NotificationsYou must be signed in to change notification settings
Fork28
Star151

Commit19989d8

committed

Doc: fix missing explanation of default object privileges.

The GRANT reference page, which lists the default privileges for newobjects, failed to mention that USAGE is granted by default for datatypes and domains. As a lesser sin, it also did not specify anythingabout the initial privileges for sequences, FDWs, foreign servers,or large objects. Fix that, and add a comment to acldefault() in theprobably vain hope of getting people to maintain this list in future.Noted by Laurenz Albe, though I editorialized on the wording a bit.Back-patch to all supported branches, since they all have this behavior.Discussion:https://postgr.es/m/1507620895.4152.1.camel@cybertec.at

1 parent36c687a commit19989d8Copy full SHA for 19989d8

File tree

2 files changed

+18

-6

lines changed

doc/src/sgml/ref
- grant.sgml
src/backend/utils/adt
- acl.c

2 files changed

+18

-6

lines changed

`‎doc/src/sgml/ref/grant.sgml`

Lines changed: 15 additions & 5 deletions

Original file line number	Diff line number	Diff line change
`@@ -156,12 +156,22 @@ GRANT <replaceable class="PARAMETER">role_name</replaceable> [, ...] TO <replace`
`156`	`156`	`<para>`
`157`	`157`	`PostgreSQL grants default privileges on some types of objects to`
`158`	`158`	`<literal>PUBLIC</literal>. No privileges are granted to`
`159`		`- <literal>PUBLIC</literal> by default on tables,`
`160`		`- columns, schemas or tablespaces. For other types, the default privileges`
	`159`	`+ <literal>PUBLIC</literal> by default on`
	`160`	`+ tables,`
	`161`	`+ table columns,`
	`162`	`+ sequences,`
	`163`	`+ foreign data wrappers,`
	`164`	`+ foreign servers,`
	`165`	`+ large objects,`
	`166`	`+ schemas,`
	`167`	`+ or tablespaces.`
	`168`	`+ For other types of objects, the default privileges`
`161`	`169`	`granted to <literal>PUBLIC</literal> are as follows:`
`162`		`- <literal>CONNECT</literal> and <literal>CREATE TEMP TABLE</literal> for`
`163`		`- databases; <literal>EXECUTE</literal> privilege for functions; and`
`164`		`- <literal>USAGE</literal> privilege for languages.`
	`170`	`+ <literal>CONNECT</literal> and <literal>TEMPORARY</literal> (create`
	`171`	`+ temporary tables) privileges for databases;`
	`172`	`+ <literal>EXECUTE</literal> privilege for functions; and`
	`173`	`+ <literal>USAGE</literal> privilege for languages and data types`
	`174`	`+ (including domains).`
`165`	`175`	`The object owner can, of course, <command>REVOKE</command>`
`166`	`176`	`both default and expressly granted privileges. (For maximum`
`167`	`177`	`security, issue the <command>REVOKE</> in the same transaction that`

`‎src/backend/utils/adt/acl.c`

Lines changed: 3 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -722,7 +722,9 @@ hash_aclitem(PG_FUNCTION_ARGS)`
`722`	`722`	`* acldefault() --- create an ACL describing default access permissions`
`723`	`723`	`*`
`724`	`724`	`* Change this routine if you want to alter the default access policy for`
`725`		`- * newly-created objects (or any object with a NULL acl entry).`
	`725`	`+ * newly-created objects (or any object with a NULL acl entry). When`
	`726`	`+ * you make a change here, don't forget to update the GRANT man page,`
	`727`	`+ * which explains all the default permissions.`
`726`	`728`	`*`
`727`	`729`	`* Note that these are the hard-wired "defaults" that are used in the`
`728`	`730`	`* absence of any pg_default_acl entry.`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit19989d8

File tree

2 files changed

2 files changed

`‎doc/src/sgml/ref/grant.sgml`

`‎src/backend/utils/adt/acl.c`

0 commit comments