NotificationsYou must be signed in to change notification settings
Fork6
Star31

Commita56c495

committed

Doc: fix old oversights in GRANT/REVOKE documentation.

The GRANTED BY clause in GRANT/REVOKE ROLE has been there since 2005but was never documented. I'm not sure now whether that was just anoversight or was intentional (given the limited capability of theoption). But seeing that pg_dumpall does emit code that uses thisoption, it seems like not documenting it at all is a bad idea.Also, when we upgraded the syntax to allow CURRENT_USER/SESSION_USERas the privilege recipient, the role form of GRANT was incorrectlynot modified to show that, and REVOKE's docs weren't touched at all.Although I'm not that excited about GRANTED BY, the other oversightseems serious enough to justify a back-patch.Discussion:https://postgr.es/m/3070.1581526786@sss.pgh.pa.us

1 parent9193627 commita56c495Copy full SHA for a56c495

File tree

2 files changed

+49

-21

lines changed

doc/src/sgml/ref
- grant.sgml
- revoke.sgml

2 files changed

+49

-21

lines changed

`‎doc/src/sgml/ref/grant.sgml`

Lines changed: 20 additions & 4 deletions

Original file line number	Diff line number	Diff line change
`@@ -79,14 +79,16 @@ GRANT { USAGE \| ALL [ PRIVILEGES ] }`
`79`	`79`	`ON TYPE <replaceable>type_name</replaceable> [, ...]`
`80`	`80`	`TO <replaceable class="PARAMETER">role_specification</replaceable> [, ...] [ WITH GRANT OPTION ]`
`81`	`81`
	`82`	`+GRANT <replaceable class="PARAMETER">role_name</replaceable> [, ...] TO <replaceable class="PARAMETER">role_specification</replaceable> [, ...]`
	`83`	`+ [ WITH ADMIN OPTION ]`
	`84`	`+ [ GRANTED BY <replaceable class="PARAMETER">role_specification</replaceable> ]`
	`85`	`+`
`82`	`86`	`<phrase>where <replaceable class="PARAMETER">role_specification</replaceable> can be:</phrase>`
`83`	`87`
`84`	`88`	`[ GROUP ] <replaceable class="PARAMETER">role_name</replaceable>`
`85`	`89`	`\| PUBLIC`
`86`	`90`	`\| CURRENT_USER`
`87`	`91`	`\| SESSION_USER`
`88`		`-`
`89`		`-GRANT <replaceable class="PARAMETER">role_name</replaceable> [, ...] TO <replaceable class="PARAMETER">role_name</replaceable> [, ...] [ WITH ADMIN OPTION ]`
`90`	`92`	`</synopsis>`
`91`	`93`	`</refsynopsisdiv>`
`92`	`94`
`@@ -420,10 +422,17 @@ GRANT <replaceable class="PARAMETER">role_name</replaceable> [, ...] TO <replace`
`420`	`422`	`or revoke membership in any role that is not a superuser.`
`421`	`423`	`</para>`
`422`	`424`
	`425`	`+ <para>`
	`426`	`+ If <literal>GRANTED BY</literal> is specified, the grant is recorded as`
	`427`	`+ having been done by the specified role. Only database superusers may`
	`428`	`+ use this option, except when it names the same role executing the command.`
	`429`	`+ </para>`
	`430`	`+`
`423`	`431`	`<para>`
`424`	`432`	`Unlike the case with privileges, membership in a role cannot be granted`
`425`		`- to <literal>PUBLIC</>. Note also that this form of the command does not`
`426`		`- allow the noise word <literal>GROUP</>.`
	`433`	`+ to <literal>PUBLIC</literal>. Note also that this form of the command`
	`434`	`+ does not allow the noise word <literal>GROUP</literal>`
	`435`	`+ in <replaceable class="parameter">role_specification</replaceable>.`
`427`	`436`	`</para>`
`428`	`437`	`</refsect2>`
`429`	`438`	`</refsect1>`
`@@ -653,6 +662,13 @@ GRANT admins TO joe;`
`653`	`662`	`to roles.`
`654`	`663`	`</para>`
`655`	`664`
	`665`	`+ <para>`
	`666`	`+ The SQL standard allows the <literal>GRANTED BY</literal> option to`
	`667`	`+ be used in all forms of <command>GRANT</command>. PostgreSQL only`
	`668`	`+ supports it when granting role membership, and even then only superusers`
	`669`	`+ may use it in nontrivial ways.`
	`670`	`+ </para>`
	`671`	`+`
`656`	`672`	`<para>`
`657`	`673`	`The SQL standard provides for a <literal>USAGE</literal> privilege`
`658`	`674`	`on other kinds of objects: character sets, collations,`

