Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

Commitd30e0ed

Browse files
committed
Doc: clarify behavior of ALTER DEFAULT PRIVILEGES ... IN SCHEMA.
The existing text stated that "Default privileges that are specifiedper-schema are added to whatever the global default privileges are forthe particular object type". However, that bare-bones observation isnot quite clear enough, as demonstrated by the complaint in bug #16124.Flesh it out by stating explicitly that you can't revoke built-indefault privileges this way, and by providing an example to drivethe point home.Back-patch to all supported branches, since it's been like thisfrom the beginning.Discussion:https://postgr.es/m/16124-423d8ee4358421bc@postgresql.org
1 parenta1b2cf0 commitd30e0ed

File tree

1 file changed

+25
-9
lines changed

1 file changed

+25
-9
lines changed

‎doc/src/sgml/ref/alter_default_privileges.sgml

Lines changed: 25 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -100,9 +100,7 @@ REVOKE [ GRANT OPTION FOR ]
100100
You can change default privileges only for objects that will be created by
101101
yourself or by roles that you are a member of. The privileges can be set
102102
globally (i.e., for all objects created in the current database),
103-
or just for objects created in specified schemas. Default privileges
104-
that are specified per-schema are added to whatever the global default
105-
privileges are for the particular object type.
103+
or just for objects created in specified schemas.
106104
</para>
107105

108106
<para>
@@ -114,6 +112,16 @@ REVOKE [ GRANT OPTION FOR ]
114112
<command>ALTER DEFAULT PRIVILEGES</>.
115113
</para>
116114

115+
<para>
116+
Default privileges that are specified per-schema are added to whatever
117+
the global default privileges are for the particular object type.
118+
This means you cannot revoke privileges per-schema if they are granted
119+
globally (either by default, or according to a previous <command>ALTER
120+
DEFAULT PRIVILEGES</command> command that did not specify a schema).
121+
Per-schema <literal>REVOKE</literal> is only useful to reverse the
122+
effects of a previous per-schema <literal>GRANT</literal>.
123+
</para>
124+
117125
<refsect2>
118126
<title>Parameters</title>
119127

@@ -134,10 +142,10 @@ REVOKE [ GRANT OPTION FOR ]
134142
<para>
135143
The name of an existing schema. If specified, the default privileges
136144
are altered for objects later created in that schema.
137-
If <literal>IN SCHEMA</> is omitted, the global default privileges
145+
If <literal>IN SCHEMA</literal> is omitted, the global default privileges
138146
are altered.
139-
<literal>IN SCHEMA</> is not allowed whenusing <literal>ON SCHEMAS</>
140-
as schemas can't be nested.
147+
<literal>IN SCHEMA</literal> is not allowed whensetting privileges
148+
for schemas, since schemas can't be nested.
141149
</para>
142150
</listitem>
143151
</varlistentry>
@@ -206,11 +214,19 @@ ALTER DEFAULT PRIVILEGES IN SCHEMA myschema REVOKE INSERT ON TABLES FROM webuser
206214

207215
<para>
208216
Remove the public EXECUTE permission that is normally granted on functions,
209-
for all functions subsequently created by role <literal>admin</>:
210-
217+
for all functions subsequently created by role <literal>admin</literal>:
211218
<programlisting>
212219
ALTER DEFAULT PRIVILEGES FOR ROLE admin REVOKE EXECUTE ON FUNCTIONS FROM PUBLIC;
213-
</programlisting></para>
220+
</programlisting>
221+
Note however that you <emphasis>cannot</emphasis> accomplish that effect
222+
with a command limited to a single schema. This command has no effect,
223+
unless it is undoing a matching <literal>GRANT</literal>:
224+
<programlisting>
225+
ALTER DEFAULT PRIVILEGES IN SCHEMA public REVOKE EXECUTE ON FUNCTIONS FROM PUBLIC;
226+
</programlisting>
227+
That's because per-schema default privileges can only add privileges to
228+
the global setting, not remove privileges granted by it.
229+
</para>
214230
</refsect1>
215231

216232
<refsect1>

0 commit comments

Comments
 (0)
[8]ページ先頭
©2009-2025 Movatter.jp