From: David G. Johnston <[email protected]>
To: Laurenz Albe <[email protected]>
Cc: [email protected]
Cc: Daniel Gustafsson <[email protected]>
Cc: pgsql-docs <[email protected]>
Subject: Re: SQL command : ALTER DATABASE OWNER TO
Date: Wed, 24 Jan 2024 08:47:06 -0700
Message-ID: <CAKFQuwZjb=umdSBrW5diWDbXU25ygFzTKUON2TnfRdXmt9pjTg@mail.gmail.com>
In-Reply-To: <[email protected]>
References: <2023185982.281851219.1646733038464.JavaMail.root@zimbra15-e2.priv.proxad.net>
<[email protected]>
<[email protected]>
<[email protected]>
<[email protected]>
<[email protected]>
On Wed, Jan 24, 2024 at 8:35 AM Laurenz Albe <[email protected]>
wrote:
> On Wed, 2024-01-24 at 15:40 +0100, [email protected] wrote:
> > maybe a misunderstanding on my part, but your proposed modification doesn't match
> > with the current behaviour of the command as precisely the object privileges of the old owner are **NOT** transferred
> > to the new owner along with the ownership
>
> But that is what happens.
>
> The permissions are transferred to the new owner, so the old owner doesn't
> have any privileges on the object (and, in your case, cannot connect to
> the database any more).
>
>
I dislike this change; ownership of an object is completely independent of
the grant system of privileges. The granted privileges of the old role do
not transfer to the new owner when alter ... owner to is executed. The
separate object attribute "owner" is the only thing that changes. If the
old owner doesn't have any granted privileges on the modified object then
they will be left with no ability to interact with that object. In the
case of Database the applicable interactions are Create and Connect. The
permissions the old owner may have on any other objects in the database are
also left unaffected - such as those on a schema. But if they have lost
the ability to Connect then actually exercising schema privileges becomes
impossible. It really isn't any different than removing their login
attribute.
Note that since PUBLIC gets connect privileges on all databases by
default...
David J.
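
The following script is an added example, not part of the original message or of the PostgreSQL documentation. It lets you observe the owner attribute, the stored ACL and the effective database privileges before and after `ALTER DATABASE ... OWNER TO`. The role names `old_owner` and `new_owner` and the database name `owner_demo` are hypothetical, and it assumes a superuser psql session on a scratch cluster.

```sql
-- Hypothetical names: roles old_owner / new_owner, database owner_demo.
CREATE ROLE old_owner LOGIN;
CREATE ROLE new_owner LOGIN;
CREATE DATABASE owner_demo OWNER old_owner;

-- Take away the default CONNECT grant to PUBLIC, so that CONNECT depends
-- only on ownership or on grants made to a specific role.
REVOKE CONNECT ON DATABASE owner_demo FROM PUBLIC;

-- Before: owner attribute, raw ACL, effective privileges of both roles.
SELECT pg_get_userbyid(datdba) AS owner,
       datacl,
       has_database_privilege('old_owner', 'owner_demo', 'CONNECT') AS old_connect,
       has_database_privilege('old_owner', 'owner_demo', 'CREATE')  AS old_create,
       has_database_privilege('new_owner', 'owner_demo', 'CONNECT') AS new_connect,
       has_database_privilege('new_owner', 'owner_demo', 'CREATE')  AS new_create
FROM pg_database
WHERE datname = 'owner_demo';

ALTER DATABASE owner_demo OWNER TO new_owner;

-- After: the same columns, for comparison with the first result.
SELECT pg_get_userbyid(datdba) AS owner,
       datacl,
       has_database_privilege('old_owner', 'owner_demo', 'CONNECT') AS old_connect,
       has_database_privilege('old_owner', 'owner_demo', 'CREATE')  AS old_create,
       has_database_privilege('new_owner', 'owner_demo', 'CONNECT') AS new_connect,
       has_database_privilege('new_owner', 'owner_demo', 'CREATE')  AS new_create
FROM pg_database
WHERE datname = 'owner_demo';

-- ACL entries one per row; a grantee shown as "-" is PUBLIC.
-- acldefault() supplies the built-in default when datacl is NULL.
SELECT a.grantor::regrole, a.grantee::regrole, a.privilege_type, a.is_grantable
FROM pg_database d,
     aclexplode(coalesce(d.datacl, acldefault('d', d.datdba))) AS a
WHERE d.datname = 'owner_demo';

-- Cleanup.
DROP DATABASE owner_demo;
DROP ROLE old_owner;
DROP ROLE new_owner;
```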