`‎doc/src/sgml/ref/revoke.sgml`

Lines changed: 29 additions & 17 deletions

Original file line number	Diff line number	Diff line change
`@@ -26,88 +26,96 @@ REVOKE [ GRANT OPTION FOR ]`
`26`	`26`	`[, ...] \| ALL [ PRIVILEGES ] }`
`27`	`27`	`ON { [ TABLE ] <replaceable class="PARAMETER">table_name</replaceable> [, ...]`
`28`	`28`	`\| ALL TABLES IN SCHEMA <replaceable>schema_name</replaceable> [, ...] }`
`29`		`- FROM{ [ GROUP ]<replaceable class="PARAMETER">role_name</replaceable> \| PUBLIC } [, ...]`
	`29`	`+ FROM <replaceable class="PARAMETER">role_specification</replaceable> [, ...]`
`30`	`30`	`[ CASCADE \| RESTRICT ]`
`31`	`31`
`32`	`32`	`REVOKE [ GRANT OPTION FOR ]`
`33`	`33`	`{ { SELECT \| INSERT \| UPDATE \| REFERENCES } ( <replaceable class="PARAMETER">column_name</replaceable> [, ...] )`
`34`	`34`	`[, ...] \| ALL [ PRIVILEGES ] ( <replaceable class="PARAMETER">column_name</replaceable> [, ...] ) }`
`35`	`35`	`ON [ TABLE ] <replaceable class="PARAMETER">table_name</replaceable> [, ...]`
`36`		`- FROM{ [ GROUP ]<replaceable class="PARAMETER">role_name</replaceable> \| PUBLIC } [, ...]`
	`36`	`+ FROM <replaceable class="PARAMETER">role_specification</replaceable> [, ...]`
`37`	`37`	`[ CASCADE \| RESTRICT ]`
`38`	`38`
`39`	`39`	`REVOKE [ GRANT OPTION FOR ]`
`40`	`40`	`{ { USAGE \| SELECT \| UPDATE }`
`41`	`41`	`[, ...] \| ALL [ PRIVILEGES ] }`
`42`	`42`	`ON { SEQUENCE <replaceable class="PARAMETER">sequence_name</replaceable> [, ...]`
`43`	`43`	`\| ALL SEQUENCES IN SCHEMA <replaceable>schema_name</replaceable> [, ...] }`
`44`		`- FROM{ [ GROUP ]<replaceable class="PARAMETER">role_name</replaceable> \| PUBLIC } [, ...]`
	`44`	`+ FROM <replaceable class="PARAMETER">role_specification</replaceable> [, ...]`
`45`	`45`	`[ CASCADE \| RESTRICT ]`
`46`	`46`
`47`	`47`	`REVOKE [ GRANT OPTION FOR ]`
`48`	`48`	`{ { CREATE \| CONNECT \| TEMPORARY \| TEMP } [, ...] \| ALL [ PRIVILEGES ] }`
`49`	`49`	`ON DATABASE <replaceable>database_name</replaceable> [, ...]`
`50`		`- FROM{ [ GROUP ]<replaceable class="PARAMETER">role_name</replaceable> \| PUBLIC } [, ...]`
	`50`	`+ FROM <replaceable class="PARAMETER">role_specification</replaceable> [, ...]`
`51`	`51`	`[ CASCADE \| RESTRICT ]`
`52`	`52`
`53`	`53`	`REVOKE [ GRANT OPTION FOR ]`
`54`	`54`	`{ USAGE \| ALL [ PRIVILEGES ] }`
`55`	`55`	`ON DOMAIN <replaceable>domain_name</replaceable> [, ...]`
`56`		`- FROM{ [ GROUP ]<replaceable class="PARAMETER">role_name</replaceable> \| PUBLIC } [, ...]`
	`56`	`+ FROM <replaceable class="PARAMETER">role_specification</replaceable> [, ...]`
`57`	`57`	`[ CASCADE \| RESTRICT ]`
`58`	`58`
`59`	`59`	`REVOKE [ GRANT OPTION FOR ]`
`60`	`60`	`{ USAGE \| ALL [ PRIVILEGES ] }`
