public inbox for [email protected]
help / color / mirror / Atom feedFrom: Tom Lane <[email protected]>
To: David G. Johnston <[email protected]>
Cc: Dominique Devienne <[email protected]>
Cc: [email protected] <[email protected]>
Subject: Re: DROP ROLE as SUPERUSER
Date: Thu, 20 Feb 2025 11:52:18 -0500
Message-ID: <[email protected]> (raw)
In-Reply-To: <CAKFQuwa4iiw9zei549ROy1VaWTWT5dM1Ubw9aH7TdmbQS2iiGw@mail.gmail.com>
References: <CAFCRh-_3+E3-pmdH+i5jUE-8Z1jJWxxdP3EcFjTbHVWM+oEweg@mail.gmail.com>
<CAKFQuwb-pHsxJF22fAp2Vb1jwbQxTVxXhuLzjaocsB5LEUEb5w@mail.gmail.com>
<[email protected]>
<CAKFQuwa4iiw9zei549ROy1VaWTWT5dM1Ubw9aH7TdmbQS2iiGw@mail.gmail.com>
"David G. Johnston" <[email protected]> writes:
> On Thu, Feb 20, 2025 at 9:05 AM Tom Lane <[email protected]> wrote:
>> It used to be that if a superuser issued GRANT/REVOKE, the operation
>> was silently done as the owner of the affected object.
> That is still the case according to the docs (REVOKE):
[ scratches head ... ] I thought we had changed that, but nope I'm wrong:
regression=# create user alice;
CREATE ROLE
regression=# create user bob;
CREATE ROLE
regression=# \c - alice
You are now connected to database "regression" as user "alice".
regression=> create table alices_table (f1 int);
CREATE TABLE
regression=> grant select on alices_table to bob;
GRANT
regression=> \dp alices_table
Access privileges
Schema | Name | Type | Access privileges | Column privileges | Policies
--------+--------------+-------+----------------------+-------------------+----------
public | alices_table | table | alice=arwdDxtm/alice+| |
| | | bob=r/alice | |
(1 row)
regression=> \c - postgres
You are now connected to database "regression" as user "postgres".
regression=# grant update on alices_table to bob;
GRANT
regression=# \dp alices_table
Access privileges
Schema | Name | Type | Access privileges | Column privileges | Policies
--------+--------------+-------+----------------------+-------------------+----------
public | alices_table | table | alice=arwdDxtm/alice+| |
| | | bob=rw/alice | |
(1 row)
regression=# revoke update on alices_table from bob;
REVOKE
regression=# \dp alices_table
Access privileges
Schema | Name | Type | Access privileges | Column privileges | Policies
--------+--------------+-------+----------------------+-------------------+----------
public | alices_table | table | alice=arwdDxtm/alice+| |
| | | bob=r/alice | |
(1 row)
regression=# revoke select on alices_table from bob;
REVOKE
regression=# \dp alices_table
Access privileges
Schema | Name | Type | Access privileges | Column privileges | Policies
--------+--------------+-------+----------------------+-------------------+----------
public | alices_table | table | alice=arwdDxtm/alice | |
(1 row)
So grants and revokes are still being done as the object owner by
default.
Now I'm unclear on exactly what was happening in Dominique's case.
Was the problematic permission granted by somebody other than the
database's owner?
regards, tom lane
view thread (8+ messages)
reply
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Reply to all the recipients using the --to and --cc options:
reply via email
To: [email protected]
Cc: [email protected], [email protected], [email protected], [email protected]
Subject: Re: DROP ROLE as SUPERUSER
In-Reply-To: <[email protected]>
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox