release-20.2: sql: do not inherit role options #55305
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Previously, if a role had a role-level option like CREATEROLE, users who were granted this role would inherit that privilege. This is incompatible with Postgres, where such options are not inherited and must be set explicitly on each user. I changed our behavior to match Postgres. The only role option this affects which is present in v20.1 is CREATEROLE. This also affects all the new role options we added in v20.2, such as CREATEDB. Note that this does not affect privileges on database objects, e.g. the SELECT privilege on a table. These continue to be inherited. Fixes cockroachdb#53480 Release note (backward-incompatible change): For PostgreSQL compatibility, the CREATEROLE privilege is no longer inherited by children of a role which has that privilege. For example, say we run these statements: ``` CREATE ROLE parent WITH CREATEROLE; CREATE ROLE child; GRANT parent TO child; ``` Previously, the child role would have the CREATEROLE privilege. Now it will not. In order to grant this privilege to the child role, it is necessary to run `ALTER ROLE child WITH CREATEROLE`.
|
This change is |
otan
approved these changes
Oct 7, 2020
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Backport 1/1 commits from #55292.
/cc @cockroachdb/release
Previously, if a role had a role-level option like CREATEROLE, users who
were granted this role would inherit that privilege. This is
incompatible with Postgres, where such options are not inherited and
must be set explicitly on each user. I changed our behavior to match
Postgres.
The only role option this affects which is present in v20.1 is
CREATEROLE. This also affects all the new role options we added in
v20.2, such as CREATEDB.
Note that this does not affect privileges on database objects, e.g. the
SELECT privilege on a table. These continue to be inherited.
Fixes #53480
Release note (backward-incompatible change): For PostgreSQL
compatibility, the CREATEROLE privilege is no longer inherited by
children of a role which has that privilege. For example, say we run
these statements:
Previously, the child role would have the CREATEROLE privilege. Now it
will not. In order to grant this privilege to the child role, it is
necessary to run
ALTER ROLE child WITH CREATEROLE.