`61`	`61`	`ON FOREIGN DATA WRAPPER <replaceable>fdw_name</replaceable> [, ...]`
`62`		`- FROM{ [ GROUP ]<replaceable class="PARAMETER">role_name</replaceable> \| PUBLIC } [, ...]`
	`62`	`+ FROM <replaceable class="PARAMETER">role_specification</replaceable> [, ...]`
`63`	`63`	`[ CASCADE \| RESTRICT ]`
`64`	`64`
`65`	`65`	`REVOKE [ GRANT OPTION FOR ]`
`66`	`66`	`{ USAGE \| ALL [ PRIVILEGES ] }`
`67`	`67`	`ON FOREIGN SERVER <replaceable>server_name</replaceable> [, ...]`
`68`		`- FROM{ [ GROUP ]<replaceable class="PARAMETER">role_name</replaceable> \| PUBLIC } [, ...]`
	`68`	`+ FROM <replaceable class="PARAMETER">role_specification</replaceable> [, ...]`
`69`	`69`	`[ CASCADE \| RESTRICT ]`
`70`	`70`
`71`	`71`	`REVOKE [ GRANT OPTION FOR ]`
`72`	`72`	`{ EXECUTE \| ALL [ PRIVILEGES ] }`
`73`	`73`	`ON { FUNCTION <replaceable>function_name</replaceable> [ ( [ [ <replaceable class="parameter">argmode</replaceable> ] [ <replaceable class="parameter">arg_name</replaceable> ] <replaceable class="parameter">arg_type</replaceable> [, ...] ] ) ] [, ...]`
`74`	`74`	`\| ALL FUNCTIONS IN SCHEMA <replaceable>schema_name</replaceable> [, ...] }`
`75`		`- FROM{ [ GROUP ]<replaceable class="PARAMETER">role_name</replaceable> \| PUBLIC } [, ...]`
	`75`	`+ FROM <replaceable class="PARAMETER">role_specification</replaceable> [, ...]`
`76`	`76`	`[ CASCADE \| RESTRICT ]`
`77`	`77`
`78`	`78`	`REVOKE [ GRANT OPTION FOR ]`
`79`	`79`	`{ USAGE \| ALL [ PRIVILEGES ] }`
`80`	`80`	`ON LANGUAGE <replaceable>lang_name</replaceable> [, ...]`
`81`		`- FROM{ [ GROUP ]<replaceable class="PARAMETER">role_name</replaceable> \| PUBLIC } [, ...]`
	`81`	`+ FROM <replaceable class="PARAMETER">role_specification</replaceable> [, ...]`
`82`	`82`	`[ CASCADE \| RESTRICT ]`
`83`	`83`
`84`	`84`	`REVOKE [ GRANT OPTION FOR ]`
`85`	`85`	`{ { SELECT \| UPDATE } [, ...] \| ALL [ PRIVILEGES ] }`
`86`	`86`	`ON LARGE OBJECT <replaceable class="PARAMETER">loid</replaceable> [, ...]`
`87`		`- FROM{ [ GROUP ]<replaceable class="PARAMETER">role_name</replaceable> \| PUBLIC } [, ...]`
	`87`	`+ FROM <replaceable class="PARAMETER">role_specification</replaceable> [, ...]`
`88`	`88`	`[ CASCADE \| RESTRICT ]`
`89`	`89`
`90`	`90`	`REVOKE [ GRANT OPTION FOR ]`
`91`	`91`	`{ { CREATE \| USAGE } [, ...] \| ALL [ PRIVILEGES ] }`
`92`	`92`	`ON SCHEMA <replaceable>schema_name</replaceable> [, ...]`
`93`		`- FROM{ [ GROUP ]<replaceable class="PARAMETER">role_name</replaceable> \| PUBLIC } [, ...]`
	`93`	`+ FROM <replaceable class="PARAMETER">role_specification</replaceable> [, ...]`
`94`	`94`	`[ CASCADE \| RESTRICT ]`
`95`	`95`
`96`	`96`	`REVOKE [ GRANT OPTION FOR ]`
`97`	`97`	`{ CREATE \| ALL [ PRIVILEGES ] }`
