Christopher Kings-Lynne <chriskl@familyhealth.com.au> writes:
> 1. Should we make the owner aclitem NEVER appear in the acl list? ie.
> when we do the first grant on an object, we don't put in a default acl
> for the owner. Instead we special case the aclcheck to always allow the
> owner full privileges?
That would be *entirely* unacceptable, since it would for example
prevent the owner from making the table read-only to himself.
I think that's an important feature to preserve.
The solution I had in mind was for ALTER OWNER to run through the ACL
and replace the old owner ID with the new one wherever the old one
appears, in both grantor and grantee positions. So in your example
{chriskl=arwdRxt/chriskl,other=r/chriskl}
becomes
{gumby=arwdRxt/gumby,other=r/gumby}
You could skip doing this when the ACL is null of course, since the
default assumption about its contents will change in just the same way.
The minimum you could safely do is make this replacement in every
place where the old owner appears as a grantor, but leave grantees
alone. This rule produces
{chriskl=arwdRxt/gumby,other=r/gumby}
Now IMHO this would be an utterly bizarre behavior ... but it would
at least produce a legal, consistent state of the ACL, in which every
granted right is traceable back to the new owner's implicit grant
options. If the new owner gumby didn't want chriskl to have those
permissions, he'd at least be able to revoke 'em. One would think
though that the first alternative is much more likely to be what
people would expect.
> {chriskl=arwdRxt/gumby,other=r/chriskl}
When gumby is the owner, this is an illegal ACL: chriskl is granting
rights he doesn't have grant option for.
regards, tom lane
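The two ALTER OWNER rewrite rules and the "illegal ACL" check from the message above, as an added example that is not code from the thread or from PostgreSQL itself. It treats aclitem lists as plain text and assumes grant options are written as `x*` after the privilege letter and that the owner implicitly holds every grant option.

```python
# Added example: toy model of aclitem lists "{grantee=privs/grantor,...}".
# Assumptions: privilege letters are arwdRxt; an explicit grant option on a
# letter is written "x*"; the owner implicitly holds all grant options.
ALL_PRIVS = "arwdRxt"

def parse_acl(acl):
    """'{a=arwd/b,c=r/b}' -> [('a', 'arwd', 'b'), ('c', 'r', 'b')]."""
    items = []
    for item in acl.strip("{}").split(","):
        if item:
            grantee, rest = item.split("=", 1)
            privs, grantor = rest.split("/", 1)
            items.append((grantee, privs, grantor))
    return items

def format_acl(items):
    return "{" + ",".join(f"{g}={p}/{gr}" for g, p, gr in items) + "}"

def alter_owner(acl, old, new, grantees_too=True):
    """Replace the old owner by the new one. grantees_too=True is the full
    rewrite (grantor and grantee positions); False is the grantor-only rule."""
    out = []
    for grantee, privs, grantor in parse_acl(acl):
        grantor = new if grantor == old else grantor
        if grantees_too and grantee == old:
            grantee = new
        out.append((grantee, privs, grantor))
    return format_acl(out)

def grant_options(items, owner, user):
    """Letters `user` may re-grant: all for the owner, else only 'x*' ones held."""
    if user == owner:
        return set(ALL_PRIVS)
    held = set()
    for grantee, privs, _ in items:
        if grantee == user:
            held |= {privs[i] for i in range(len(privs) - 1) if privs[i + 1] == "*"}
    return held

def illegal_grants(acl, owner):
    """Entries whose grantor lacks grant option for what they granted; [] = legal."""
    items = parse_acl(acl)
    bad = []
    for grantee, privs, grantor in items:
        missing = set(privs.replace("*", "")) - grant_options(items, owner, grantor)
        if missing:
            bad.append((grantee, "".join(sorted(missing)), grantor))
    return bad
```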