Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1vibWB-00At0y-0J for pgsql-bugs@arkaria.postgresql.org; Wed, 21 Jan 2026 16:57:19 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.96) (envelope-from ) id 1vibW9-008Dtx-2t for pgsql-bugs@arkaria.postgresql.org; Wed, 21 Jan 2026 16:57:18 +0000 Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1vibW9-008Df5-23 for pgsql-bugs@lists.postgresql.org; Wed, 21 Jan 2026 16:57:17 +0000 Received: from sss.pgh.pa.us ([68.162.161.243]) by magus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1vibW2-001keP-2J for pgsql-bugs@lists.postgresql.org; Wed, 21 Jan 2026 16:57:12 +0000 Received: from sss1.sss.pgh.pa.us (localhost [127.0.0.1]) by sss.pgh.pa.us (8.15.2/8.15.2) with ESMTP id 60LGv1ah2222572; Wed, 21 Jan 2026 11:57:01 -0500 From: Tom Lane To: Nathan Bossart cc: Robert Haas , Peter Eisentraut , "David G. Johnston" , "Ing. Marijo Kristo" , PostgreSQL Bug List Subject: Re: Revoke Connect Privilege from Database not working In-reply-to: References: <3467676.1744041977@sss.pgh.pa.us> <1933586.1768950341@sss.pgh.pa.us> Comments: In-reply-to Nathan Bossart message dated "Wed, 21 Jan 2026 09:28:53 -0600" MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-ID: <2222570.1769014621.1@sss.pgh.pa.us> Date: Wed, 21 Jan 2026 11:57:01 -0500 Message-ID: <2222571.1769014621@sss.pgh.pa.us> List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk Nathan Bossart writes: > Yeah, I think doing most of the work in select_best_grantor() is obviously > better. I recall wondering whether we should check for INHERIT or SET > privilege (or both) on the grantor role, and IIRC I settled on INHERIT > because select_best_grantor() searches through roles we have INHERIT on. Yeah, I mentally had that point as something to check on. Clearly, if you have SET ROLE privilege then you can become the target role and then issue the GRANT, so if we define GRANTED BY like that then we're not allowing anything that can't be done today. However, it feels like INHERIT is a more natural test to make, since AIUI that is what permits "automatic" use of a role's privileges, and that seems to be what we'd be doing here. I'd be interested to hear Robert's opinion on this, or somebody else who worked on the SET/INHERIT splitup. Also cc'ing Peter, who put in the current effectively-a-noise-clause behavior of GRANTED BY, to see if he has standards-compliance or other concerns about changing this. > Would you like to handle docs/tests/committing, or shall I? I'm willing to push it forward if we have consensus to do it. regards, tom lane