Add a role property 'rolinherit' which, when false, denotes that the role

doesn't automatically inherit the privileges of roles it is a member of;
for such a role, membership in another role can be exploited only by doing
explicit SET ROLE.  The default inherit setting is TRUE, so by default
the behavior doesn't change, but creating a user with NOINHERIT gives closer
adherence to our current reading of SQL99.  Documentation still lacking,
and I think the information schema needs another look.

Author: tglsfdc

doc/src/sgml/catalogs.sgml

@@ -1,6 +1,6 @@
 <!--
  Documentation of the system catalogs, directed toward PostgreSQL developers
- $PostgreSQL: pgsql/doc/src/sgml/catalogs.sgml,v 2.108 2005/07/14 05:13:38 tgl Exp $
+ $PostgreSQL: pgsql/doc/src/sgml/catalogs.sgml,v 2.109 2005/07/26 16:38:25 tgl Exp $
  -->
 
 <chapter id="catalogs">
@@ -976,6 +976,14 @@
       <entry>Role has superuser privileges</entry>
      </row>
 
+     <row>
+      <entry><structfield>rolinherit</structfield></entry>
+      <entry><type>bool</type></entry>
+      <entry></entry>
+      <entry>Role automatically inherits privileges of roles it is a
+       member of</entry>
+     </row>
+
      <row>
       <entry><structfield>rolcreaterole</structfield></entry>
       <entry><type>bool</type></entry>
@@ -4728,6 +4736,11 @@
    that blanks out the password field.
   </para>
 
+  <para>
+   This view explicitly exposes the OID column of the underlying table,
+   since that is needed to do joins to other catalogs.
+  </para>
+
   <table>
    <title><structname>pg_roles</> Columns</title>
 
@@ -4756,6 +4769,14 @@
       <entry>Role has superuser privileges</entry>
      </row>
 
+     <row>
+      <entry><structfield>rolinherit</structfield></entry>
+      <entry><type>bool</type></entry>
+      <entry></entry>
+      <entry>Role automatically inherits privileges of roles it is a
+       member of</entry>
+     </row>
+
      <row>
       <entry><structfield>rolcreaterole</structfield></entry>
       <entry><type>bool</type></entry>
@@ -4811,6 +4832,13 @@
       <entry></entry>
       <entry>Session defaults for run-time configuration variables</entry>
      </row>
+
+     <row>
+      <entry><structfield>oid</structfield></entry>
+      <entry><type>oid</type></entry>
+      <entry><literal><link linkend="catalog-pg-authid"><structname>pg_authid</structname></link>.oid</literal></entry>
+      <entry>ID of role</entry>
+     </row>
     </tbody>
    </tgroup>
   </table>

doc/src/sgml/func.sgml

@@ -1,5 +1,5 @@
 <!--
-$PostgreSQL: pgsql/doc/src/sgml/func.sgml,v 1.271 2005/07/26 00:04:17 tgl Exp $
+$PostgreSQL: pgsql/doc/src/sgml/func.sgml,v 1.272 2005/07/26 16:38:25 tgl Exp $
 PostgreSQL documentation
 -->
 
@@ -8559,7 +8559,12 @@ SELECT has_function_privilege('joeuser', 'myfunc(int, text)', 'execute');
     can access a role in a particular way.  The possibilities for its
     arguments are analogous to <function>has_table_privilege</function>.
     The desired access privilege type must evaluate to
-    <literal>MEMBER</literal>.
+    <literal>MEMBER</literal> or
+    <literal>USAGE</literal>.
+    <literal>MEMBER</literal> denotes direct or indirect membership in
+    the role (that is, the right to do <literal>SET ROLE</>), while
+    <literal>USAGE</literal> denotes whether the privileges of the role
+    are immediately available without doing <literal>SET ROLE</>.
    </para>
 
    <para>

src/backend/catalog/aclchk.c

@@ -8,7 +8,7 @@
  *
  *
  * IDENTIFICATION
- *	  $PostgreSQL: pgsql/src/backend/catalog/aclchk.c,v 1.115 2005/07/07 20:39:57 tgl Exp $
+ *	  $PostgreSQL: pgsql/src/backend/catalog/aclchk.c,v 1.116 2005/07/26 16:38:26 tgl Exp $
  *
  * NOTES
  *	  See acl.h.
@@ -1984,7 +1984,7 @@ pg_class_ownercheck(Oid class_oid, Oid roleid)
 
