public inbox for [email protected]
help / color / mirror / Atom feedFrom: Tom Lane <[email protected]>
To: Laurenz Albe <[email protected]>
Cc: [email protected]
Cc: [email protected]
Subject: Re: Role membership and DROP
Date: Tue, 19 Nov 2019 13:21:37 -0500
Message-ID: <[email protected]> (raw)
In-Reply-To: <[email protected]>
References: <[email protected]>
<[email protected]>
<[email protected]>
<[email protected]>
<[email protected]>
Laurenz Albe <[email protected]> writes:
> On Fri, 2019-11-15 at 13:41 -0500, Tom Lane wrote:
>> Laurenz Albe <[email protected]> writes:
>>> On Wed, 2019-11-13 at 17:17 -0500, Tom Lane wrote:
>>>> It might be worth clarifying this point in section 5.7,
>>>> https://www.postgresql.org/docs/devel/ddl-priv.html
> I like your second sentence, but I think that "the right ... is inherent
> in being the ... owner" is unnecessarily complicated.
> Removing the "always" and "only" makes the apparent contradiction between
> the sentences less jarring to me.
I think it's important to emphasize that this is implicit in object
ownership.
Looking at the page again, I notice that there's a para a little further
down that overlaps quite a bit with what we're discussing here, but it's
about implicit grant options rather than the right to DROP. In the
attached, I reworded that too, and moved it because it's not fully
intelligible until we've explained grant options. Thoughts?
regards, tom lane
Attachments:
[text/x-diff] doc-owner-privileges-3.patch (1.7K, 2-doc-owner-privileges-3.patch)
download | inline diff:
diff --git a/doc/src/sgml/ddl.sgml b/doc/src/sgml/ddl.sgml
index 9d6ec2c..0be0774 100644
--- a/doc/src/sgml/ddl.sgml
+++ b/doc/src/sgml/ddl.sgml
@@ -1578,8 +1578,10 @@ ALTER TABLE products RENAME TO items;
</para>
<para>
- The right to modify or destroy an object is always the privilege of
- the owner only.
+ The right to modify or destroy an object is inherent in being the
+ object's owner, and cannot be granted or revoked in itself.
+ (However, like all privileges, that right can be inherited by
+ members of the owning role; see <xref linkend="role-membership"/>.)
</para>
<para>
@@ -1614,17 +1616,11 @@ GRANT UPDATE ON accounts TO joe;
</para>
<para>
- To revoke a privilege, use the fittingly named
+ To revoke a previously-granted privilege, use the fittingly named
<xref linkend="sql-revoke"/> command:
<programlisting>
REVOKE ALL ON accounts FROM PUBLIC;
</programlisting>
- The special privileges of the object owner (i.e., the right to do
- <command>DROP</command>, <command>GRANT</command>, <command>REVOKE</command>, etc.)
- are always implicit in being the owner,
- and cannot be granted or revoked. But the object owner can choose
- to revoke their own ordinary privileges, for example to make a
- table read-only for themselves as well as others.
</para>
<para>
@@ -1639,6 +1635,13 @@ REVOKE ALL ON accounts FROM PUBLIC;
</para>
<para>
+ An object's owner can choose to revoke their own ordinary privileges,
+ for example to make a table read-only for themselves as well as others.
+ But owners are always treated as holding all grant options, so they
+ can always re-grant their own privileges.
+ </para>
+
+ <para>
The available privileges are:
<variablelist>
view thread (8+ messages) latest in thread
reply
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Reply to all the recipients using the --to and --cc options:
reply via email
To: [email protected]
Cc: [email protected], [email protected], [email protected], [email protected]
Subject: Re: Role membership and DROP
In-Reply-To: <[email protected]>
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox