Re: Add sentence about SECURITY LABEL object ownership

On Thu, 2025-06-05 at 15:29 +0200, Patrick Stählin wrote:
> Hi,
>
> I noticed that we don't document that you need to own the object being
> modified by SECURITY LABEL.
>
> Page: https://www.postgresql.org/docs/current/sql-security-label.html
>
> I've attached a patch that would have answered that question (for me)
> without diving into the code.

> --- a/doc/src/sgml/ref/security_label.sgml
> +++ b/doc/src/sgml/ref/security_label.sgml
> @@ -84,6 +84,10 @@ SECURITY LABEL [ FOR <replaceable class="parameter">provider</replaceable> ] ON
>     based on object labels, rather than traditional discretionary access control
>     (DAC) concepts such as users and groups.
>    </para>
> +
> +  <para>
> +   You must own the database object to use the <command>SECURITY LABEL</command>.
> +  </para>
>   </refsect1>
>
>   <refsect1>

Wouldn't it be more accurate to say that you have to be a member of the owning role?
But perhaps that would be complicated enough to confuse many users.

In general, +1 for documenting that.

Yours,
Laurenz Albe