 	ReleaseSysCache(tuple);
 
-	return is_member_of_role(roleid, ownerId);
+	return has_privs_of_role(roleid, ownerId);
 }
 
 /*
@@ -2012,7 +2012,7 @@ pg_type_ownercheck(Oid type_oid, Oid roleid)
 
 	ReleaseSysCache(tuple);
 
-	return is_member_of_role(roleid, ownerId);
+	return has_privs_of_role(roleid, ownerId);
 }
 
 /*
@@ -2040,7 +2040,7 @@ pg_oper_ownercheck(Oid oper_oid, Oid roleid)
 
 	ReleaseSysCache(tuple);
 
-	return is_member_of_role(roleid, ownerId);
+	return has_privs_of_role(roleid, ownerId);
 }
 
 /*
@@ -2068,7 +2068,7 @@ pg_proc_ownercheck(Oid proc_oid, Oid roleid)
 
 	ReleaseSysCache(tuple);
 
-	return is_member_of_role(roleid, ownerId);
+	return has_privs_of_role(roleid, ownerId);
 }
 
 /*
@@ -2096,7 +2096,7 @@ pg_namespace_ownercheck(Oid nsp_oid, Oid roleid)
 
 	ReleaseSysCache(tuple);
 
-	return is_member_of_role(roleid, ownerId);
+	return has_privs_of_role(roleid, ownerId);
 }
 
 /*
@@ -2135,7 +2135,7 @@ pg_tablespace_ownercheck(Oid spc_oid, Oid roleid)
 	heap_endscan(scan);
 	heap_close(pg_tablespace, AccessShareLock);
 
-	return is_member_of_role(roleid, spcowner);
+	return has_privs_of_role(roleid, spcowner);
 }
 
 /*
@@ -2164,7 +2164,7 @@ pg_opclass_ownercheck(Oid opc_oid, Oid roleid)
 
 	ReleaseSysCache(tuple);
 
-	return is_member_of_role(roleid, ownerId);
+	return has_privs_of_role(roleid, ownerId);
 }
 
 /*
@@ -2203,7 +2203,7 @@ pg_database_ownercheck(Oid db_oid, Oid roleid)
 	heap_endscan(scan);
 	heap_close(pg_database, AccessShareLock);
 
-	return is_member_of_role(roleid, dba);
+	return has_privs_of_role(roleid, dba);
 }
 
 /*
@@ -2231,5 +2231,5 @@ pg_conversion_ownercheck(Oid conv_oid, Oid roleid)
 
 	ReleaseSysCache(tuple);
 
-	return is_member_of_role(roleid, ownerId);
+	return has_privs_of_role(roleid, ownerId);
 }

src/backend/catalog/system_views.sql

@@ -3,20 +3,22 @@
  *
  * Copyright (c) 1996-2005, PostgreSQL Global Development Group
  *
- * $PostgreSQL: pgsql/src/backend/catalog/system_views.sql,v 1.16 2005/06/28 05:08:52 tgl Exp $
+ * $PostgreSQL: pgsql/src/backend/catalog/system_views.sql,v 1.17 2005/07/26 16:38:26 tgl Exp $
  */
 
 CREATE VIEW pg_roles AS 
     SELECT 
         rolname,
         rolsuper,
+        rolinherit,
         rolcreaterole,
         rolcreatedb,
         rolcatupdate,
         rolcanlogin,
         '********'::text as rolpassword,
         rolvaliduntil,
-        rolconfig
+        rolconfig,
+        oid
     FROM pg_authid;
 
