited privs for t1 but not for t2.

--
Joe Conway
RDS Open Source Databases
Amazon Web Services: https://aws.amazon.com
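
The per-grant inheritance discussed in this message, as an added example that is not part of the original e-mail or of PostgreSQL's code: a simplified Python model in which each role grant carries its own inherit flag and privileges flow only along chains where every link inherits. The `RoleGraph` class and its method names are hypothetical, and the model ignores SET ROLE and the role-level INHERIT attribute.

```python
from collections import deque

class RoleGraph:
    """Toy model: every role grant carries its own inherit flag (assumption)."""
    def __init__(self):
        self.grants = {}   # (granted_role, member) -> inherit flag
        self.select = {}   # role -> tables with SELECT granted directly

    def grant_role(self, role, member, inherit=True):
        self.grants[(role, member)] = inherit

    def revoke_inherit_option(self, role, member):
        # Models "REVOKE INHERIT OPTION FOR role FROM member":
        # the membership itself stays, only implicit inheritance is removed.
        if (role, member) not in self.grants:
            raise KeyError(f"{member} is not a member of {role}")
        self.grants[(role, member)] = False

    def grant_select(self, table, role):
        self.select.setdefault(role, set()).add(table)

    def inherited_roles(self, start):
        # Breadth-first walk that follows inheriting grants only, so one
        # non-inheriting link cuts off everything reachable through it.
        seen, queue = {start}, deque([start])
        while queue:
            current = queue.popleft()
            for (role, member), inherit in self.grants.items():
                if member == current and inherit and role not in seen:
                    seen.add(role)
                    queue.append(role)
        return seen

    def can_select(self, role, table):
        return any(table in self.select.get(r, ()) for r in self.inherited_roles(role))

def two_grant_scenario():
    # The t1/t2 script from the message: B and C are both granted to A.
    g = RoleGraph()
    g.grant_select("t1", "B"); g.grant_select("t2", "C")
    g.grant_role("B", "A"); g.grant_role("C", "A")
    before = (g.can_select("A", "t1"), g.can_select("A", "t2"))
    g.revoke_inherit_option("C", "A")
    return before, (g.can_select("A", "t1"), g.can_select("A", "t2"))

def chain_scenario():
    # The quoted chain: A granted to B, B to C, C to D; B->C set to no-inherit.
    g = RoleGraph()
    g.grant_select("t1", "A")
    g.grant_role("A", "B"); g.grant_role("B", "C"); g.grant_role("C", "D")
    g.revoke_inherit_option("B", "C")
    return {r: g.can_select(r, "t1") for r in "BCD"}
```

In the chain case D loses access to t1 as well, because its only path to A runs through the non-inheriting B->C link.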

