Received: from malur.postgresql.org ([217.196.149.56])
	by arkaria.postgresql.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_CBC_SHA1:256)
	(Exim 4.89)
	(envelope-from <pgsql-hackers-owner+archive@lists.postgresql.org>)
	id 1iX88K-00043Q-4S
	for pgsql-hackers@arkaria.postgresql.org; Tue, 19 Nov 2019 18:21:48 +0000
Received: from localhost ([127.0.0.1] helo=malur.postgresql.org)
	by malur.postgresql.org with esmtp (Exim 4.89)
	(envelope-from <pgsql-hackers-owner+archive@lists.postgresql.org>)
	id 1iX88H-0006oJ-5l
	for pgsql-hackers@arkaria.postgresql.org; Tue, 19 Nov 2019 18:21:45 +0000
Received: from makus.postgresql.org ([2001:4800:3e1:1::229])
	by malur.postgresql.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_CBC_SHA1:256)
	(Exim 4.89)
	(envelope-from <tgl@sss.pgh.pa.us>)
	id 1iX88G-0006o7-Nf; Tue, 19 Nov 2019 18:21:44 +0000
Received: from sss.pgh.pa.us ([66.207.139.130])
	by makus.postgresql.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
	(Exim 4.92)
	(envelope-from <tgl@sss.pgh.pa.us>)
	id 1iX88D-0007lA-4D; Tue, 19 Nov 2019 18:21:42 +0000
Received: from sss1.sss.pgh.pa.us (localhost [127.0.0.1])
	by sss.pgh.pa.us (8.14.4/8.14.4) with ESMTP id xAJILbAF022270;
	Tue, 19 Nov 2019 13:21:37 -0500
From: Tom Lane <tgl@sss.pgh.pa.us>
To: Laurenz Albe <laurenz.albe@cybertec.at>
cc: pgsql-hackers@postgresql.org, pgsql-docs@lists.postgresql.org
Subject: Re: Role membership and DROP
In-reply-to: <6c993738c0054bedb9622da0d6789a8d12955cb2.camel@cybertec.at>
References: <504497aca66bf34bdcdd90bd0bcebdc3a33f577b.camel@cybertec.at>
 <6808.1573683426@sss.pgh.pa.us>
 <c1b3ed843b5002d56c04885b7ce7d0eea08c22c9.camel@cybertec.at>
 <10546.1573843266@sss.pgh.pa.us>
 <6c993738c0054bedb9622da0d6789a8d12955cb2.camel@cybertec.at>
Comments: In-reply-to Laurenz Albe <laurenz.albe@cybertec.at>
	message dated "Mon, 18 Nov 2019 15:40:51 +0100"
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----- =_aaaaaaaaaa0"
Content-ID: <22176.1574187562.0@sss.pgh.pa.us>
Date: Tue, 19 Nov 2019 13:21:37 -0500
Message-ID: <22269.1574187697@sss.pgh.pa.us>
List-Id: <pgsql-hackers.lists.postgresql.org>
List-Help: <https://lists.postgresql.org/manage/>
List-Subscribe: <https://lists.postgresql.org/manage/>
List-Post: <mailto:pgsql-hackers@lists.postgresql.org>
List-Owner: <mailto:pgsql-hackers-owner@lists.postgresql.org>
List-Archive: <https://www.postgresql.org/list/pgsql-hackers>
Precedence: bulk

------- =_aaaaaaaaaa0
Content-Type: text/plain; charset="us-ascii"
Content-ID: <22176.1574187562.1@sss.pgh.pa.us>

Laurenz Albe <laurenz.albe@cybertec.at> writes:
> On Fri, 2019-11-15 at 13:41 -0500, Tom Lane wrote:
>> Laurenz Albe <laurenz.albe@cybertec.at> writes:
>>> On Wed, 2019-11-13 at 17:17 -0500, Tom Lane wrote:
>>>> It might be worth clarifying this point in section 5.7,
>>>> https://www.postgresql.org/docs/devel/ddl-priv.html

> I like your second sentence, but I think that "the right ... is inherent
> in being the ... owner" is unnecessarily complicated.
> Removing the "always" and "only" makes the apparent contradiction between
> the sentences less jarring to me.

I think it's important to emphasize that this is implicit in object
ownership.

Looking at the page again, I notice that there's a para a little further
down that overlaps quite a bit with what we're discussing here, but it's
about implicit grant options rather than the right to DROP.  In the
attached, I reworded that too, and moved it because it's not fully
intelligible until we've explained grant options.  Thoughts?

			regards, tom lane


------- =_aaaaaaaaaa0
Content-Type: text/x-diff; name="doc-owner-privileges-3.patch";
	charset="us-ascii"
Content-ID: <22176.1574187562.2@sss.pgh.pa.us>
Content-Description: doc-owner-privileges-3.patch
Content-Transfer-Encoding: quoted-printable

diff --git a/doc/src/sgml/ddl.sgml b/doc/src/sgml/ddl.sgml
index 9d6ec2c..0be0774 100644
--- a/doc/src/sgml/ddl.sgml
+++ b/doc/src/sgml/ddl.sgml
@@ -1578,8 +1578,10 @@ ALTER TABLE products RENAME TO items;
   </para>
 =

   <para>
-   The right to modify or destroy an object is always the privilege of
-   the owner only.
+   The right to modify or destroy an object is inherent in being the
+   object's owner, and cannot be granted or revoked in itself.
+   (However, like all privileges, that right can be inherited by
+   members of the owning role; see <xref linkend=3D"role-membership"/>.)
   </para>
 =

   <para>
@@ -1614,17 +1616,11 @@ GRANT UPDATE ON accounts TO joe;
   </para>
 =

   <para>
-   To revoke a privilege, use the fittingly named
+   To revoke a previously-granted privilege, use the fittingly named
    <xref linkend=3D"sql-revoke"/> command:
 <programlisting>
 REVOKE ALL ON accounts FROM PUBLIC;
 </programlisting>
-   The special privileges of the object owner (i.e., the right to do
-   <command>DROP</command>, <command>GRANT</command>, <command>REVOKE</co=
mmand>, etc.)
-   are always implicit in being the owner,
-   and cannot be granted or revoked.  But the object owner can choose
-   to revoke their own ordinary privileges, for example to make a
-   table read-only for themselves as well as others.
   </para>
 =

   <para>
@@ -1639,6 +1635,13 @@ REVOKE ALL ON accounts FROM PUBLIC;
   </para>
 =

   <para>
+   An object's owner can choose to revoke their own ordinary privileges,
+   for example to make a table read-only for themselves as well as others=
.
+   But owners are always treated as holding all grant options, so they
+   can always re-grant their own privileges.
+  </para>
+
+  <para>
    The available privileges are:
 =

    <variablelist>

------- =_aaaaaaaaaa0--