 CREATE VIEW pg_shadow AS

src/backend/commands/user.c

@@ -6,7 +6,7 @@
  * Portions Copyright (c) 1996-2005, PostgreSQL Global Development Group
  * Portions Copyright (c) 1994, Regents of the University of California
  *
- * $PostgreSQL: pgsql/src/backend/commands/user.c,v 1.157 2005/07/25 22:12:31 tgl Exp $
+ * $PostgreSQL: pgsql/src/backend/commands/user.c,v 1.158 2005/07/26 16:38:26 tgl Exp $
  *
  *-------------------------------------------------------------------------
  */
@@ -82,6 +82,7 @@ CreateRole(CreateRoleStmt *stmt)
 	bool		encrypt_password = Password_encryption; /* encrypt password? */
 	char		encrypted_password[MD5_PASSWD_LEN + 1];
 	bool		issuper = false;		/* Make the user a superuser? */
+	bool		inherit = true;			/* Auto inherit privileges? */
 	bool		createrole = false;		/* Can this user create roles? */
 	bool		createdb = false;		/* Can the user create databases? */
 	bool		canlogin = false;		/* Can this user login? */
@@ -91,6 +92,7 @@ CreateRole(CreateRoleStmt *stmt)
 	char	   *validUntil = NULL;		/* time the login is valid until */
 	DefElem    *dpassword = NULL;
 	DefElem    *dissuper = NULL;
+	DefElem    *dinherit = NULL;
 	DefElem    *dcreaterole = NULL;
 	DefElem    *dcreatedb = NULL;
 	DefElem    *dcanlogin = NULL;
@@ -99,6 +101,19 @@ CreateRole(CreateRoleStmt *stmt)
 	DefElem    *dadminmembers = NULL;
 	DefElem    *dvalidUntil = NULL;
 
+	/* The defaults can vary depending on the original statement type */
+	switch (stmt->stmt_type)
+	{
+		case ROLESTMT_ROLE:
+			break;
+		case ROLESTMT_USER:
+			canlogin = true;
+			/* may eventually want inherit to default to false here */
+			break;
+		case ROLESTMT_GROUP:
+			break;
+	}
+
 	/* Extract options from the statement node tree */
 	foreach(option, stmt->options)
 	{
@@ -120,7 +135,7 @@ CreateRole(CreateRoleStmt *stmt)
 		}
 		else if (strcmp(defel->defname, "sysid") == 0)
 		{
-			ereport(WARNING,
+			ereport(NOTICE,
 					(errmsg("SYSID can no longer be specified")));
 		}
 		else if (strcmp(defel->defname, "superuser") == 0)
@@ -131,6 +146,14 @@ CreateRole(CreateRoleStmt *stmt)
 						 errmsg("conflicting or redundant options")));
 			dissuper = defel;
 		}
+		else if (strcmp(defel->defname, "inherit") == 0)
+		{
+			if (dinherit)
+				ereport(ERROR,
+						(errcode(ERRCODE_SYNTAX_ERROR),
+						 errmsg("conflicting or redundant options")));
+			dinherit = defel;
+		}
 		else if (strcmp(defel->defname, "createrole") == 0)
 		{
 			if (dcreaterole)
@@ -196,6 +219,8 @@ CreateRole(CreateRoleStmt *stmt)
 		password = strVal(dpassword->arg);
 	if (dissuper)
 		issuper = intVal(dissuper->arg) != 0;
+	if (dinherit)
+		inherit = intVal(dinherit->arg) != 0;
 	if (dcreaterole)
 		createrole = intVal(dcreaterole->arg) != 0;
 	if (dcreatedb)
@@ -261,6 +286,7 @@ CreateRole(CreateRoleStmt *stmt)
 		DirectFunctionCall1(namein, CStringGetDatum(stmt->role));
 
