authorRobert Haas <rhaas@postgresql.org>2022-08-25 10:06:02 -0400
committerRobert Haas <rhaas@postgresql.org>2022-08-25 10:06:02 -0400
commite3ce2de09d814f8770b2e3b3c152b7671bcdb83f (patch)
tree1ca5cf6da0ce86056ad4e573231a44ff651e252d /src/include
parent2059c5e3b06545e7d0650dba9c665332374c3c21 (diff)
Allow grant-level control of role inheritance behavior.
The GRANT statement can now specify WITH INHERIT TRUE or WITH INHERIT FALSE to control whether the member inherits the granted role's permissions. For symmetry, you can now likewise write WITH ADMIN TRUE or WITH ADMIN FALSE to turn ADMIN OPTION on or off. If a GRANT does not specify WITH INHERIT, the behavior is based on whether the member role is marked INHERIT or NOINHERIT. This means that if all roles are marked INHERIT or NOINHERIT before any role grants are performed, the behavior is identical to what we had before; otherwise, it's different, because ALTER ROLE [NO]INHERIT now only changes the default behavior of future grants, and has no effect on existing ones. Patch by me. Reviewed and tested by Nathan Bossart and Tushar Ahuja, with design-level comments from various others. Discussion: http://postgr.es/m/CA+Tgmoa5Sf4PiWrfxA=sGzDKg0Ojo3dADw=wAHOhR9dggV=RmQ@mail.gmail.com
Diffstat (limited to 'src/include')
-rw-r--r--src/include/catalog/catversion.h2
-rw-r--r--src/include/catalog/pg_auth_members.h1
-rw-r--r--src/include/commands/user.h2
-rw-r--r--src/include/nodes/parsenodes.h2
4 files changed, 4 insertions, 3 deletions
diff --git a/src/include/catalog/catversion.h b/src/include/catalog/catversion.h
index b227c7a3377..7482c85a86c 100644
--- a/src/include/catalog/catversion.h
+++ b/src/include/catalog/catversion.h
@@ -57,6 +57,6 @@
*/
/* yyyymmddN */
-#define CATALOG_VERSION_NO 202208221
+#define CATALOG_VERSION_NO 202208251
#endif
diff --git a/src/include/catalog/pg_auth_members.h b/src/include/catalog/pg_auth_members.h
index e57ec4f810c..3ee6ae5f6a4 100644
--- a/src/include/catalog/pg_auth_members.h
+++ b/src/include/catalog/pg_auth_members.h
@@ -34,6 +34,7 @@ CATALOG(pg_auth_members,1261,AuthMemRelationId) BKI_SHARED_RELATION BKI_ROWTYPE_
Oid member BKI_LOOKUP(pg_authid); /* ID of a member of that role */
Oid grantor BKI_LOOKUP(pg_authid); /* who granted the membership */
bool admin_option; /* granted with admin option? */
+ bool inherit_option; /* exercise privileges without SET ROLE? */
} FormData_pg_auth_members;
/* ----------------
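Review bot: The comment on `inherit_option` does not say that the flag is recorded per grant and, according to the commit description, is no longer changed by a later ALTER ROLE ... [NO]INHERIT on the member. That matters for authorization: any check that walks pg_auth_members has to read this column instead of the member's role-level setting, and code that still uses the role-level flag would presumably decide inheritance wrongly for existing rows (those callers are outside this hunk). I would make the comment explicit, for example `bool inherit_option; /* per-grant: member uses privileges without SET ROLE? */`, and add a sentence to the struct's header comment explaining that the value is fixed when the grant is made. The struct definition starts above the hunk.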
diff --git a/src/include/commands/user.h b/src/include/commands/user.h
index d3dd8303d28..54c720d8801 100644
--- a/src/include/commands/user.h
+++ b/src/include/commands/user.h
@@ -28,7 +28,7 @@ extern Oid CreateRole(ParseState *pstate, CreateRoleStmt *stmt);
extern Oid AlterRole(ParseState *pstate, AlterRoleStmt *stmt);
extern Oid AlterRoleSet(AlterRoleSetStmt *stmt);
extern void DropRole(DropRoleStmt *stmt);
-extern void GrantRole(GrantRoleStmt *stmt);
+extern void GrantRole(ParseState *pstate, GrantRoleStmt *stmt);
extern ObjectAddress RenameRole(const char *oldname, const char *newname);
extern void DropOwnedObjects(DropOwnedStmt *stmt);
extern void ReassignOwnedObjects(ReassignOwnedStmt *stmt);
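Review bot: The new `pstate` parameter of `GrantRole` is undocumented at the declaration, and nothing visible here says whether a caller may pass NULL. If it is only used to attach error locations while the grant options are processed (not visible in this header), a short comment above the prototype such as `/* pstate is used for error position reporting only */` would tell callers what they need to supply. The prototype also changes arity, so any caller of the old one-argument form stops compiling; the commit message should mention this for extension authors.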
diff --git a/src/include/nodes/parsenodes.h b/src/include/nodes/parsenodes.h
index b3760318562..469a5c46f62 100644
--- a/src/include/nodes/parsenodes.h
+++ b/src/include/nodes/parsenodes.h
@@ -2451,7 +2451,7 @@ typedef struct GrantRoleStmt
List *granted_roles; /* list of roles to be granted/revoked */
List *grantee_roles; /* list of member roles to add/delete */
bool is_grant; /* true = GRANT, false = REVOKE */
- bool admin_opt; /* with admin option */
+ List *opt; /* options e.g. WITH GRANT OPTION */
RoleSpec *grantor; /* set grantor to other than current role */
DropBehavior behavior; /* drop behavior (for REVOKE) */
} GrantRoleStmt;
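Review bot: The comment on the new `opt` field names `WITH GRANT OPTION`, which is the option for privilege grants, while the commit description says role grants take ADMIN and INHERIT. I would change it to `List *opt; /* options e.g. WITH ADMIN TRUE, WITH INHERIT FALSE */` and state the element node type of the list, which the declaration does not show. Replacing a single bool with an open list also means the code that executes the statement has to reject unknown, duplicate, or conflicting option names explicitly, since the parse node no longer constrains them. That validation is outside this hunk, so it is worth confirming it exists for both GRANT and REVOKE.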