通过 Postgres 中的角色授予

Question

I'd like to ask Postgres experts about a confusing sentence which I found in the documentation. In particular, I refer to the GRANT command, where the documentation states:

If the role executing GRANT holds the required privileges indirectly via more than one role membership path, it is unspecified which containing role will be recorded as having done the grant. In such cases it is best practice to use SET ROLE to become the specific role you want to do the GRANT as.

If I understand correctly, this is related to role inheritance. In particular, you might have a role C which inherits a permission from both role A and role B. In this case, if a user has role C and grants the permission, then Postgres might non-deterministically stipulate that the permission was granted by either A or B. To avoid this ambiguity, the user can issue SET ROLE A or SET ROLE B to force a lesser role and clarify how the granting should occur.

Some questions about this and a more general one:

1. Is this reading correct or does the sentence mean something different?
2. What if, in the prior example, a user has the permission via A and C (as opposed to A and B)? In that case, the recommended practice of using "SET ROLE to become the specific role you want to do the GRANT as" does not seem to help, because setting the role to C still leaves an ambiguity due to inheritance.
3. More generally, is there any good reference documentation where the role system of Postgres is compared against traditional SQL grant diagrams? Some parts of the Postgres implementation are not straightforward and I'd like to learn more about it, which is complicated to do via experiments alone.

Thanks in advance.

Answer 1

Yes, in my opinion, you are right:

1. You understand it correctly.

2. It is no matters if the role that grants a permission has innerited the privilege or not. For each permission that you have postgress registers the role that granted the privilege.

3. I don't know. If you find it, please post a comment.