`98`	`98`	`ON TABLESPACE <replaceable>tablespace_name</replaceable> [, ...]`
`99`		`- FROM{ [ GROUP ]<replaceable class="PARAMETER">role_name</replaceable> \| PUBLIC } [, ...]`
	`99`	`+ FROM <replaceable class="PARAMETER">role_specification</replaceable> [, ...]`
`100`	`100`	`[ CASCADE \| RESTRICT ]`
`101`	`101`
`102`	`102`	`REVOKE [ GRANT OPTION FOR ]`
`103`	`103`	`{ USAGE \| ALL [ PRIVILEGES ] }`
`104`	`104`	`ON TYPE <replaceable>type_name</replaceable> [, ...]`
`105`		`- FROM{ [ GROUP ]<replaceable class="PARAMETER">role_name</replaceable> \| PUBLIC } [, ...]`
	`105`	`+ FROM <replaceable class="PARAMETER">role_specification</replaceable> [, ...]`
`106`	`106`	`[ CASCADE \| RESTRICT ]`
`107`	`107`
`108`	`108`	`REVOKE [ ADMIN OPTION FOR ]`
`109`		`- <replaceable class="PARAMETER">role_name</replaceable> [, ...] FROM <replaceable class="PARAMETER">role_name</replaceable> [, ...]`
	`109`	`+ <replaceable class="PARAMETER">role_name</replaceable> [, ...] FROM <replaceable class="PARAMETER">role_specification</replaceable> [, ...]`
	`110`	`+ [ GRANTED BY <replaceable class="PARAMETER">role_specification</replaceable> ]`
`110`	`111`	`[ CASCADE \| RESTRICT ]`
	`112`	`+`
	`113`	`+<phrase>where <replaceable class="PARAMETER">role_specification</replaceable> can be:</phrase>`
	`114`	`+`
	`115`	`+ [ GROUP ] <replaceable class="PARAMETER">role_name</replaceable>`
	`116`	`+ \| PUBLIC`
	`117`	`+ \| CURRENT_USER`
	`118`	`+ \| SESSION_USER`
`111`	`119`	`</synopsis>`
`112`	`120`	`</refsynopsisdiv>`
`113`	`121`
`@@ -167,10 +175,14 @@ REVOKE [ ADMIN OPTION FOR ]`
`167`	`175`	`</para>`
`168`	`176`
`169`	`177`	`<para>`
`170`		`- When revoking membership in a role, <literal>GRANT OPTION</> is instead`
`171`		`- called <literal>ADMIN OPTION</>, but the behavior is similar.`
	`178`	`+ When revoking membership in a role, <literal>GRANT OPTION</literal> is instead`
	`179`	`+ called <literal>ADMIN OPTION</literal>, but the behavior is similar.`
	`180`	`+ This form of the command also allows a <literal>GRANTED BY</literal>`
	`181`	`+ option, but that option is currently ignored (except for checking`
	`182`	`+ the existence of the named role).`
`172`	`183`	`Note also that this form of the command does not`
`173`		`- allow the noise word <literal>GROUP</>.`
	`184`	`+ allow the noise word <literal>GROUP</literal>`
	`185`	`+ in <replaceable class="parameter">role_specification</replaceable>.`
`174`	`186`	`</para>`
`175`	`187`	`</refsect1>`
`176`	`188`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commita56c495

File tree

2 files changed

2 files changed

`‎doc/src/sgml/ref/grant.sgml`

`‎doc/src/sgml/ref/revoke.sgml`

0 commit comments