On Wed, 2022-11-02 at 19:29 +0000, David Burns wrote:
> To Whom It May Concern;
It concerns me, because I often see questions from people who misunderstand this.
> Some additional clarity in the versions 14/15 documentation would be helpful specifically
> surrounding the "target_role" clause for the ALTER DEFAULT PRIVILEGES command.
> To the uninitiated, the current description seems vague. Maybe something like the following would help:
>
> target_role
> The name of an existing role of which the current role is a member.
> Default privileges are only applied to objects created by the targeted role/user (FOR ROLE target_role).
> If the FOR ROLE clause is omitted, the targeted user defaults to the current user executing the
> ALTER DEFAULT PRIVILEGES command.
+1
I like the wording, except that I would replace "targeted role/user (FOR ROLE target_role)" with
"target role" for added clarity.
> The result can be seen using the following query:
>
> select table_catalog as database
> ,table_schema
> ,table_name
> ,privilege_type
> ,grantee
> ,'revoke '||privilege_type||' on '||table_schema||'.'||table_name||' from '||grantee||';' as revoke_stmt
> from information_schema.table_privileges
> where table_schema = 'my_schema'
> and table_name = 'my_table'
> order by 1,2,3,5,4;
I am not so happy with that query; I thinks that is going too far.
Perhaps we can say that the "psql" command "\ddp" can be used to view default privileges.
> Also, additional explanation about the differences between global defaults versus
> schema-level defaults, and how to identify them, would be helpful.
The examples already cover that in some detail.
> Additional explanation about exactly what is happening would help to put this command into perspective.
> On successful execution with the correct parameter values, and using both the FOR ROLE and
> IN SCHEMA clauses, I also received privilege grants directed to the user executing the
> ALTER DEFAULT PRIVILEGES command. This was in addition to the expected privileges specified in the command.
> I'm not sure why this occurred or how to eliminate it, in the interest of establishing "least privilege"
permissions.
ALTER DEFAULT PRIVILEGES does nothing like that...
Yours,
Laurenz Albe