 	new_record[Anum_pg_authid_rolsuper - 1] = BoolGetDatum(issuper);
+	new_record[Anum_pg_authid_rolinherit - 1] = BoolGetDatum(inherit);
 	new_record[Anum_pg_authid_rolcreaterole - 1] = BoolGetDatum(createrole);
 	new_record[Anum_pg_authid_rolcreatedb - 1] = BoolGetDatum(createdb);
 	/* superuser gets catupdate right by default */
@@ -367,13 +393,15 @@ AlterRole(AlterRoleStmt *stmt)
 	bool		encrypt_password = Password_encryption; /* encrypt password? */
 	char		encrypted_password[MD5_PASSWD_LEN + 1];
 	int			issuper = -1;			/* Make the user a superuser? */
+	int			inherit = -1;			/* Auto inherit privileges? */
 	int			createrole = -1;		/* Can this user create roles? */
 	int			createdb = -1;			/* Can the user create databases? */
 	int			canlogin = -1;			/* Can this user login? */
 	List	   *rolemembers = NIL;		/* roles to be added/removed */
 	char	   *validUntil = NULL;		/* time the login is valid until */
 	DefElem    *dpassword = NULL;
 	DefElem    *dissuper = NULL;
+	DefElem    *dinherit = NULL;
 	DefElem    *dcreaterole = NULL;
 	DefElem    *dcreatedb = NULL;
 	DefElem    *dcanlogin = NULL;
@@ -408,6 +436,14 @@ AlterRole(AlterRoleStmt *stmt)
 						 errmsg("conflicting or redundant options")));
 			dissuper = defel;
 		}
+		else if (strcmp(defel->defname, "inherit") == 0)
+		{
+			if (dinherit)
+				ereport(ERROR,
+						(errcode(ERRCODE_SYNTAX_ERROR),
+						 errmsg("conflicting or redundant options")));
+			dinherit = defel;
+		}
 		else if (strcmp(defel->defname, "createrole") == 0)
 		{
 			if (dcreaterole)
@@ -458,6 +494,8 @@ AlterRole(AlterRoleStmt *stmt)
 		password = strVal(dpassword->arg);
 	if (dissuper)
 		issuper = intVal(dissuper->arg);
+	if (dinherit)
+		inherit = intVal(dinherit->arg);
 	if (dcreaterole)
 		createrole = intVal(dcreaterole->arg);
 	if (dcreatedb)
@@ -497,10 +535,10 @@ AlterRole(AlterRoleStmt *stmt)
 					(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
 					 errmsg("must be superuser to alter superusers")));
 	}
-	else
+	else if (!have_createrole_privilege())
 	{
-		if (!have_createrole_privilege() &&
-			!(createrole < 0 &&
+		if (!(inherit < 0 &&
+			  createrole < 0 &&
 			  createdb < 0 &&
 			  canlogin < 0 &&
 			  !rolemembers &&
@@ -536,6 +574,12 @@ AlterRole(AlterRoleStmt *stmt)
 		new_record_repl[Anum_pg_authid_rolcatupdate - 1] = 'r';
 	}
 
+	if (inherit >= 0)
+	{
+		new_record[Anum_pg_authid_rolinherit - 1] = BoolGetDatum(inherit > 0);
+		new_record_repl[Anum_pg_authid_rolinherit - 1] = 'r';
+	}
+
 	if (createrole >= 0)
 	{
 		new_record[Anum_pg_authid_rolcreaterole - 1] = BoolGetDatum(createrole > 0);

src/backend/nodes/copyfuncs.c

@@ -15,7 +15,7 @@
  * Portions Copyright (c) 1994, Regents of the University of California
  *
  * IDENTIFICATION
- *	  $PostgreSQL: pgsql/src/backend/nodes/copyfuncs.c,v 1.311 2005/07/02 23:00:39 tgl Exp $
+ *	  $PostgreSQL: pgsql/src/backend/nodes/copyfuncs.c,v 1.312 2005/07/26 16:38:27 tgl Exp $
  *
  *-------------------------------------------------------------------------
  */
@@ -2392,6 +2392,7 @@ _copyCreateRoleStmt(CreateRoleStmt *from)
 {
 	CreateRoleStmt *newnode = makeNode(CreateRoleStmt);
 
+	COPY_SCALAR_FIELD(stmt_type);
 	COPY_STRING_FIELD(role);
 	COPY_NODE_FIELD(options);
 

src/backend/nodes/equalfuncs.c

@@ -18,7 +18,7 @@
  * Portions Copyright (c) 1994, Regents of the University of California
  *
  * IDENTIFICATION
- *	  $PostgreSQL: pgsql/src/backend/nodes/equalfuncs.c,v 1.248 2005/07/02 23:00:39 tgl Exp $
+ *	  $PostgreSQL: pgsql/src/backend/nodes/equalfuncs.c,v 1.249 2005/07/26 16:38:27 tgl Exp $
  *
  *-------------------------------------------------------------------------
  */
@@ -1308,6 +1308,7 @@ _equalDropPLangStmt(DropPLangStmt *a, DropPLangStmt *b)
 static bool
 _equalCreateRoleStmt(CreateRoleStmt *a, CreateRoleStmt *b)
 {
+	COMPARE_SCALAR_FIELD(stmt_type);
 	COMPARE_STRING_FIELD(role);
 	COMPARE_NODE_FIELD(options);