Обсуждение: BUG #16124: Altering default privileges problem
The following bug has been logged on the website:
Bug reference: 16124
Logged by: John Doe
Email address: john.doe@example.com
PostgreSQL version: 11.5
Operating system: NixOS
Description:
Altering default privileges in specific schema to revoke all privileges on
types from PUBLIC does nothing.
Steps to reproduce:
- Connect as superuser and execute:
CREATE ROLE ownerrole WITH INHERIT LOGIN PASSWORD 'ownerrole';
CREATE ROLE approle WITH INHERIT LOGIN PASSWORD 'approle';
CREATE DATABASE test1 ENCODING = 'UTF8' OWNER = ownerrole;
CREATE DATABASE test2 ENCODING = 'UTF8' OWNER = ownerrole;
Test 1
- Setup: Connect as ownerrole to test1 and execute the following commands:
CREATE SCHEMA myschema;
GRANT ALL PRIVILEGES ON SCHEMA myschema TO approle;
ALTER DEFAULT PRIVILEGES
FOR ROLE ownerrole
IN SCHEMA myschema
REVOKE ALL PRIVILEGES ON TYPES FROM PUBLIC;
CREATE DOMAIN myschema.comment AS text;
- Test: connect as approle to test1 and execute the following command:
CREATE TABLE myschema.table(
comment myschema.comment
);
- Actual result
The myschema.table table is created.
- Expected result:
The table creation should fail due to the following error:
ERROR: permission denied for type myschema.comment
- Notes:
$ psql -U ownerrole -d test1
psql (11.5)
Type "help" for help.
test1=> \ddp
Default access privileges
Owner | Schema | Type | Access privileges
-------+--------+------+-------------------
(0 rows)
Test 2
- Setup: Connect as ownerrole to test2 and execute the following commands
(ALTER DEFAULT PRIVILEGES is not specific to any schema):
CREATE SCHEMA myschema;
GRANT ALL PRIVILEGES ON SCHEMA myschema TO approle;
ALTER DEFAULT PRIVILEGES
FOR ROLE ownerrole
REVOKE ALL PRIVILEGES ON TYPES FROM PUBLIC;
CREATE DOMAIN myschema.comment AS text;
- Test: connect as approle to test2 and execute the following command:
CREATE TABLE myschema.table(
comment myschema.comment
);
- Actual result
ERROR: permission denied for type myschema.comment
- Expected result:
ERROR: permission denied for type myschema.comment
- Notes:
$ psql -U ownerrole -d test2
psql (11.5)
Type "help" for help.
test2=> \ddp
Default access privileges
Owner | Schema | Type | Access privileges
-----------+--------+------+-----------------------
ownerrole | | type | ownerrole=U/ownerrole
(1 row)
PG Bug reporting form <noreply@postgresql.org> writes:
> Bug reference: 16124
> Logged by: John Doe
> Email address: john.doe@example.com
... so, effectively an anonymous report. Hope the submitter reads
pgsql-bugs, else he'll get no answer.
> Altering default privileges in specific schema to revoke all privileges on
> types from PUBLIC does nothing.
AFAICT, this is operating as designed. SetDefaultACL() says:
* The default for a global entry is the hard-wired default ACL for the
* particular object type. The default for non-global entries is an empty
* ACL. This must be so because global entries replace the hard-wired
* defaults, while others are added on.
Hence, "ALTER ... IN SCHEMA whatever REVOKE ALL PRIVILEGES ON TYPES FROM
PUBLIC" is a no-op because the privilege was never granted at the schema
level in the first place.
This seems kind of unfortunate, and it's certainly not adequately
documented. The man page does say "Default privileges that are specified
per-schema are added to whatever the global default privileges are for the
particular object type" but the implication that you can't revoke
privileges at that level isn't obvious.
I don't see any way to change the actual behavior, at least not within the
existing representation of pg_default_acl, but we ought to improve the
documentation. I'm inclined to split out the just-quoted sentence to
a new para along the lines of
Default privileges that are specified per-schema are added to whatever
the global default privileges are for the particular object type.
This means you cannot revoke privileges per-schema if they are granted
globally (either by default, or according to a previous ALTER DEFAULT
PRIVILEGES command that did not specify a schema). Per-schema REVOKE
is only useful to reverse the effects of a previous per-schema GRANT.
Perhaps an explicit example too?
regards, tom lane