public inbox for [email protected]  
From: David G. Johnston <[email protected]>
To: Bruce Momjian <[email protected]>
Cc: [email protected]
Cc: Pg Docs <[email protected]>
Subject: Re: SQL command : ALTER DATABASE OWNER TO
Date: Tue, 8 Mar 2022 08:06:53 -0700
Message-ID: <CAKFQuwYMUq=Fa3gqMDUrd6yuUzmnyJSdFEiTDk-mQMS986jMvQ@mail.gmail.com> (raw)
In-Reply-To: <YidqjxKfp1Ao/[email protected]>
References: <1216810578.281812820.1646732222284.JavaMail.root@zimbra15-e2.priv.proxad.net>
	<2023185982.281851219.1646733038464.JavaMail.root@zimbra15-e2.priv.proxad.net>
	<YidqjxKfp1Ao/[email protected]>

On Tue, Mar 8, 2022 at 7:39 AM Bruce Momjian <[email protected]> wrote:

> On Tue, Mar  8, 2022 at 10:50:38AM +0100, [email protected] wrote:
> >
> > Hello,
> >
> > for this "ALTER DATABASE" form, it should be mentioned that after
> > execution of the command, the old database owner loses all his
> > privileges on it (even connection) although it might still own
> > schemas or objects (tables, indexes, ...) inside it.
> >
> > Thanks in advance to add this important precision.
>
> Uh, the original owner is not the owner anymore, so why would they
> assume they can reconnect, unless there is some other permission
> specified for them?
>
>
Agreed.  The proposed solution simply addresses a single symptom of what
may be a misunderstanding about how the system works (i.e., that an object
can only have a single owner, and, each privilege is specific to an object
and does not confer any implied privileges on container objects - schemas
and databases namely).

If there is a suggestion to improve the core misunderstandings, that is
something to consider.  Ideally in a central place about permissions in
general and not in the specific ALTER DATABASE command.

Given that the default behavior of PostgreSQL is to grant CONNECT via
PUBLIC, removing ownership of a database from a role does not, by default,
remove their connect privilege.

David J.
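
The default behaviour discussed in this thread, as an added psql example that is not part of the original messages. The role names old_owner and new_owner and the database appdb are constructed for illustration, and the session is assumed to run as a superuser connected to a different database.

```sql
-- Added example. old_owner, new_owner and appdb are constructed names.
-- Assumes a psql session as a superuser, connected to another database.
CREATE ROLE old_owner LOGIN;
CREATE ROLE new_owner LOGIN;
CREATE DATABASE appdb OWNER old_owner;

-- A fresh database has datacl = NULL, meaning the built-in defaults apply:
-- the owner holds every privilege and PUBLIC holds CONNECT and TEMPORARY.
SELECT datname, pg_get_userbyid(datdba) AS owner, datacl
FROM pg_database
WHERE datname = 'appdb';

ALTER DATABASE appdb OWNER TO new_owner;

-- Ownership moved, but CONNECT was never tied to ownership: old_owner
-- still receives it through PUBLIC. CREATE came only from being the owner.
SELECT has_database_privilege('old_owner', 'appdb', 'CONNECT') AS connect_priv,
       has_database_privilege('old_owner', 'appdb', 'CREATE')  AS create_priv;

-- To make connection access explicit, drop the PUBLIC grant and then grant
-- CONNECT only to the roles that need it (the owner keeps it implicitly).
REVOKE CONNECT ON DATABASE appdb FROM PUBLIC;
SELECT has_database_privilege('old_owner', 'appdb', 'CONNECT') AS connect_priv;

-- Objects inside the database keep their own owners regardless of who owns
-- the database. List any relations still owned by old_owner.
\connect appdb
SELECT n.nspname AS schema_name, c.relname, c.relkind
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
WHERE c.relowner = 'old_owner'::regrole;
```

has_database_privilege reports the database-level privilege only; pg_hba.conf is evaluated separately when a client actually connects.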

