From 620ac285483fd78a54206a8b523a877ba8fd1e9b Mon Sep 17 00:00:00 2001 From: Robert Haas Date: Mon, 29 Aug 2022 10:10:09 -0400 Subject: [PATCH] docs: Fix up some out-of-date references to INHERIT/NOINHERIT. Commit e3ce2de09d814f8770b2e3b3c152b7671bcdb83f should have updated these sections of the documentation, but failed to do so. Patch by me, reviewed by Nathan Bossart. Discussion: http://postgr.es/m/CA+TgmoaKMnde2W_=u7CqeCKi=FKnfbNQPwOR=c_3c8qD7b2nhQ@mail.gmail.com --- doc/src/sgml/ref/set_role.sgml | 19 ++++++++++--------- doc/src/sgml/user-manag.sgml | 28 ++++++++++++++++------------ 2 files changed, 26 insertions(+), 21 deletions(-) diff --git a/doc/src/sgml/ref/set_role.sgml b/doc/src/sgml/ref/set_role.sgml index 4e02322158a..deecfe4120b 100644 --- a/doc/src/sgml/ref/set_role.sgml +++ b/doc/src/sgml/ref/set_role.sgml 
@@ -71,15 +71,16 @@ RESET ROLE Using this command, it is possible to either add privileges or restrict - one's privileges. If the session user role has the INHERIT - attribute, then it automatically has all the privileges of every role that - it could SET ROLE to; in this case SET ROLE - effectively drops all the privileges assigned directly to the session user - and to the other roles it is a member of, leaving only the privileges - available to the named role. On the other hand, if the session user role - has the NOINHERIT attribute, SET ROLE drops the - privileges assigned directly to the session user and instead acquires the - privileges available to the named role. + one's privileges. If the session user role has been granted memberships + WITH INHERIT TRUE, it automatically has all the + privileges of every such role. In this case, SET ROLE + effectively drops all the privileges except for those which the target role + directly possesses or inherits. On the other hand, if the session user role + has been granted memberships WITH INHERIT FALSE, the + privileges of the granted roles can't be accessed by default. However, the + session user can use SET ROLE to drop the privileges + assigned directly to the session user and instead acquire the privileges + available to the named role. diff --git a/doc/src/sgml/user-manag.sgml b/doc/src/sgml/user-manag.sgml index 54cb253d95e..9b1f002d1bb 100644 --- a/doc/src/sgml/user-manag.sgml +++ b/doc/src/sgml/user-manag.sgml 
@@ -241,9 +241,12 @@ CREATE USER name; inheritance of privilegesroleprivilege to inherit - A role is given permission to inherit the privileges of roles it is a - member of, by default. However, to create a role without the permission, - use CREATE ROLE name NOINHERIT. + A role inherits the privileges of roles it is a member of, by default. + However, to create a role which does not inherit privileges by + default, use CREATE ROLE name + NOINHERIT. Alternatively, inheritance can be overriden + for individual grants by using WITH INHERIT TRUE + or WITH INHERIT FALSE. @@ -357,16 +360,17 @@ REVOKE group_role FROM role1INHERIT attribute automatically have use - of the privileges of roles of which they are members, including any + roles that have the been granted membership with the + INHERIT option automatically have use + of the privileges of those roles, including any privileges inherited by those roles. As an example, suppose we have done: -CREATE ROLE joe LOGIN INHERIT; -CREATE ROLE admin NOINHERIT; -CREATE ROLE wheel NOINHERIT; -GRANT admin TO joe; -GRANT wheel TO admin; +CREATE ROLE joe LOGIN; +CREATE ROLE admin; +CREATE ROLE wheel; +GRANT admin TO joe WITH INHERIT TRUE; +GRANT wheel TO admin WITH INHERIT FALSE; Immediately after connecting as role joe, a database session will have use of privileges granted directly to joe @@ -374,8 +378,8 @@ GRANT wheel TO admin; inherits admin's privileges. However, privileges granted to wheel are not available, because even though joe is indirectly a member of wheel, the - membership is via admin which has the NOINHERIT - attribute. After: + membership is via admin which was granted using + WITH INHERIT FALSE. After: SET ROLE admin; -- 2.39.5
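Review bot: in the set_role.sgml hunk (@@ -71), the rewritten paragraph still describes the session user as either "granted memberships WITH INHERIT TRUE" or "granted memberships WITH INHERIT FALSE", but the option is set per grant, so one role can hold memberships of both kinds at once and neither branch of the sentence describes it. Phrase it per membership instead, e.g. "For each membership granted WITH INHERIT TRUE, the session user automatically has the privileges of that role ... For a membership granted WITH INHERIT FALSE, the privileges of that role can't be accessed by default, but the session user can use SET ROLE to drop the privileges assigned directly to it and instead acquire the privileges available to the named role."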
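Review bot: typo in the first user-manag.sgml hunk (@@ -241): "inheritance can be overriden for individual grants" should read "overridden".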
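Review bot: stray word in the second user-manag.sgml hunk (@@ -357): "roles that have the been granted membership with the INHERIT option" should read "roles that have been granted membership with the INHERIT option". The reworked example (GRANT admin TO joe WITH INHERIT TRUE; GRANT wheel TO admin WITH INHERIT FALSE) otherwise matches the new per-grant wording.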
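Review bot: the third user-manag.sgml hunk (@@ -374) is ambiguous about which grant lacks inheritance: "membership is via admin which was granted using WITH INHERIT FALSE" reads as if admin's membership were granted that way, but in the example admin was granted to joe WITH INHERIT TRUE; it is admin's membership in wheel (GRANT wheel TO admin WITH INHERIT FALSE) that blocks inheritance. Suggest "the membership is via admin, whose membership in wheel was granted WITH INHERIT FALSE".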