Sorting out acl fixes

From: Christopher Kings-Lynne
Subject: Sorting out acl fixes
Date:
Msg-id: 40FF1A9F.60408@familyhealth.com.au
Replies: Re: Sorting out acl fixes
Re: Sorting out acl fixes
List: pgsql-hackers

I'm playing around trying to fix the problem where ACLs enter an illegal 
state when you change the owner of a table, say.

This is the current situation:

test=# create user gumby;
CREATE USER
test=# create user other;
CREATE USER
test=# create table test (a int4);
CREATE TABLE
test=# grant select on test to other;
GRANT
test=# alter table test owner to gumby;
ALTER TABLE
test=# \dp
               Access privileges for database "test"
 Schema | Name | Type  |             Access privileges
--------+------+-------+-------------------------------------------
 public | test | table | {chriskl=arwdRxt/chriskl,other=r/chriskl}
(1 row)

test=# \dt
       List of relations
 Schema | Name | Type  | Owner
--------+------+-------+-------
 public | test | table | gumby
(1 row)

Now, the chriskl user's old owner privs are still there, but are granted 
by chriskl still.  The initial fix would be to modify the acl to be like 
this after owner change:

{chriskl=arwdRxt/gumby,other=r/chriskl}

Perhaps even:

{gumby=arwdRxt/chriskl,other=r/gumby}

But there's a few other options:

1. Should we make the owner aclitem NEVER appear in the acl list?  i.e. 
when we do the first grant on an object, we don't put in a default acl 
for the owner.  Instead we special case the aclcheck to always allow the 
owner full privileges?  Also, if the first grant was 'select' for the 
'other' user, and then we changed the owner to the 'other' user, should 
we erase the 'other' user's aclitem?

2. Should we just whenever the owner is changed, change all grantors 
that are the old owner to the new owner?

3. Should we do (2) but only when the grantor is the old owner and the 
grantee is the old owner?

Is there a logical way of determining which of these is correct?

Chris
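
Options 2 and 3 above, applied to the ACL from the \dp output, as an added example (not part of the original message and not PostgreSQL's code). The function names are hypothetical, and role names are assumed to be plain unquoted identifiers.

```python
# Added illustration: ACL text in the "grantee=privs/grantor" form shown by \dp.
# Assumes plain, unquoted role names with no commas, '=' or '/' in them.

def parse_acl(text):
    """Parse '{a=r/b,c=w/d}' into a list of (grantee, privs, grantor)."""
    items = []
    for item in text.strip().strip("{}").split(","):
        if not item:
            continue
        left, grantor = item.rsplit("/", 1)
        grantee, privs = left.split("=", 1)   # empty grantee means PUBLIC
        items.append((grantee, privs, grantor))
    return items

def format_acl(items):
    """Render (grantee, privs, grantor) tuples back into the \\dp text form."""
    return "{" + ",".join(f"{g}={p}/{r}" for g, p, r in items) + "}"

def option2(acl, old_owner, new_owner):
    """Option 2: every item granted by the old owner is re-attributed."""
    return [(g, p, new_owner if r == old_owner else r) for g, p, r in acl]

def option3(acl, old_owner, new_owner):
    """Option 3: re-attribute only the old owner's grant to itself."""
    return [(g, p, new_owner if (r == old_owner and g == old_owner) else r)
            for g, p, r in acl]

def granted_by_others(acl, owner):
    """Items whose grantor is not `owner`, for review after an owner change."""
    return [item for item in acl if item[2] != owner]

if __name__ == "__main__":
    # ACL copied from the \dp output in the message; owner changes chriskl -> gumby.
    before = parse_acl("{chriskl=arwdRxt/chriskl,other=r/chriskl}")
    for name, fn in (("option 2", option2), ("option 3", option3)):
        after = fn(before, "chriskl", "gumby")
        print(name, format_acl(after),
              "still granted by others:", granted_by_others(after, "gumby"))
```

Option 3 reproduces the first ACL proposed in the message; option 2 also rewrites the grantor on the entry for other, so no item remains attributed to chriskl.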


