Re: SQL command : ALTER DATABASE OWNER TO
| От | David G. Johnston |
|---|---|
| Тема | Re: SQL command : ALTER DATABASE OWNER TO |
| Дата | |
| Msg-id | CAKFQuwYqhMfzzNeqx1HzYYH_bsu1O0H6Sdaux6wgG=_H-h-G8A@mail.gmail.com обсуждение исходный текст |
| Ответ на | Re: SQL command : ALTER DATABASE OWNER TO (Laurenz Albe <laurenz.albe@cybertec.at>) |
| Ответы |
Re: SQL command : ALTER DATABASE OWNER TO
|
| Список | pgsql-docs |
On Wed, Jan 24, 2024 at 9:13 AM Laurenz Albe <laurenz.albe@cybertec.at> wrote:
On Wed, 2024-01-24 at 08:47 -0700, David G. Johnston wrote:
> I dislike this change, ownership of an object is completely independent of
> the grant system of privileges. The granted privileges of the old row do
> not transfer to the new owner when alter ... owner to is executed.
CREATE TABLE mytab ();
REVOKE ALL ON mytab FROM PUBLIC;
\z mytab
Access privileges
Schema │ Name │ Type │ Access privileges │ Column privileges │ Policies
════════╪═══════╪═══════╪═══════════════════════════╪═══════════════════╪══════════
public │ mytab │ table │ postgres=arwdDxt/postgres │ │
(1 row)
ALTER TABLE mytab OWNER TO laurenz;
\z mytab
Access privileges
Schema │ Name │ Type │ Access privileges │ Column privileges │ Policies
════════╪═══════╪═══════╪═════════════════════════╪═══════════════════╪══════════
public │ mytab │ table │ laurenz=arwdDxt/laurenz │ │
(1 row)
You need to actually revoke something to make the point stand out.
postgres=# \z tt1
Access privileges
Schema | Name | Type | Access privileges | Column privileges | Policies
--------+------+-------+-----------------------+-------------------+----------
public | tt1 | table | davidj=arwdDxt/davidj | |
(1 row)
postgres=# revoke update on tt1 from davidj;
REVOKE
postgres=# \z tt1
Access privileges
Schema | Name | Type | Access privileges | Column privileges | Policies
--------+------+-------+----------------------+-------------------+----------
public | tt1 | table | davidj=ardDxt/davidj | |
(1 row)
postgres=# alter table tt1 owner to testowner;
ALTER TABLE
postgres=# \z tt1
Access privileges
Schema | Name | Type | Access privileges | Column privileges | Policies
--------+------+-------+----------------------------+-------------------+----------
public | tt1 | table | testowner=ardDxt/testowner | |
(1 row)
Access privileges
Schema | Name | Type | Access privileges | Column privileges | Policies
--------+------+-------+-----------------------+-------------------+----------
public | tt1 | table | davidj=arwdDxt/davidj | |
(1 row)
postgres=# revoke update on tt1 from davidj;
REVOKE
postgres=# \z tt1
Access privileges
Schema | Name | Type | Access privileges | Column privileges | Policies
--------+------+-------+----------------------+-------------------+----------
public | tt1 | table | davidj=ardDxt/davidj | |
(1 row)
postgres=# alter table tt1 owner to testowner;
ALTER TABLE
postgres=# \z tt1
Access privileges
Schema | Name | Type | Access privileges | Column privileges | Policies
--------+------+-------+----------------------------+-------------------+----------
public | tt1 | table | testowner=ardDxt/testowner | |
(1 row)
The new owner, testowner, is missing the same update privilege that davidj removed from himself. In short, setting owner does indeed cause explicit grants to appear in the system, grants that can be revoked. And so, yes, transferring ownership transfers the set of grants currently in effect for the existing owner.
I can see making this detail more clear in the DDL chapter. It is unrelated to the confusion behind the topic of this thread though.
David J.
В списке pgsql-docs по дате отправления: