From: David G. Johnston <[email protected]>
To: Alvaro Herrera <[email protected]>
Cc: Laurenz Albe <[email protected]>
Cc: [email protected]
Cc: Daniel Gustafsson <[email protected]>
Cc: pgsql-docs <[email protected]>
Subject: Re: SQL command : ALTER DATABASE OWNER TO
Date: Wed, 24 Jan 2024 10:02:31 -0700
Message-ID: <CAKFQuwbFrbdOWCNDgE49RRh07sTAuRODPR0BV1=-nVA01rFFrg@mail.gmail.com> (raw)
In-Reply-To: <[email protected]>
References: <[email protected]>
	<[email protected]>

On Wed, Jan 24, 2024 at 9:56 AM Alvaro Herrera <[email protected]> wrote:

> On 2024-Jan-24, Laurenz Albe wrote:
>
> > The permissions are transferred to the new owner, so the old owner doesn't
> > have any privileges on the object (and, in your case, cannot connect to
> > the database any more).
>
> However, if the old owner had a pg_hba.conf line that allowed them in,
> and the new owner doesn't, then they're now both locked out of the
> database with no recourse.
>
>
The OP doesn't actually care about inherited permissions, just the stated
ones.  That said, I do think there is a problem here:

postgres=# select current_user;
-[ RECORD 1 ]+-------
current_user | davidj

postgres=# revoke all on database  newdb2 from public;
REVOKE
postgres=# \l newdb2
List of databases
-[ RECORD 1 ]-----+------------------------
Name              | newdb2
Owner             | testowner
Encoding          | UTF8
Locale Provider   | libc
Collate           | en_US.UTF-8
Ctype             | en_US.UTF-8
ICU Locale        |
ICU Rules         |
Access privileges | testowner=CTc/testowner

postgres=# grant all on database newdb2 to testowner;
-- as I am logged in as davidj this grant should actually happen, with davidj as the grantor
-- the grants that materialize from ownership have the owning role as the grantor
-- it is only those that should be removed upon reassigning ownership

GRANT
postgres=# \l newdb2
List of databases
-[ RECORD 1 ]-----+------------------------
Name              | newdb2
Owner             | testowner
Encoding          | UTF8
Locale Provider   | libc
Collate           | en_US.UTF-8
Ctype             | en_US.UTF-8
ICU Locale        |
ICU Rules         |
Access privileges | testowner=CTc/testowner

-- I expect to see "testowner=CTc/davidj" here as well

David J.
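
The "Access privileges" column in the session above packs each entry as grantee=privileges/grantor. The query below is an added example, not part of the original message: it expands that ACL into one row per privilege so the recorded grantor can be audited directly. It assumes the database name newdb2 from the session and uses the built-in aclexplode() and acldefault() functions.

```sql
-- Added example: one row per (grantee, grantor, privilege) on a database.
-- 'newdb2' is the database from the session above; change as needed.
SELECT d.datname                          AS database,
       pg_get_userbyid(d.datdba)          AS owner,
       CASE WHEN a.grantee = 0            -- OID 0 in an ACL entry means PUBLIC
            THEN 'PUBLIC'
            ELSE pg_get_userbyid(a.grantee)
       END                                AS grantee,
       pg_get_userbyid(a.grantor)         AS grantor,
       a.privilege_type,                  -- CREATE, TEMPORARY, CONNECT
       a.is_grantable,                    -- true when held WITH GRANT OPTION
       (a.grantor = d.datdba)             AS granted_by_owner
FROM pg_database AS d
     -- datacl is NULL until the first GRANT/REVOKE on the database;
     -- acldefault('d', owner) supplies the built-in defaults in that case.
     CROSS JOIN LATERAL
       aclexplode(coalesce(d.datacl, acldefault('d', d.datdba))) AS a
WHERE d.datname = 'newdb2'
ORDER BY 3, 4, 5;
```

Rows where granted_by_owner is false are the ones whose grantor differs from the current owner, which is the distinction the comments in the session draw.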

