public inbox for [email protected]
help / color / mirror / Atom feedFrom: Laurenz Albe <[email protected]>
To: Michael Banck <[email protected]>
Cc: David Burns <[email protected]>
Cc: [email protected]
Subject: Re: Version 14/15 documentation Section "Alter Default Privileges"
Date: Fri, 27 Oct 2023 17:49:42 +0200
Message-ID: <[email protected]> (raw)
In-Reply-To: <[email protected]>
References: <LV2PR12MB5725F7C1B8EB2FC38829F276E7399@LV2PR12MB5725.namprd12.prod.outlook.com>
<[email protected]>
<[email protected]>
<[email protected]>
<[email protected]>
On Fri, 2023-10-27 at 11:34 +0200, Michael Banck wrote:
> On Fri, Oct 27, 2023 at 09:03:04AM +0200, Laurenz Albe wrote:
> > On Fri, 2022-11-04 at 10:49 +0100, Laurenz Albe wrote:
> > > On Thu, 2022-11-03 at 11:32 +0100, Laurenz Albe wrote:
> > > > On Wed, 2022-11-02 at 19:29 +0000, David Burns wrote:
> > > > > Some additional clarity in the versions 14/15 documentation
> > > > > would be helpful specifically surrounding the "target_role"
> > > > > clause for the ALTER DEFAULT PRIVILEGES command. To the
> > > > > uninitiated, the current description seems vague. Maybe
> > > > > something like the following would help:
> > >
> > > After some more thinking, I came up with the attached patch.
> >
> I think something like this is highly useful because I have also seen
> people very confused why default privileges are not applied.
>
> However, maybe it could be made even clearer if also the main
> description is amended, like
>
> "You can change default privileges only for objects that will be created
> by yourself or by roles that you are a member of (via target_role)."
>
> or something.
True. I have done that in the attached patch.
In this patch, it is mentioned *twice* that ALTER DEFAULT PRIVILEGES
only affects objects created by the current user. I thought that
would not harm, but if it is too redundant, I can remove the second
mention.
Yours,
Laurenz Albe
Attachments:
[text/x-patch] 0001-Improve-ALTER-DEFAULT-PRIVILEGES-documentation.V2.patch (2.3K, ../[email protected]/2-0001-Improve-ALTER-DEFAULT-PRIVILEGES-documentation.V2.patch)
download | inline diff:
From 6c618553cc21639e774f6fd108423134139bfc0a Mon Sep 17 00:00:00 2001
From: Laurenz Albe <[email protected]>
Date: Fri, 27 Oct 2023 17:44:19 +0200
Subject: [PATCH] Improve ALTER DEFAULT PRIVILEGES documentation
Clarify that default privileges are only applied to objects
created by the target role. This has been a frequent source
of misunderstandings.
Per request from David Burns.
Author: Laurenz Albe
Reviewed-by: Michael Banck
Discussion: https://postgr.es/m/LV2PR12MB5725F7C1B8EB2FC38829F276E7399%40LV2PR12MB5725.namprd12.prod.outlook.com
---
doc/src/sgml/ref/alter_default_privileges.sgml | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/doc/src/sgml/ref/alter_default_privileges.sgml b/doc/src/sgml/ref/alter_default_privileges.sgml
index f1d54f5aa3..cf0ffa9c49 100644
--- a/doc/src/sgml/ref/alter_default_privileges.sgml
+++ b/doc/src/sgml/ref/alter_default_privileges.sgml
@@ -90,7 +90,10 @@ REVOKE [ GRANT OPTION FOR ]
<para>
<command>ALTER DEFAULT PRIVILEGES</command> allows you to set the privileges
that will be applied to objects created in the future. (It does not
- affect privileges assigned to already-existing objects.) Currently,
+ affect privileges assigned to already-existing objects.) <command>ALTER
+ DEFAULT PRIVILEGES</command> changes default privileges only for objects
+ that will be created by the user that executed the statement (or by
+ <replaceable>target_role</replaceable>, if specified). Currently,
only the privileges for schemas, tables (including views and foreign
tables), sequences, functions, and types (including domains) can be
altered. For this command, functions include aggregates and procedures.
@@ -138,6 +141,11 @@ REVOKE [ GRANT OPTION FOR ]
<para>
The name of an existing role of which the current role is a member.
If <literal>FOR ROLE</literal> is omitted, the current role is assumed.
+ Default privileges are only changed for new objects created by the
+ <replaceable>target_role</replaceable>. There is no way to set default
+ privileges for objects created by arbitrary roles; for that, you'd have
+ to run <command>ALTER DEFAULT PRIVILEGES</command> for each role that can
+ create objects.
</para>
</listitem>
</varlistentry>
--
2.41.0
view thread (5+ messages) latest in thread
reply
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Reply to all the recipients using the --to and --cc options:
reply via email
To: [email protected]
Cc: [email protected], [email protected], [email protected], [email protected]
Subject: Re: Version 14/15 documentation Section "Alter Default Privileges"
In-Reply-To: <[email protected]>
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox