release-20.2: sql: do not inherit role options #55305
Merged
Backport 1/1 commits from #55292.
/cc @cockroachdb/release
Previously, if a role had a role-level option like CREATEROLE, users who
were granted this role would inherit that privilege. This is
incompatible with Postgres, where such options are not inherited and
must be set explicitly on each user. I changed our behavior to match
Postgres.
The only role option this affects which is present in v20.1 is
CREATEROLE. This also affects all the new role options we added in
v20.2, such as CREATEDB.
Note that this does not affect privileges on database objects, e.g. the
SELECT privilege on a table. These continue to be inherited.
Fixes #53480
Release note (backward-incompatible change): For PostgreSQL
compatibility, the CREATEROLE privilege is no longer inherited by
children of a role which has that privilege. For example, say we run
these statements:
Previously, the child role would have the CREATEROLE privilege. Now it
will not. In order to grant this privilege to the child role, it is
necessary to run ALTER ROLE child WITH CREATEROLE.
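An upgrade audit for the change described above, as an added example that is not part of this PR or of CockroachDB's code: given each principal's directly set role options and the role membership edges, it lists principals that reached CREATEROLE (or another option such as CREATEDB) only through membership and therefore lose it. The role names and data are constructed, the function names are hypothetical, and treating membership as transitive is an assumption.

```python
def inherited_only(direct_options, memberships, option="CREATEROLE"):
    """Map each principal that lacks `option` directly to the ancestor roles
    that carry it, i.e. the principals affected by the non-inheritance change."""
    parents = {}
    for role, member in memberships:          # edge: `member` was granted `role`
        parents.setdefault(member, set()).add(role)

    def ancestors(name):
        # Walk membership edges upward; `seen` also guards against cycles.
        seen, stack = set(), list(parents.get(name, ()))
        while stack:
            role = stack.pop()
            if role not in seen:
                seen.add(role)
                stack.extend(parents.get(role, ()))
        return seen

    affected = {}
    for name in sorted(set(direct_options) | set(parents)):
        if option in direct_options.get(name, set()):
            continue                           # set explicitly: unaffected
        sources = sorted(r for r in ancestors(name)
                         if option in direct_options.get(r, set()))
        if sources:
            affected[name] = sources
    return affected


def review_statements(affected, option="CREATEROLE"):
    """Candidate statements in the form the release note gives. Each one is a
    decision to review, not something to apply blindly."""
    return [f"ALTER ROLE {name} WITH {option}" for name in sorted(affected)]


# Constructed sample data (not taken from any real cluster).
DIRECT = {
    "parent": {"CREATEROLE"},
    "dba": {"CREATEROLE", "CREATEDB"},
    "alice": {"CREATEROLE"},
    "child": set(),
    "bob": set(),
}
MEMBERSHIPS = [("parent", "child"), ("child", "bob"),
               ("parent", "alice"), ("dba", "carol")]

if __name__ == "__main__":
    for stmt in review_statements(inherited_only(DIRECT, MEMBERSHIPS)):
        print(stmt)
```

Principals that appear in the output previously held the option implicitly; grant it explicitly only where the access is still intended.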