public inbox for [email protected]  
help / color / mirror / Atom feed
From: Laurenz Albe <[email protected]>
To: Michael Banck <[email protected]>
Cc: David Burns <[email protected]>
Cc: [email protected]
Subject: Re: Version 14/15 documentation Section "Alter Default Privileges"
Date: Fri, 27 Oct 2023 17:49:42 +0200
Message-ID: <[email protected]> (raw)
In-Reply-To: <[email protected]>
References: <LV2PR12MB5725F7C1B8EB2FC38829F276E7399@LV2PR12MB5725.namprd12.prod.outlook.com>
	<[email protected]>
	<[email protected]>
	<[email protected]>
	<[email protected]>

On Fri, 2023-10-27 at 11:34 +0200, Michael Banck wrote:
> On Fri, Oct 27, 2023 at 09:03:04AM +0200, Laurenz Albe wrote:
> > On Fri, 2022-11-04 at 10:49 +0100, Laurenz Albe wrote:
> > > On Thu, 2022-11-03 at 11:32 +0100, Laurenz Albe wrote:
> > > > On Wed, 2022-11-02 at 19:29 +0000, David Burns wrote:
> > > > > Some additional clarity in the versions 14/15 documentation
> > > > > would be helpful specifically surrounding the "target_role"
> > > > > clause for the ALTER DEFAULT PRIVILEGES command.  To the
> > > > > uninitiated, the current description seems vague.  Maybe
> > > > > something like the following would help:
> > > 
> > > After some more thinking, I came up with the attached patch.
> > 
> I think something like this is highly useful because I have also seen
> people very confused why default privileges are not applied.
> 
> However, maybe it could be made even clearer if also the main
> description is amended, like
> 
> "You can change default privileges only for objects that will be created
> by yourself or by roles that you are a member of (via target_role)."
> 
> or something.

True.  I have done that in the attached patch.
In this patch, it is mentioned *twice* that ALTER DEFAULT PRIVILEGES
only affects objects created by the current user.  I thought that
would not harm, but if it is too redundant, I can remove the second
mention.

Yours,
Laurenz Albe


Attachments:

  [text/x-patch] 0001-Improve-ALTER-DEFAULT-PRIVILEGES-documentation.V2.patch (2.3K, ../[email protected]/2-0001-Improve-ALTER-DEFAULT-PRIVILEGES-documentation.V2.patch)
  download | inline diff:
From 6c618553cc21639e774f6fd108423134139bfc0a Mon Sep 17 00:00:00 2001
From: Laurenz Albe <[email protected]>
Date: Fri, 27 Oct 2023 17:44:19 +0200
Subject: [PATCH] Improve ALTER DEFAULT PRIVILEGES documentation

Clarify that default privileges are only applied to objects
created by the target role.  This has been a frequent source
of misunderstandings.

Per request from David Burns.

Author: Laurenz Albe
Reviewed-by: Michael Banck
Discussion: https://postgr.es/m/LV2PR12MB5725F7C1B8EB2FC38829F276E7399%40LV2PR12MB5725.namprd12.prod.outlook.com
---
 doc/src/sgml/ref/alter_default_privileges.sgml | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/doc/src/sgml/ref/alter_default_privileges.sgml b/doc/src/sgml/ref/alter_default_privileges.sgml
index f1d54f5aa3..cf0ffa9c49 100644
--- a/doc/src/sgml/ref/alter_default_privileges.sgml
+++ b/doc/src/sgml/ref/alter_default_privileges.sgml
@@ -90,7 +90,10 @@ REVOKE [ GRANT OPTION FOR ]
   <para>
    <command>ALTER DEFAULT PRIVILEGES</command> allows you to set the privileges
    that will be applied to objects created in the future.  (It does not
-   affect privileges assigned to already-existing objects.)  Currently,
+   affect privileges assigned to already-existing objects.)  <command>ALTER
+   DEFAULT PRIVILEGES</command> changes default privileges only for objects
+   that will be created by the user that executed the statement (or by
+   <replaceable>target_role</replaceable>, if specified).  Currently,
    only the privileges for schemas, tables (including views and foreign
    tables), sequences, functions, and types (including domains) can be
    altered.  For this command, functions include aggregates and procedures.
@@ -138,6 +141,11 @@ REVOKE [ GRANT OPTION FOR ]
      <para>
       The name of an existing role of which the current role is a member.
       If <literal>FOR ROLE</literal> is omitted, the current role is assumed.
+      Default privileges are only changed for new objects created by the
+      <replaceable>target_role</replaceable>.  There is no way to set default
+      privileges for objects created by arbitrary roles; for that, you'd have
+      to run <command>ALTER DEFAULT PRIVILEGES</command> for each role that can
+      create objects.
      </para>
     </listitem>
    </varlistentry>
-- 
2.41.0



view thread (5+ messages)  latest in thread

reply

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Reply to all the recipients using the --to and --cc options:
  reply via email

  To: [email protected]
  Cc: [email protected], [email protected], [email protected], [email protected]
  Subject: Re: Version 14/15 documentation Section "Alter Default Privileges"
  In-Reply-To: <[email protected]>

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox