Re: replacing role-level NOINHERIT with a grant-level option

Robert Haas <robertmhaas@gmail.com> writes:
> Is this a kind of change people would support? Here's a quick sketch:

> 1. Extend the GRANT role_name TO role_name [ WITH ADMIN OPTION ] with
> a new, optional clause, something like WITH NO INHERIT or WITH
> NOINHERIT or WITHOUT INHERIT.
> 2. Remove the INHERIT | NOINHERIT flag from CREATE ROLE and ALTER ROLE.
> 3. Replace pg_authid.rolinherit with pg_auth_members.inherit. Any
> place where we would have considered rolinherit, instead consider the
> inherit flag for the particular pg_auth_members entry at issue.
> 4. When dumping from an old version, dump all grants to NOINHERIT
> roles as non-inheritable grants.

Point 2 would cause every existing pg_dumpall script to fail, which
seems like kind of a large gotcha.  Less unpleasant alternatives
could include

* Continue to accept the syntax, but ignore it, maybe with a WARNING
for the alternative that doesn't correspond to the new behavior.

* Keep pg_authid.rolinherit, and have it act as supplying the default
behavior for subsequent GRANTs to that role.

Perhaps there are other ways.

            regards, tom lane