public inbox for [email protected]  
From: Ayush Vatsa <[email protected]>
To: David G. Johnston <[email protected]>
Cc: [email protected]
Subject: Re: Clarification on View Privileges and Operator Execution in PostgreSQL
Date: Sun, 7 Apr 2024 23:32:36 +0530
Message-ID: <CACX+KaOH=wX-CBYw2tSowKNwKW2nMMLD1fVmeKGh_GyVjFJdpg@mail.gmail.com> (raw)
In-Reply-To: <CAKFQuwaMN7LkHwqm9LHxpR2_PdN_NGMyrmvL_VshV+=hxiBkrQ@mail.gmail.com>
References: <CACX+KaN-Lqv+k6d4b37oKFiqF6ibMkq1RVHbcTby5EjRtNQewg@mail.gmail.com>
	<CAKFQuwbMkum2q05EvhVNWXC4ij-HL-Nv=3d5yDPfZsEhNTrJbQ@mail.gmail.com>
	<CACX+KaMxg+WiHuQHA8==BmP0jsVFXm-RKnAd1bhF=yFYopP4Pg@mail.gmail.com>
	<CAKFQuwaMN7LkHwqm9LHxpR2_PdN_NGMyrmvL_VshV+=hxiBkrQ@mail.gmail.com>

> If you want to confirm what the documentation says create a custom
> operator/function that alex is not permitted to execute and have them query
> a view defined by postgres that uses that function.

Thanks for the suggestion, it helped and I found out alex could not execute
the view as it didn't have privileges for the function associated with
the operator.

But a small doubt arises here: I have to revoke the execution of the
function using the command

    REVOKE ALL ON ALL FUNCTIONS IN SCHEMA public from public;

but when I tried

    REVOKE EXECUTE ON FUNCTION text_equals(text,text) FROM alex;

or

    REVOKE ALL ON FUNCTION text_equals(text,text) FROM alex;

it didn't work, i.e. alex can still execute the text_equals function. Why is it
so?

Thanks
Ayush Vatsa
SDE AWS


On Sun, 7 Apr 2024 at 22:31, David G. Johnston <[email protected]>
wrote:

> On Sun, Apr 7, 2024 at 9:32 AM Ayush Vatsa <[email protected]>
> wrote:
>
>> but who will execute the underlying function inside the ( > )
>> operator? Is it postgres or alex?
>
> I'm reasonably confident that all the built-in functions are security
> invoker.  Not that a pure function like greater-than really cares.
>
> David J.
>
>
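
Added example, not part of the original message or the thread: PostgreSQL grants EXECUTE on new functions to PUBLIC by default, and REVOKE only removes a grant held by the role it names, which is the behaviour the three REVOKE commands above run into. The body of text_equals is an assumption (the thread does not show it); run this as a superuser in a scratch database.

```sql
BEGIN;  -- everything below is rolled back at the end

-- Constructed setup. The function body is hypothetical.
CREATE ROLE alex LOGIN;
CREATE FUNCTION text_equals(a text, b text) RETURNS boolean
    LANGUAGE sql IMMUTABLE AS $$ SELECT a = b $$;

-- 1. Inspect the ACL. A freshly created function carries the built-in
--    default privileges, which for functions include EXECUTE for PUBLIC.
SELECT proname, proacl FROM pg_proc
 WHERE oid = 'text_equals(text,text)'::regprocedure;

-- 2. alex holds no grant of his own, so this REVOKE has nothing to remove.
--    He keeps EXECUTE through his implicit membership in PUBLIC.
REVOKE EXECUTE ON FUNCTION text_equals(text, text) FROM alex;
SELECT has_function_privilege('alex', 'text_equals(text,text)', 'EXECUTE')
       AS alex_can_execute_after_revoke_from_alex;

-- 3. Removing the PUBLIC grant is what takes the privilege away from alex
--    (and from every other role that relied on PUBLIC).
REVOKE EXECUTE ON FUNCTION text_equals(text, text) FROM PUBLIC;
SELECT has_function_privilege('alex', 'text_equals(text,text)', 'EXECUTE')
       AS alex_can_execute_after_revoke_from_public;

-- 4. Least privilege from here on: grant EXECUTE only to roles that need it.
--    app_reader is a hypothetical role name.
CREATE ROLE app_reader;
GRANT EXECUTE ON FUNCTION text_equals(text, text) TO app_reader;
SELECT proname, proacl FROM pg_proc
 WHERE oid = 'text_equals(text,text)'::regprocedure;

-- 5. Stop functions created later by the current role from being
--    PUBLIC-executable. This must be the global form: a per-schema
--    (IN SCHEMA ...) default can only add privileges, not remove the
--    built-in PUBLIC grant.
ALTER DEFAULT PRIVILEGES REVOKE EXECUTE ON FUNCTIONS FROM PUBLIC;

ROLLBACK;
```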

