Commit ef74225

Grant options, and cascading revoke. Grant options are allowed only for
users right now, not groups. Extension of has_foo_privileges functions to query the grant options. Extension of aclitem type to store grantor.
1 parent aa78ca3 commit ef74225

File tree: 18 files changed (+670, -445 lines changed)


doc/src/sgml/func.sgml

Lines changed: 7 additions & 1 deletion
@@ -1,5 +1,5 @@
11
<!--
2-
$Header: /cvsroot/pgsql/doc/src/sgml/func.sgml,v 1.135 2003/01/2301:22:59 tgl Exp $
2+
$Header: /cvsroot/pgsql/doc/src/sgml/func.sgml,v 1.136 2003/01/2323:38:51 petere Exp $
33
PostgreSQL documentation
44
-->
55

@@ -5786,6 +5786,12 @@ SELECT has_table_privilege('myschema.mytable', 'select');
57865786
<literal>USAGE</literal>.
57875787
</para>
57885788

5789+
<para>
5790+
To evaluate whether a user holds a grant option on the privilege,
5791+
append <literal> WITH GRANT OPTION</literal> to the privilege key
5792+
word; for example <literal>'UPDATE WITH GRANT OPTION'</literal>.
5793+
</para>
5794+
57895795
<para>
57905796
<xref linkend="functions-misc-schema-table"> shows functions that
57915797
determine whether a certain object is <firstterm>visible</> in the
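Review bot: The new paragraph (lines 5789-5793) writes its example as 'UPDATE WITH GRANT OPTION' in upper case, while the existing example visible in the hunk header, has_table_privilege('myschema.mytable', 'select'), uses lower case; either state that the appended WITH GRANT OPTION suffix is matched the same way as the privilege name, or write the example in the same case as the surrounding ones so readers do not infer a difference. It would also help to say which of the has_*_privilege functions accept the suffix, since the commit message says all of them were extended.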

doc/src/sgml/ref/grant.sgml

Lines changed: 25 additions & 18 deletions
@@ -1,5 +1,5 @@
11
<!--
2-
$Header: /cvsroot/pgsql/doc/src/sgml/ref/grant.sgml,v 1.31 2002/11/21 23:34:43 petere Exp $
2+
$Header: /cvsroot/pgsql/doc/src/sgml/ref/grant.sgml,v 1.32 2003/01/23 23:38:53 petere Exp $
33
PostgreSQL documentation
44
-->
55

@@ -19,23 +19,23 @@ PostgreSQL documentation
1919
GRANT { { SELECT | INSERT | UPDATE | DELETE | RULE | REFERENCES | TRIGGER }
2020
[,...] | ALL [ PRIVILEGES ] }
2121
ON [ TABLE ] <replaceable class="PARAMETER">tablename</replaceable> [, ...]
22-
TO { <replaceable class="PARAMETER">username</replaceable> | GROUP <replaceable class="PARAMETER">groupname</replaceable> | PUBLIC } [, ...]
22+
TO { <replaceable class="PARAMETER">username</replaceable> | GROUP <replaceable class="PARAMETER">groupname</replaceable> | PUBLIC } [, ...] [ WITH GRANT OPTION ]
2323

2424
GRANT { { CREATE | TEMPORARY | TEMP } [,...] | ALL [ PRIVILEGES ] }
2525
ON DATABASE <replaceable>dbname</replaceable> [, ...]
26-
TO { <replaceable class="PARAMETER">username</replaceable> | GROUP <replaceable class="PARAMETER">groupname</replaceable> | PUBLIC } [, ...]
26+
TO { <replaceable class="PARAMETER">username</replaceable> | GROUP <replaceable class="PARAMETER">groupname</replaceable> | PUBLIC } [, ...] [ WITH GRANT OPTION ]
2727

2828
GRANT { EXECUTE | ALL [ PRIVILEGES ] }
2929
ON FUNCTION <replaceable>funcname</replaceable> ([<replaceable>type</replaceable>, ...]) [, ...]
30-
TO { <replaceable class="PARAMETER">username</replaceable> | GROUP <replaceable class="PARAMETER">groupname</replaceable> | PUBLIC } [, ...]
30+
TO { <replaceable class="PARAMETER">username</replaceable> | GROUP <replaceable class="PARAMETER">groupname</replaceable> | PUBLIC } [, ...] [ WITH GRANT OPTION ]
3131

3232
GRANT { USAGE | ALL [ PRIVILEGES ] }
3333
ON LANGUAGE <replaceable>langname</replaceable> [, ...]
34-
TO { <replaceable class="PARAMETER">username</replaceable> | GROUP <replaceable class="PARAMETER">groupname</replaceable> | PUBLIC } [, ...]
34+
TO { <replaceable class="PARAMETER">username</replaceable> | GROUP <replaceable class="PARAMETER">groupname</replaceable> | PUBLIC } [, ...] [ WITH GRANT OPTION ]
3535

3636
GRANT { { CREATE | USAGE } [,...] | ALL [ PRIVILEGES ] }
3737
ON SCHEMA <replaceable>schemaname</replaceable> [, ...]
38-
TO { <replaceable class="PARAMETER">username</replaceable> | GROUP <replaceable class="PARAMETER">groupname</replaceable> | PUBLIC } [, ...]
38+
TO { <replaceable class="PARAMETER">username</replaceable> | GROUP <replaceable class="PARAMETER">groupname</replaceable> | PUBLIC } [, ...] [ WITH GRANT OPTION ]
3939
</synopsis>
4040
</refsynopsisdiv>
4141

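Review bot: Every form in the synopsis (lines 22, 26, 30, 34 and 38) now accepts [ WITH GRANT OPTION ] after TO { username | GROUP groupname | PUBLIC }, but the description added later in this same file says grant options can only be granted to individual users, not groups or PUBLIC. Either split the synopsis so that WITH GRANT OPTION is shown only on the username alternative, or add a sentence next to the synopsis saying that combining it with GROUP or PUBLIC is not allowed, so the grammar and the prose agree.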
@@ -63,13 +63,18 @@ GRANT { { CREATE | USAGE } [,...] | ALL [ PRIVILEGES ] }
6363

6464
<para>
6565
There is no need to grant privileges to the creator of an object,
66-
as the creator has all privileges by default.
67-
(The creator could, however, choose to revoke
68-
some of his own privileges for safety.) Note that the ability to
69-
grant and revoke privileges is inherent in the creator and cannot
70-
be lost. The right to drop an object, or to alter it in any way
71-
not described by a grantable right, is likewise inherent in the
72-
creator, and cannot be granted or revoked.
66+
as the creator has all privileges by default. (The creator could,
67+
however, choose to revoke some of his own privileges for safety.)
68+
Note that the right to drop an object, or to alter it in any way is
69+
not described by a grantable right; it is inherent in the creator,
70+
and cannot be granted or revoked.
71+
</para>
72+
73+
<para>
74+
If <literal>WITH GRANT OPTION</literal> is specified, the recipient
75+
of the privilege may in turn grant it to others. By default this
76+
is not possible. Grant options can only be granted to individual
77+
users, not groups or <literal>PUBLIC</literal>.
7378
</para>
7479

7580
<para>
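Review bot: The rewording at lines 68-70 drops a qualifier and changes the meaning. The old text said the right to alter an object "in any way not described by a grantable right" is inherent in the creator; the new sentence reads as if altering the object in any way is never covered by a grantable right. Suggest: "Note that the right to drop an object, or to alter it in any way not covered by a grantable privilege, is inherent in the creator and cannot be granted or revoked." Dropping the old sentence about the ability to grant and revoke being inherent in the creator is reasonable now that grant options exist, but the new paragraph at lines 73-77 should then say explicitly whether the creator's own ability to grant remains unconditional, since nothing on the page states that any more.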
@@ -269,7 +274,7 @@ lusitania=> \dp mytable
269274
Access privileges for database "lusitania"
270275
Schema | Table | Access privileges
271276
--------+---------+---------------------------------------
272-
public | mytable | {=r,miriam=arwdRxt,"group todos=arw"}
277+
public | mytable | {=r/postgres,miriam=arwdRxt/postgres,"group todos=arw/postgres"}
273278
(1 row)
274279
</programlisting>
275280
The entries shown by <command>\dp</command> are interpreted thus:
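Review bot: In the updated \dp output (line 277) every entry carries the grantor suffix /postgres, including miriam=arwdRxt, yet the surrounding text describes this display as what user miriam sees after setting up the privileges, and arwdRxt is documented as ALL PRIVILEGES (for tables), which is what an owner holds. Please confirm that the grantor is meant to be postgres rather than miriam here; otherwise the example contradicts the narrative it illustrates.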
@@ -290,6 +295,9 @@ lusitania=> \dp mytable
290295
C -- CREATE
291296
T -- TEMPORARY
292297
arwdRxt -- ALL PRIVILEGES (for tables)
298+
* -- grant option for preceding privilege
299+
300+
/yyyy -- user who granted this privilege
293301
</programlisting>
294302

295303
The above example display would be seen by user <literal>miriam</> after
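Review bot: The legend now documents '*' (grant option for preceding privilege) and '/yyyy' (user who granted this privilege), but the example output at line 277 contains no '*' entry, so the grant-option marker is never shown in practice. Consider extending the example with one privilege granted WITH GRANT OPTION so readers can see where the asterisk attaches relative to the privilege letter and the grantor suffix. Also, the empty line 299 inside the programlisting between the '*' and '/yyyy' entries looks accidental.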
@@ -346,13 +354,12 @@ GRANT ALL PRIVILEGES ON kinds TO manuel;
346354
</para>
347355

348356
<para>
349-
The <acronym>SQL92</acronym> syntax for GRANT allows setting
350-
privileges for individual columns within a table, and allows
351-
setting a privilege to grant the same privileges to others:
357+
The <acronym>SQL</acronym> syntax for <literal>GRANT</literal>
358+
allows setting privileges for individual columns within a table:
352359

353360
<synopsis>
354361
GRANT <replaceable class="PARAMETER">privilege</replaceable> [, ...]
355-
ON <replaceable class="PARAMETER">object</replaceable> [ ( <replaceable class="PARAMETER">column</replaceable> [, ...] ) ] [, ...]
362+
ON <replaceable class="PARAMETER">table</replaceable> [ ( <replaceable class="PARAMETER">column</replaceable> [, ...] ) ] [, ...]
356363
TO { PUBLIC | <replaceable class="PARAMETER">username</replaceable> [, ...] } [ WITH GRANT OPTION ]
357364
</synopsis>
358365
</para>
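Review bot: The rewritten sentence at lines 357-358 now names column privileges as the remaining SQL feature PostgreSQL lacks, but the synopsis that follows still shows [ WITH GRANT OPTION ], which this very commit adds; a reader may conclude that grant options are unsupported too. Suggest a clause such as "PostgreSQL supports WITH GRANT OPTION but not per-column privileges" so the compatibility note matches the synopsis below it.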

doc/src/sgml/ref/revoke.sgml

Lines changed: 44 additions & 23 deletions
@@ -1,5 +1,5 @@
11
<!--
2-
$Header: /cvsroot/pgsql/doc/src/sgml/ref/revoke.sgml,v 1.24 2003/01/10 11:02:51 petere Exp $
2+
$Header: /cvsroot/pgsql/doc/src/sgml/ref/revoke.sgml,v 1.25 2003/01/23 23:38:53 petere Exp $
33
PostgreSQL documentation
44
-->
55

@@ -16,31 +16,36 @@ PostgreSQL documentation
1616

1717
<refsynopsisdiv>
1818
<synopsis>
19-
REVOKE { { SELECT | INSERT | UPDATE | DELETE | RULE | REFERENCES | TRIGGER }
19+
REVOKE [ GRANT OPTION FOR ]
20+
{ { SELECT | INSERT | UPDATE | DELETE | RULE | REFERENCES | TRIGGER }
2021
[,...] | ALL [ PRIVILEGES ] }
2122
ON [ TABLE ] <replaceable class="PARAMETER">tablename</replaceable> [, ...]
2223
FROM { <replaceable class="PARAMETER">username</replaceable> | GROUP <replaceable class="PARAMETER">groupname</replaceable> | PUBLIC } [, ...]
23-
[ RESTRICT ]
24+
[CASCADE |RESTRICT ]
2425

25-
REVOKE { { CREATE | TEMPORARY | TEMP } [,...] | ALL [ PRIVILEGES ] }
26+
REVOKE [ GRANT OPTION FOR ]
27+
{ { CREATE | TEMPORARY | TEMP } [,...] | ALL [ PRIVILEGES ] }
2628
ON DATABASE <replaceable>dbname</replaceable> [, ...]
2729
FROM { <replaceable class="PARAMETER">username</replaceable> | GROUP <replaceable class="PARAMETER">groupname</replaceable> | PUBLIC } [, ...]
28-
[ RESTRICT ]
30+
[CASCADE |RESTRICT ]
2931

30-
REVOKE { EXECUTE | ALL [ PRIVILEGES ] }
32+
REVOKE [ GRANT OPTION FOR ]
33+
{ EXECUTE | ALL [ PRIVILEGES ] }
3134
ON FUNCTION <replaceable>funcname</replaceable> ([<replaceable>type</replaceable>, ...]) [, ...]
3235
FROM { <replaceable class="PARAMETER">username</replaceable> | GROUP <replaceable class="PARAMETER">groupname</replaceable> | PUBLIC } [, ...]
33-
[ RESTRICT ]
36+
[CASCADE |RESTRICT ]
3437

35-
REVOKE { USAGE | ALL [ PRIVILEGES ] }
38+
REVOKE [ GRANT OPTION FOR ]
39+
{ USAGE | ALL [ PRIVILEGES ] }
3640
ON LANGUAGE <replaceable>langname</replaceable> [, ...]
3741
FROM { <replaceable class="PARAMETER">username</replaceable> | GROUP <replaceable class="PARAMETER">groupname</replaceable> | PUBLIC } [, ...]
38-
[ RESTRICT ]
42+
[CASCADE |RESTRICT ]
3943

40-
REVOKE { { CREATE | USAGE } [,...] | ALL [ PRIVILEGES ] }
44+
REVOKE [ GRANT OPTION FOR ]
45+
{ { CREATE | USAGE } [,...] | ALL [ PRIVILEGES ] }
4146
ON SCHEMA <replaceable>schemaname</replaceable> [, ...]
4247
FROM { <replaceable class="PARAMETER">username</replaceable> | GROUP <replaceable class="PARAMETER">groupname</replaceable> | PUBLIC } [, ...]
43-
[ RESTRICT ]
48+
[CASCADE |RESTRICT ]
4449
</synopsis>
4550
</refsynopsisdiv>
4651

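Review bot: Spacing style at lines 24, 30, 36, 42 and 48: '[CASCADE |RESTRICT ]' does not match the bracket spacing used everywhere else in the synopsis ('[ TABLE ]', '[ PRIVILEGES ]', '[ GRANT OPTION FOR ]'); write it as '[ CASCADE | RESTRICT ]'. Because the option is bracketed as optional, the description section should also state which behaviour applies when neither keyword is given.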
@@ -70,8 +75,22 @@ REVOKE { { CREATE | USAGE } [,...] | ALL [ PRIVILEGES ] }
7075
</para>
7176

7277
<para>
73-
The <literal>RESTRICT</literal> key word is currently only noise.
74-
See also the compatibility notes below.
78+
If <literal>GRANT OPTION FOR</literal> is specified, only the grant
79+
option for the privilege is revoked, not the privilege itself.
80+
</para>
81+
82+
<para>
83+
If a user holds a privilege with grant option and has granted it to
84+
other users then the privileges held by those other users are
85+
called dependent privileges. If the privilege or the grant option
86+
held by the first user is being revoked and dependent privileges
87+
exist, those dependent privileges are also revoked if
88+
<literal>CASCADE</literal> is specified, else the revoke action
89+
will fail. This recursive revocation only affects privileges that
90+
were granted through a chain of users that is traceable to the user
91+
that is the subject of this <literal>REVOKE</literal> command.
92+
Thus, the affected users may effectively keep the privilege if it
93+
was also granted through other users.
7594
</para>
7695
</refsect1>
7796

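Review bot: With the old sentence "The RESTRICT key word is currently only noise" removed, nothing in this section says what happens when neither CASCADE nor RESTRICT is specified, even though the synopsis makes both optional; add a sentence stating the default (the text at lines 88-89, "else the revoke action will fail", implies RESTRICT-like behaviour, but it should be said outright). The paragraph at lines 83-93 is also one long chain of conditions; splitting it after "called dependent privileges" and again before "This recursive revocation" would make the CASCADE rule easier to follow.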
@@ -83,6 +102,16 @@ REVOKE { { CREATE | USAGE } [,...] | ALL [ PRIVILEGES ] }
83102
display the privileges granted on existing objects. See also <xref
84103
linkend="sql-grant" endterm="sql-grant-title"> for information about the format.
85104
</para>
105+
106+
<para>
107+
A user can only revoke privileges that were granted directly by
108+
that user. If, for example, user A has granted a privilege with
109+
grant option to user B, and user B has in turned granted it to user
110+
C, then user A cannot revoke the privilege directly from C.
111+
Instead, user A could revoke the grant option from user B and use
112+
the <literal>CASCADE</literal> option so that the privilege is
113+
automatically revoked from user C.
114+
</para>
86115
</refsect1>
87116

88117
<refsect1 id="SQL-REVOKE-examples">
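Review bot: Typo at line 109: "user B has in turned granted it" should be "user B has in turn granted it". The paragraph also states that a user can only revoke privileges that were granted directly by that user; it should say whether the object owner is subject to the same restriction when a privilege was granted by someone else through a grant option, since that is the case an administrator cleaning up permissions will hit first.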
@@ -122,16 +151,8 @@ REVOKE [ GRANT OPTION FOR ] { SELECT | INSERT | UPDATE | DELETE | REFERENCES }
122151
FROM { PUBLIC | <replaceable class="parameter">username</replaceable> [, ...] }
123152
{ RESTRICT | CASCADE }
124153
</synopsis>
125-
</para>
126-
127-
<para>
128-
If user1 gives a privilege WITH GRANT OPTION to user2,
129-
and user2 gives it to user3 then user1 can revoke
130-
this privilege in cascade using the CASCADE keyword.
131-
If user1 gives a privilege WITH GRANT OPTION to user2,
132-
and user2 gives it to user3, then if user1 tries to revoke
133-
this privilege it fails if he specifies the RESTRICT
134-
keyword.
154+
One of <literal>RESTRICT</literal> or <literal>CASCADE</literal>
155+
is required.
135156
</para>
136157
</refsect2>
137158
</refsect1>
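Review bot: The replacement text at lines 154-155, "One of RESTRICT or CASCADE is required", sits under the SQL-standard synopsis ({ RESTRICT | CASCADE } with no brackets), but the PostgreSQL synopsis at the top of this file shows the keyword as optional, so the sentence as written contradicts it. Make the contrast explicit: "The SQL standard requires one of RESTRICT or CASCADE; PostgreSQL allows it to be omitted." The removed user1/user2/user3 walkthrough was the only worked example of cascading revoke on the page; the new user A/B/C paragraph added earlier in this file covers the same case, so a cross-reference to it from here would help.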

doc/src/sgml/release.sgml

Lines changed: 2 additions & 1 deletion
@@ -1,5 +1,5 @@
11
<!--
2-
$Header: /cvsroot/pgsql/doc/src/sgml/release.sgml,v 1.179 2003/01/20 18:54:44 tgl Exp $
2+
$Header: /cvsroot/pgsql/doc/src/sgml/release.sgml,v 1.180 2003/01/23 23:38:51 petere Exp $
33
-->
44

55
<appendix id="release">
@@ -38,6 +38,7 @@ ON COMMIT options for temp tables
3838
extra_float_digits option allows pg_dump to dump float data accurately
3939
Long options for psql and pg_dump are now available on all platforms
4040
Read-only transactions
41+
Object owners can allow grantees to grant the privilege to others (grant option)
4142
]]></literallayout>
4243

4344
</sect1>
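Review bot: The release note at line 41 mentions only grant options, while the commit message also covers cascading revoke (REVOKE ... CASCADE), REVOKE GRANT OPTION FOR, the extended has_*_privilege functions, and the aclitem change that records the grantor. The aclitem change is user-visible in \dp output (the new /grantor suffix shown in grant.sgml) and may affect tools that parse that format, so it deserves its own line here.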
