Re: "grant usage on schema" confers the ability to execute all user-defined functions in that schema, with needing to grant "execute"

Поиск
Список
Период
Сортировка
От Tom Lane
Тема Re: "grant usage on schema" confers the ability to execute all user-defined functions in that schema, with needing to grant "execute"
Дата
Msg-id 2176817.1644613186@sss.pgh.pa.us
обсуждение исходный текст
Ответ на "grant usage on schema" confers the ability to execute all user-defined functions in that schema, with needing to grant "execute"  (Bryn Llewellyn <bryn@yugabyte.com>)
Список pgsql-general
Дерево обсуждения 
Bryn Llewellyn <bryn@yugabyte.com> writes:
> If user "x" owns function "s.f()", and if you want user "z" to be able to execute it, then this alone is
insufficient:

> grant execute on function s.f() to z;

> The attempt by "z" to execute "s.f()" this draws the 42501 error, "permission denied for schema s". But this _is_
sufficient:

> grant usage on schema s to z;
> revoke execute on function s.f() from z; -- Yes, really!

> *This surprises me*

It shouldn't.  Per the docs, the default permissions on a function
include GRANT EXECUTE TO PUBLIC.  Revoking the never-granted-in-the-
first-place permission to z doesn't remove the PUBLIC permission.

So, if you want to be selective about who can use your functions,
you should revoke the PUBLIC permission and then grant out
permissions to individual roles.

            regards, tom lane

В списке pgsql-general по дате отправления:

Предыдущее
От: "Peter J. Holzer"
Дата:
Сообщение: Re: Can we go beyond the standard to make Postgres radically better?
Следующее
От: "David G. Johnston"
Дата:
Сообщение: Re: "grant usage on schema" confers the ability to execute all user-defined functions in that schema, with needing to grant "execute"